
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1570593
MD5: 7006f5208c072600f4dc6b5fc302229d
SHA1: 77b6ea23a54ccb82e88fb1e92ecd2ad2552a79ce
SHA256: 47900f920988863110fa58f9102734aa7ba42b15a3f1f3ff5863d2d3a1d561fe
Tags: exe, user-Bitsight

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7006F5208C072600F4DC6B5FC302229D)
    • WerFault.exe (PID: 8 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 3052 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": ["112.213.116.149"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
Source: 00000000.00000002.2556716131.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000002.2556716131.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0x7c78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7d15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7e2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7926:$cnc4: POST / HTTP/1.1
Source: 00000000.00000003.1636045603.0000000005010000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000003.1636045603.0000000005010000.00000004.00001000.00020000.00000000.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0x7c78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7d15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7e2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7926:$cnc4: POST / HTTP/1.1
Source: 00000000.00000002.2560743636.0000000005381000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 0.2.file.exe.bc0000.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.2.file.exe.bc0000.0.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0x8078:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8115:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x822a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7d26:$cnc4: POST / HTTP/1.1

          System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7588, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-07T11:47:24.407539+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49822 | 52.182.143.212 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-07T11:46:12.464518+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:17.414754+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:26.312166+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:40.208493+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:47.388464+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:54.093692+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:54.562724+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:55.080302+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:55.559235+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:56.664656+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:58.084118+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:58.301056+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:00.251187+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:00.996989+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:01.212847+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:01.655554+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:04.059727+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:04.543047+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:04.734923+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:05.533470+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:06.367516+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:07.412393+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:07.563530+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:07.937901+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:08.153554+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:08.350153+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:08.438928+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:09.072611+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:09.597139+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:10.268753+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:10.683412+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:11.350904+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:12.709959+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:12.925868+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:14.985397+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:15.864713+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:16.301171+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:16.494864+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:16.930896+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:17.702283+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-07T11:46:12.583976+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:26.369212+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:40.211650+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:54.154019+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:54.671204+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:55.622574+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:56.436181+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:56.953077+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:57.259676+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:58.305243+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:59.905597+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:00.028993+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:00.192900+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:01.028305+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:01.239866+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:02.713253+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:02.768850+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:03.075071+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:04.765410+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:06.018069+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:06.575385+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:07.536853+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:09.598059+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:11.785543+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:12.717369+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:12.950349+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:13.882447+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:14.004652+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:15.905549+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:16.063519+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:16.364961+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:16.981293+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:17.145059+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-07T11:46:17.414754+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:47.388464+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:17.702283+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-07T11:46:55.742443+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP

          AV Detection

Source: file.exe | Avira: detected
Source: 00000000.00000002.2560743636.0000000005381000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["112.213.116.149"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: file.exe | Virustotal: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 0.2.file.exe.bc0000.0.unpack | String decryptor: 112.213.116.149
Source: 0.2.file.exe.bc0000.0.unpack | String decryptor: 7000
Source: 0.2.file.exe.bc0000.0.unpack | String decryptor: <123456789>
Source: 0.2.file.exe.bc0000.0.unpack | String decryptor: <Xwormmm>
Source: 0.2.file.exe.bc0000.0.unpack | String decryptor: vuctum
Source: 0.2.file.exe.bc0000.0.unpack | String decryptor: USB.exe
Source: 0.2.file.exe.bc0000.0.unpack | String decryptor: %AppData%
Source: 0.2.file.exe.bc0000.0.unpack | String decryptor: msedge.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 52.182.143.212:443 -> 192.168.2.4:49822 version: TLS 1.2
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb/ source: file.exe, 00000000.00000002.2565422812.00000000085F0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: file.exe, 00000000.00000002.2565422812.00000000085F0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Accessibility.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: Accessibility.pdb^ source: WERD772.tmp.dmp.9.dr
          Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbh source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\dll\mscorlib.pdb source: file.exe, 00000000.00000002.2565422812.00000000085F0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: .pdb" source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Core.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERD772.tmp.dmp.9.dr
          Source: Binary string: mscorlib.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Drawing.pdbRa source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD772.tmp.dmp.9.dr
          Source: Binary string: e.PDBl source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.ni.pdbRSDS source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Windows.Forms.pdbx\U source: WERD772.tmp.dmp.9.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbu source: file.exe, 00000000.00000002.2565422812.00000000085F0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: n.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: lib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: n0C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: file.exe, 00000000.00000002.2557625492.00000000015FA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdbPt source: WERD772.tmp.dmp.9.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Configuration.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Xml.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: %%.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: mscorlib.pdb source: file.exe, 00000000.00000002.2557625492.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2565422812.00000000085F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp, WERD772.tmp.dmp.9.dr
          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb:R source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbdbib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Drawing.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Management.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Management.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Core.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: symbols\dll\mscorlib.pdbLb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.pdbP source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WERD772.tmp.dmp.9.dr

          Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49732 -> 112.213.116.149:7000
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 112.213.116.149:7000 -> 192.168.2.4:49732
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49732 -> 112.213.116.149:7000
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 112.213.116.149:7000 -> 192.168.2.4:49732
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49732 -> 112.213.116.149:7000
Source: Malware configuration extractor | URLs: 112.213.116.149
Source: global traffic | TCP traffic: 192.168.2.4:49732 -> 112.213.116.149:7000
Source: Joe Sandbox View | IP Address: 52.182.143.212
Source: Joe Sandbox View | ASN Name: SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49822 -> 52.182.143.212:443
Source: unknown | TCP traffic detected without corresponding DNS query: 112.213.116.149
Source: unknown | HTTP traffic detected: POST /Telemetry.Request HTTP/1.1 | Connection: Keep-Alive | User-Agent: MSDW | MSA_DeviceTicket_Error: 0x80004004 | Content-Length: 4708 | Host: umwatson.events.data.microsoft.com
Source: file.exe, 00000000.00000002.2560743636.0000000005381000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown | HTTPS traffic detected: 52.182.143.212:443 -> 192.168.2.4:49822 version: TLS 1.2

          System Summary

          Source: 0.2.file.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
          Source: 00000000.00000002.2556716131.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
          Source: 00000000.00000003.1636045603.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
          Source: file.exe | Static PE information: section name:
          Source: file.exe | Static PE information: section name: .idata
          Source: file.exe | Static PE information: section name:
          Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05234301
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_052348F8
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05231328
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_052338E8
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 3052
          Source: file.exe, 00000000.00000002.2563703861.0000000007F18000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
          Source: file.exe, 00000000.00000002.2556750058.0000000000BCC000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametest.exe4 vs file.exe
          Source: file.exe, 00000000.00000002.2557625492.000000000151E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
          Source: file.exe | Binary or memory string: OriginalFilenametest.exe4 vs file.exe
          Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 0.2.file.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000000.00000002.2556716131.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000000.00000003.1636045603.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: file.exe | Static PE information: Section: ZLIB complexity 0.9995535714285714
          Source: file.exe | Static PE information: Section: kcsazwfy ZLIB complexity 0.9951127713295146
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/7@0/2
          Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
          Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
          Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\5A2EV0QwEpBhrhGH
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7588
          Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: file.exe | Virustotal: Detection: 34%
          Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
          Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
          Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 3052
          Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
          Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: sxs.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: scrrun.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: avicap32.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: msvfw32.dll
          Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
          Source: msedge.lnk.0.dr | LNK file: ..\..\..\..\..\msedge.exe
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: file.exe | Static file information: File size 1737216 > 1048576
          Source: file.exe | Static PE information: Raw size of kcsazwfy is bigger than: 0x100000 < 0x19ea00
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb/ source: file.exe, 00000000.00000002.2565422812.00000000085F0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: file.exe, 00000000.00000002.2565422812.00000000085F0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Accessibility.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: Accessibility.pdb^ source: WERD772.tmp.dmp.9.dr
          Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbh source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\dll\mscorlib.pdb source: file.exe, 00000000.00000002.2565422812.00000000085F0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: .pdb" source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Core.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERD772.tmp.dmp.9.dr
          Source: Binary string: mscorlib.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Drawing.pdbRa source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD772.tmp.dmp.9.dr
          Source: Binary string: e.PDBl source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.ni.pdbRSDS source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Windows.Forms.pdbx\U source: WERD772.tmp.dmp.9.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbu source: file.exe, 00000000.00000002.2565422812.00000000085F0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: n.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: lib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: n0C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: file.exe, 00000000.00000002.2557625492.00000000015FA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdbPt source: WERD772.tmp.dmp.9.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Configuration.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Xml.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: %%.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: mscorlib.pdb source: file.exe, 00000000.00000002.2557625492.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2565422812.00000000085F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp, WERD772.tmp.dmp.9.dr
          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb:R source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbdbib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Drawing.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Management.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Management.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Core.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: symbols\dll\mscorlib.pdbLb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: file.exe, 00000000.00000002.2563937142.0000000008059000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.pdbP source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.ni.pdb source: WERD772.tmp.dmp.9.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WERD772.tmp.dmp.9.dr

          Data Obfuscation

          Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.bc0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcsazwfy:EW;epcrslpk:EW;.taggant:EW; vs :ER;.rsrc:W;
          Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
          Source: file.exe | Static PE information: real checksum: 0x1b6a5e should be: 0x1a94f8
          Source: file.exe | Static PE information: section name:
          Source: file.exe | Static PE information: section name: .idata
          Source: file.exe | Static PE information: section name:
          Source: file.exe | Static PE information: section name: kcsazwfy
          Source: file.exe | Static PE information: section name: epcrslpk
          Source: file.exe | Static PE information: section name: .taggant
          Source: file.exe | Static PE information: section name: entropy: 7.964327563991748
          Source: file.exe | Static PE information: section name: kcsazwfy entropy: 7.953709762013856

          Boot Survival

          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (2 occurrences)
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (3 occurrences)
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
          Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk (2 occurrences)
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 occurrences)

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
          Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
          Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3EE2F second address: D3EE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3EE33 second address: D3EE46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB187Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3EE46 second address: D3EE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop ebx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3EE50 second address: D3EE56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3EE56 second address: D3EE5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D49C67 second address: D49C7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB187Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D49DFF second address: D49E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D49E07 second address: D49E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0BB1882h 0x00000009 jmp 00007F52C0BB1882h 0x0000000e popad 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4DF91 second address: D4DFC0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F52C0D3C11Ch 0x00000008 jo 00007F52C0D3C116h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jmp 00007F52C0D3C129h 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4DFC0 second address: D4DFC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4DFC4 second address: D4DFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 call 00007F52C0D3C11Ch 0x0000000d mov si, cx 0x00000010 pop edx 0x00000011 and edi, 70C629AEh 0x00000017 push 00000000h 0x00000019 mov edx, dword ptr [ebp+13BC2B56h] 0x0000001f push C07FBA80h 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4DFF5 second address: D4E011 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB1888h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4E011 second address: D4E016 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4E182 second address: D4E1C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB187Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d sub dword ptr [ebp+13BC3377h], eax 0x00000013 push 00000000h 0x00000015 mov ecx, dword ptr [ebp+13BC2B1Eh] 0x0000001b call 00007F52C0BB1879h 0x00000020 pushad 0x00000021 pushad 0x00000022 jnl 00007F52C0BB1876h 0x00000028 push eax 0x00000029 pop eax 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d jns 00007F52C0BB1876h 0x00000033 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4E1C3 second address: D4E204 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007F52C0D3C12Dh 0x0000000e ja 00007F52C0D3C127h 0x00000014 jmp 00007F52C0D3C121h 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d js 00007F52C0D3C122h 0x00000023 jnp 00007F52C0D3C11Ch 0x00000029 jnl 00007F52C0D3C116h 0x0000002f mov eax, dword ptr [eax] 0x00000031 push esi 0x00000032 push ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4E204 second address: D4E28D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jne 00007F52C0BB188Ch 0x00000010 jmp 00007F52C0BB1886h 0x00000015 pop eax 0x00000016 movsx ecx, dx 0x00000019 push 00000003h 0x0000001b clc 0x0000001c push 00000000h 0x0000001e jmp 00007F52C0BB187Dh 0x00000023 push 00000003h 0x00000025 push 00000000h 0x00000027 push ebx 0x00000028 call 00007F52C0BB1878h 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], ebx 0x00000032 add dword ptr [esp+04h], 0000001Ah 0x0000003a inc ebx 0x0000003b push ebx 0x0000003c ret 0x0000003d pop ebx 0x0000003e ret 0x0000003f mov ecx, dword ptr [ebp+13BC2C46h] 0x00000045 call 00007F52C0BB1879h 0x0000004a pushad 0x0000004b jl 00007F52C0BB1878h 0x00000051 push edi 0x00000052 pop edi 0x00000053 pushad 0x00000054 jbe 00007F52C0BB1876h 0x0000005a push edx 0x0000005b pop edx 0x0000005c popad 0x0000005d popad 0x0000005e push eax 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push edx 0x00000063 pop edx 0x00000064 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4E28D second address: D4E2BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C11Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jng 00007F52C0D3C122h 0x00000014 jns 00007F52C0D3C11Ch 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f pushad 0x00000020 popad 0x00000021 pop ebx 0x00000022 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4E2BF second address: D4E2C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4E2C6 second address: D4E2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F52C0D3C118h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5FE86 second address: D5FE8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34E3A second address: D34E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34E42 second address: D34E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0BB1886h 0x00000009 jnl 00007F52C0BB1876h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F52C0BB1883h 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6CAC6 second address: D6CAD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F52C0D3C116h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6CAD0 second address: D6CAE2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F52C0BB1876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F52C0BB187Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D032 second address: D6D044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0D3C11Dh 0x00000009 pop ecx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D206 second address: D6D241 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F52C0BB1882h 0x00000008 jnl 00007F52C0BB1876h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jnp 00007F52C0BB1876h 0x00000016 popad 0x00000017 jp 00007F52C0BB187Ch 0x0000001d jo 00007F52C0BB1876h 0x00000023 pop edx 0x00000024 pop eax 0x00000025 jp 00007F52C0BB1897h 0x0000002b push ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D96D second address: D6D973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D973 second address: D6D979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D979 second address: D6D993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C126h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D614B1 second address: D614B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D614B7 second address: D614D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F52C0D3C127h 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D614D5 second address: D61505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB1885h 0x00000007 jl 00007F52C0BB1881h 0x0000000d jmp 00007F52C0BB187Bh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D61505 second address: D61518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F52C0D3C116h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33407 second address: D33420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0BB1885h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33420 second address: D33424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33424 second address: D33430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33430 second address: D33435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6DC19 second address: D6DC1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E322 second address: D6E332 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F52C0D3C116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E332 second address: D6E338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E338 second address: D6E33E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E33E second address: D6E347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E347 second address: D6E34D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E34D second address: D6E36A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F52C0BB1888h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E36A second address: D6E388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0D3C128h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7127E second address: D71283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72236 second address: D72240 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F52C0D3C116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D75963 second address: D75969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B904 second address: D3B90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 pushad 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B90F second address: D3B915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B915 second address: D3B920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7992D second address: D79931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A50 second address: D79A72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C122h 0x00000007 je 00007F52C0D3C116h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A72 second address: D79A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A78 second address: D79A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A83 second address: D79A87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A87 second address: D79A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A8F second address: D79A95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79A95 second address: D79ABB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F52C0D3C116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F52C0D3C129h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79ABB second address: D79AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79C1C second address: D79C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D3D7 second address: D7D3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D455 second address: D7D463 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C11Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D463 second address: D7D469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7E5EA second address: D7E623 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F52C0D3C125h 0x0000000e popad 0x0000000f push eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EBAF second address: D7EC23 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F52C0BB1878h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F52C0BB1887h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F52C0BB1878h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 call 00007F52C0BB1878h 0x00000037 pop edx 0x00000038 mov dword ptr [esp+04h], edx 0x0000003c add dword ptr [esp+04h], 00000019h 0x00000044 inc edx 0x00000045 push edx 0x00000046 ret 0x00000047 pop edx 0x00000048 ret 0x00000049 or dword ptr [ebp+13BC38BDh], edi 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EC23 second address: D7EC2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F5E7 second address: D7F5EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F46A second address: D7F471 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F5EB second address: D7F644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F52C0BB187Bh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F52C0BB1878h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d mov edi, dword ptr [ebp+13BC2C0Eh] 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F52C0BB1884h 0x0000003b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F471 second address: D7F49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F52C0D3C125h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnl 00007F52C0D3C116h 0x0000001a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D82765 second address: D827D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 add si, 6956h 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F52C0BB1878h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+13BC2B72h] 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F52C0BB1878h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a jmp 00007F52C0BB1887h 0x0000004f push eax 0x00000050 push esi 0x00000051 push eax 0x00000052 push edx 0x00000053 jne 00007F52C0BB1876h 0x00000059 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80DFA second address: D80E00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D82496 second address: D8249E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D82FF2 second address: D82FFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F52C0D3C116h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8323F second address: D83245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D82FFC second address: D83000 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D83245 second address: D832CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F52C0BB1878h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 sub di, 9861h 0x00000028 mov edi, ecx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007F52C0BB1878h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 push 00000000h 0x00000048 mov dword ptr [ebp+13BC38BDh], esi 0x0000004e xchg eax, ebx 0x0000004f push ecx 0x00000050 pushad 0x00000051 jnp 00007F52C0BB1876h 0x00000057 jmp 00007F52C0BB187Ah 0x0000005c popad 0x0000005d pop ecx 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F52C0BB1887h 0x00000066 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D832CD second address: D832D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8586C second address: D85883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0BB187Ch 0x00000009 je 00007F52C0BB1876h 0x0000000f popad 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A0BA second address: D8A0C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BEFA second address: D8BEFF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8B1B7 second address: D8B1BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BEFF second address: D8BF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a call 00007F52C0BB1882h 0x0000000f mov edi, edx 0x00000011 pop edi 0x00000012 push 00000000h 0x00000014 mov dword ptr [ebp+13BC2F0Eh], eax 0x0000001a push 00000000h 0x0000001c add edi, 57DE28E2h 0x00000022 xchg eax, esi 0x00000023 jmp 00007F52C0BB1885h 0x00000028 push eax 0x00000029 jnp 00007F52C0BB188Dh 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CF9F second address: D8CFB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F52C0D3C123h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C15C second address: D8C173 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F52C0BB1876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C173 second address: D8C178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8DF41 second address: D8DF55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F52C0BB1880h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8DF55 second address: D8DFB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C11Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F52C0D3C118h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007F52C0D3C118h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 push 00000000h 0x00000044 mov di, bx 0x00000047 xchg eax, esi 0x00000048 push edi 0x00000049 push eax 0x0000004a push edx 0x0000004b push edx 0x0000004c pop edx 0x0000004d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F0FE second address: D8F102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90FD0 second address: D90FDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F102 second address: D8F1A2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F52C0BB1878h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F52C0BB1878h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 jmp 00007F52C0BB1880h 0x0000002c push dword ptr fs:[00000000h] 0x00000033 sbb bh, 0000006Eh 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d jmp 00007F52C0BB187Ah 0x00000042 mov eax, dword ptr [ebp+13BC0379h] 0x00000048 cld 0x00000049 push FFFFFFFFh 0x0000004b or dword ptr [ebp+13D3D962h], ecx 0x00000051 mov edi, dword ptr [ebp+13BC2AC6h] 0x00000057 nop 0x00000058 push edx 0x00000059 jl 00007F52C0BB1882h 0x0000005f jmp 00007F52C0BB187Ch 0x00000064 pop edx 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 push ebx 0x00000069 jmp 00007F52C0BB1883h 0x0000006e pop ebx 0x0000006f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F1A2 second address: D8F1B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F52C0D3C11Bh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8F1B1 second address: D8F1B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92FBF second address: D92FD5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F52C0D3C11Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92FD5 second address: D92FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92FD9 second address: D92FDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92FDD second address: D9302E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F52C0BB187Dh 0x0000000b popad 0x0000000c nop 0x0000000d mov ebx, dword ptr [ebp+13BC2986h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F52C0BB1878h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov dword ptr [ebp+13BC3564h], ebx 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 mov edi, ecx 0x0000003a pop edi 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 jp 00007F52C0BB1876h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9302E second address: D93034 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93034 second address: D9303E instructions: 0x00000000 rdtsc 0x00000002 je 00007F52C0BB187Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93F37 second address: D93F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93F3C second address: D93F6A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F52C0BB1887h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F52C0BB187Eh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9310E second address: D93114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93114 second address: D93118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E440 second address: D2E44C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F52C0D3C116h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D964C0 second address: D964D2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007F52C0BB187Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D964D2 second address: D96523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 push 00000000h 0x00000008 mov dword ptr [ebp+13BC2CB9h], ecx 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F52C0D3C118h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov dword ptr [ebp+13D68B68h], edx 0x00000030 mov ebx, dword ptr [ebp+13BC1B7Eh] 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F52C0D3C11Eh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96523 second address: D96529 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9668C second address: D966A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C126h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D984E3 second address: D984F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F52C0BB187Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9A5A9 second address: D9A5AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9A5AF second address: D9A5B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D98708 second address: D98712 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F52C0D3C116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9A5B3 second address: D9A5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9A5BD second address: D9A5CA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F52C0D3C116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9A5CA second address: D9A5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D368A4 second address: D368AA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D368AA second address: D368BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB187Fh 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA06B3 second address: DA06C1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA06C1 second address: DA06DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0BB1885h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0841 second address: DA084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB09DB second address: DB09E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB09E1 second address: DB09E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB09E7 second address: DB09EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6434 second address: DB6450 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C124h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6450 second address: DB646A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0BB1886h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB646A second address: DB6489 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F52C0D3C129h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6489 second address: DB64BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB187Fh 0x00000007 jmp 00007F52C0BB1889h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB64BD second address: DB64C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB64C1 second address: DB64D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F52C0BB187Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB64D3 second address: DB64FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F52C0D3C126h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jl 00007F52C0D3C116h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jo 00007F52C0D3C116h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5925 second address: DB592C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB592C second address: DB593E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F52C0D3C11Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5BB3 second address: DB5BD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB1889h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBB82A second address: DBB843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0D3C124h 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBB843 second address: DBB84D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F52C0BB1882h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3832F second address: D38333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBA6D9 second address: DBA6E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7BEE1 second address: D7BEE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7BEE5 second address: D614B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 mov edx, dword ptr [ebp+13BC2D0Fh] 0x0000000e xor dword ptr [ebp+13BC2F1Ch], ebx 0x00000014 call dword ptr [ebp+13BC2D63h] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C341 second address: D7C347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C347 second address: D7C34B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C3F4 second address: D7C3FA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C3FA second address: D7C400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C400 second address: D7C404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C404 second address: D7C408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C63C second address: D7C656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F52C0D3C122h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C701 second address: D7C706 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7CCE5 second address: D7CCEF instructions: 0x00000000 rdtsc 0x00000002 je 00007F52C0D3C11Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7CFEB second address: D7CFF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7CFF0 second address: D7D004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F52C0D3C118h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D004 second address: D7D06B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F52C0BB1889h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F52C0BB1878h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 lea eax, dword ptr [ebp+13D6BC2Fh] 0x0000002e jmp 00007F52C0BB1886h 0x00000033 nop 0x00000034 pushad 0x00000035 push eax 0x00000036 pushad 0x00000037 popad 0x00000038 pop eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBAB44 second address: DBAB60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F52C0D3C116h 0x0000000a jmp 00007F52C0D3C122h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBAB60 second address: DBAB6A instructions: 0x00000000 rdtsc 0x00000002 je 00007F52C0BB1876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBAF46 second address: DBAF4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBAF4C second address: DBAF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBAF55 second address: DBAF80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push esi 0x00000009 push edx 0x0000000a js 00007F52C0D3C116h 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F52C0D3C128h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBB1F7 second address: DBB203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F52C0BB1876h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6216C second address: D62177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC02C6 second address: DC02CB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBF8C7 second address: DBF8CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBF8CD second address: DBF8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F52C0BB1876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBF8D7 second address: DBF8E6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F52C0D3C116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBF8E6 second address: DBF90B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F52C0BB187Ah 0x0000000e jng 00007F52C0BB1882h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC05FC second address: DC060B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F52C0D3C116h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC060B second address: DC0612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0612 second address: DC0617 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0763 second address: DC076F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jng 00007F52C0BB1876h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC076F second address: DC0783 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F52C0D3C116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0904 second address: DC0908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCBDE4 second address: DCBDEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCBDEA second address: DCBE0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F52C0BB1888h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC1FB second address: DCC1FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC1FF second address: DCC209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC209 second address: DCC20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC20F second address: DCC215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC215 second address: DCC224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jp 00007F52C0D3C116h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC4CE second address: DCC4D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC4D2 second address: DCC518 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F52C0D3C118h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push ecx 0x00000010 push edi 0x00000011 jmp 00007F52C0D3C11Dh 0x00000016 jmp 00007F52C0D3C11Eh 0x0000001b pop edi 0x0000001c pushad 0x0000001d jmp 00007F52C0D3C126h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC518 second address: DCC51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCCA98 second address: DCCAB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C127h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCF8E2 second address: DCF8E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCF8E8 second address: DCF8EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCF605 second address: DCF619 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F52C0BB187Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCF619 second address: DCF61F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCF61F second address: DCF623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCF623 second address: DCF64A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C121h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 jnc 00007F52C0D3C116h 0x00000016 pop edx 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD2866 second address: DD2874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F52C0BB187Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD211B second address: DD212C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jo 00007F52C0D3C116h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD212C second address: DD2140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0BB1880h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD2140 second address: DD2146 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD2146 second address: DD215B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F52C0BB187Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD215B second address: DD2164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD22A9 second address: DD22AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD22AF second address: DD22B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD22B5 second address: DD22D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F52C0BB1887h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD22D3 second address: DD22D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD2593 second address: DD2597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD2597 second address: DD25AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a jno 00007F52C0D3C116h 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD25AE second address: DD25C5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F52C0BB1876h 0x00000008 jne 00007F52C0BB1876h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD25C5 second address: DD25CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6910 second address: DD6915 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6BB2 second address: DD6BBC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F52C0D3C116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6BBC second address: DD6BDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB1888h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6E84 second address: DD6E8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F52C0D3C116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6E8E second address: DD6E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6E92 second address: DD6EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6FFD second address: DD7049 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB1883h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F52C0BB1885h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F52C0BB1876h 0x00000016 jmp 00007F52C0BB1888h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDA0DE second address: DDA0E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDA0E6 second address: DDA0EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDA0EB second address: DDA0F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDA0F1 second address: DDA104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F52C0BB1876h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDA104 second address: DDA11A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C122h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDA11A second address: DDA120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDA120 second address: DDA124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDA124 second address: DDA146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F52C0BB1888h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDA146 second address: DDA14A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE2023 second address: DE2027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE2027 second address: DE202D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE0AD0 second address: DE0AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE0AD5 second address: DE0AFF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007F52C0D3C116h 0x00000009 jmp 00007F52C0D3C128h 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F52C0D3C116h 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE0AFF second address: DE0B03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE0B03 second address: DE0B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE0B11 second address: DE0B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE0B15 second address: DE0B4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C125h 0x00000007 jmp 00007F52C0D3C121h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F52C0D3C11Ch 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE0DB7 second address: DE0DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE0DBB second address: DE0DC5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F52C0D3C116h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE0DC5 second address: DE0DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE0DCE second address: DE0DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE0DD6 second address: DE0DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE0F29 second address: DE0F33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F52C0D3C116h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE3676 second address: DE367C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FEE0 second address: D2FEE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE96A7 second address: DE96AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE96AD second address: DE96BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C11Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE96BB second address: DE96D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB1887h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE99F4 second address: DE99F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE99F8 second address: DE9A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F52C0BB1882h 0x0000000d pushad 0x0000000e jmp 00007F52C0BB187Ah 0x00000013 jmp 00007F52C0BB1886h 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE9A3B second address: DE9A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE9A41 second address: DE9A5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F52C0BB187Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jnc 00007F52C0BB1876h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE9A5F second address: DE9A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE9CEB second address: DE9CFB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F52C0BB1876h 0x00000008 jg 00007F52C0BB1876h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE9F7D second address: DE9F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE9F83 second address: DE9FC8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F52C0BB1876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jl 00007F52C0BB1876h 0x00000013 jmp 00007F52C0BB187Ch 0x00000018 popad 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F52C0BB1884h 0x00000021 push eax 0x00000022 push edx 0x00000023 jg 00007F52C0BB1876h 0x00000029 jno 00007F52C0BB1876h 0x0000002f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE9FC8 second address: DE9FD4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnc 00007F52C0D3C116h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEA2A1 second address: DEA2A7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEA56A second address: DEA58E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F52C0D3C11Ah 0x00000008 jmp 00007F52C0D3C11Fh 0x0000000d jg 00007F52C0D3C116h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEA58E second address: DEA59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F52C0BB1876h 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEAB88 second address: DEAB96 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F52C0D3C116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEAB96 second address: DEABA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F52C0BB1876h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEABA0 second address: DEABAA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F52C0D3C116h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEAE34 second address: DEAE3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEAE3A second address: DEAE44 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F52C0D3C116h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEB3D9 second address: DEB3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEB3DD second address: DEB3E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEB3E1 second address: DEB409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jne 00007F52C0BB1876h 0x0000000d pop edi 0x0000000e pushad 0x0000000f jmp 00007F52C0BB1887h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3E99 second address: DF3E9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3E9F second address: DF3ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F52C0BB187Eh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F52C0BB1884h 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF2E77 second address: DF2E88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 js 00007F52C0D3C116h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF2E88 second address: DF2EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007F52C0BB1881h 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF2EA9 second address: DF2EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF2EAD second address: DF2EBD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F52C0BB1876h 0x00000008 jng 00007F52C0BB1876h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF2EBD second address: DF2ECB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007F52C0D3C116h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3034 second address: DF3041 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F52C0BB1876h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3041 second address: DF3066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F52C0D3C128h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3066 second address: DF3092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0BB1883h 0x00000009 jne 00007F52C0BB1876h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 je 00007F52C0BB187Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3202 second address: DF3206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3206 second address: DF3238 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F52C0BB1876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F52C0BB1880h 0x00000010 jmp 00007F52C0BB1885h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3397 second address: DF339B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3675 second address: DF3695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F52C0BB1886h 0x00000009 jne 00007F52C0BB1876h 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF37FD second address: DF3802 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3802 second address: DF380A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB7F3 second address: DFB803 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F52C0D3C116h 0x0000000a jnl 00007F52C0D3C116h 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9A79 second address: DF9A7E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9A7E second address: DF9A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pushad 0x00000008 jbe 00007F52C0D3C116h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9F12 second address: DF9F3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB187Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007F52C0BB1886h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9F3D second address: DF9F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9F41 second address: DF9F45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9F45 second address: DF9F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9F4F second address: DF9F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F52C0BB1876h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9F59 second address: DF9F5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA1F6 second address: DFA213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB1883h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA213 second address: DFA218 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA52F second address: DFA533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA533 second address: DFA539 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA539 second address: DFA543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA543 second address: DFA549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFAD0B second address: DFAD15 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFAD15 second address: DFAD41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F52C0D3C127h 0x00000011 jmp 00007F52C0D3C121h 0x00000016 jp 00007F52C0D3C11Ah 0x0000001c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFAD41 second address: DFAD53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F52C0BB187Eh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFAD53 second address: DFAD59 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB642 second address: DFB64D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB64D second address: DFB678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F52C0D3C116h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F52C0D3C129h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB678 second address: DFB68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0BB187Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB68B second address: DFB68F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D409B9 second address: D409BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D409BF second address: D409C8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02743 second address: E02755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F52C0BB187Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02755 second address: E02759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E637 second address: E0E63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E12807 second address: E1283E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F52C0D3C127h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1283E second address: E12846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1742A second address: E1742E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1742E second address: E17432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E17432 second address: E17438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E17583 second address: E175A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB187Ah 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jo 00007F52C0BB1876h 0x00000012 jmp 00007F52C0BB187Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E175A8 second address: E175AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2405D second address: E24063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E24063 second address: E24069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2D960 second address: E2D965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2D965 second address: E2D988 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F52C0D3C116h 0x00000009 jmp 00007F52C0D3C120h 0x0000000e jns 00007F52C0D3C116h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2D988 second address: E2D9AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F52C0BB1888h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2D9AF second address: E2D9BB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F52C0D3C116h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2D9BB second address: E2D9D2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F52C0BB187Dh 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2D9D2 second address: E2D9D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2DB35 second address: E2DB3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2DB3B second address: E2DB3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2DB3F second address: E2DB49 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F52C0BB1876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E2DB49 second address: E2DB6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F52C0D3C11Dh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F52C0D3C14Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007F52C0D3C116h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E2DCCF second address: E2DCD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E2DE70 second address: E2DE7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F52C0D3C116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E2DE7A second address: E2DEAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB1889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F52C0BB1880h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E2DEAA second address: E2DEB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E2E35B second address: E2E35F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E2E35F second address: E2E365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E2E365 second address: E2E36A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E2E36A second address: E2E370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E2E370 second address: E2E38E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F52C0BB1888h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E2ED87 second address: E2ED9C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007F52C0D3C116h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c push edi 0x0000000d je 00007F52C0D3C116h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E31E6E second address: E31E82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB1880h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E31ADF second address: E31AF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F52C0D3C116h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E31AF2 second address: E31B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a jns 00007F52C0BB1876h 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007F52C0BB187Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E4B5FA second address: E4B608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jg 00007F52C0D3C116h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E4B608 second address: E4B617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jne 00007F52C0BB1889h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E53A41 second address: E53A48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E53E7B second address: E53E82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E54107 second address: E5410D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E5410D second address: E54117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E54117 second address: E5411D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E5411D second address: E54121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E54121 second address: E5412B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F52C0D3C116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: E575BE second address: E575E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0BB1889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e js 00007F52C0BB1876h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: D801E0 second address: D801E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: D801E6 second address: D801EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: D8039D second address: D803AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F52C0D3C11Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe -- RDTSC instruction interceptor: First address: D803AE second address: D803B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F52C0BB1876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe -- Special instruction interceptor: First address: BD3915 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe -- Special instruction interceptor: First address: D9CC55 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe -- Special instruction interceptor: First address: BD390F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe -- Special instruction interceptor: First address: E07A62 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe -- Memory allocated: 51F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe -- Memory allocated: 5380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe -- Memory allocated: 7380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe -- Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe -- Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe -- Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe -- Window / User API: threadDelayed 8533
Source: C:\Users\user\Desktop\file.exe -- Window / User API: threadDelayed 1272
Source: C:\Users\user\Desktop\file.exe TID: 7824 -- Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7836 -- Thread sleep count: 8533 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7836 -- Thread sleep count: 1272 > 30
Source: C:\Users\user\Desktop\file.exe -- File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe -- File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe -- Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2556769905.0000000000D53000.00000040.00000001.01000000.00000003.sdmp -- Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.9.dr -- Binary or memory string: VMware
Source: Amcache.hve.9.dr -- Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr -- Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr -- Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr -- Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr -- Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr -- Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr -- Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr -- Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr -- Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr -- Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr -- Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000002.2557625492.00000000015A7000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr -- Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr -- Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: file.exe, 00000000.00000002.2557625492.0000000001588000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.9.dr -- Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr -- Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr -- Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr -- Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr -- Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr -- Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr -- Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr -- Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr -- Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr -- Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr -- Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr -- Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr -- Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000002.2556769905.0000000000D53000.00000040.00000001.01000000.00000003.sdmp -- Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.9.dr -- Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe -- System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe -- Process information queried: ProcessInformation

          Anti Debugging

Source: C:\Users\user\Desktop\file.exe -- Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe -- Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe -- Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe -- Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe -- Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe -- Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe -- Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe -- Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe -- Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe -- File opened: NTICE
Source: C:\Users\user\Desktop\file.exe -- File opened: SICE
Source: C:\Users\user\Desktop\file.exe -- File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe -- Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe -- Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe -- Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe -- Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe -- Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe -- Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe -- Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.2556769905.0000000000D53000.00000040.00000001.01000000.00000003.sdmp -- Binary or memory string: SProgram Manager
Source: file.exe, 00000000.00000002.2560743636.0000000005406000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2560743636.00000000053C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2560743636.0000000005437000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Program Manager
Source: file.exe, 00000000.00000002.2560743636.0000000005406000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2560743636.00000000053C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2560743636.0000000005437000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Program Managert-^q
Source: file.exe, 00000000.00000002.2560743636.0000000005406000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2560743636.0000000005437000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2560743636.0000000005414000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: file.exe, 00000000.00000002.2560743636.0000000005406000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2560743636.0000000005437000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2560743636.0000000005414000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: file.exe, 00000000.00000002.2560743636.00000000053C1000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>1986632
Source: file.exe, 00000000.00000002.2560743636.0000000005437000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2560743636.0000000005414000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q
Source: file.exe, 00000000.00000002.2560743636.00000000053C1000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: @\^q@\^q-PING!<Xwormmm>Program Manager<Xwormmm>1986632
Source: file.exe, 00000000.00000002.2560743636.000000000545C000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q$
Source: file.exe, 00000000.00000002.2560743636.00000000053C1000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: $^q-PING!<Xwormmm>Program Manager<Xwormmm>1986632Te^q
Source: file.exe, 00000000.00000002.2560743636.0000000005406000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q$u@
Source: C:\Users\user\Desktop\file.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.9.dr -- Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr -- Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr -- Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr -- Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\file.exe -- WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Stealing of Sensitive Information

Source: Yara match -- File source: 0.2.file.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2556716131.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000003.1636045603.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2560743636.0000000005381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: file.exe PID: 7588, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match -- File source: 0.2.file.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2556716131.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000003.1636045603.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2560743636.0000000005381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: file.exe PID: 7588, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic; the number in parentheses is the count the report attaches to that technique.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (11); Command and Scripting Interpreter (2); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Registry Run Keys / Startup Folder (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (2); Registry Run Keys / Startup Folder (2); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (361); Process Injection (2); Obfuscated Files or Information (1); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (751); Process Discovery (2); Virtualization/Sandbox Evasion (361); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (214); Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Source | Detection | Scanner | Label
file.exe | 35% | Virustotal | 
file.exe | 100% | Avira | TR/Crypt.XPACK.Gen
file.exe | 100% | Joe Sandbox ML | 
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
112.213.116.149 | 0% | Avira URL Cloud | safe
          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
112.213.116.149 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.9.dr | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file.exe, 00000000.00000002.2560743636.0000000005381000.00000004.00000800.00020000.00000000.sdmp | false |  | high
IP | Domain | Country | ASN | ASN Name | Malicious
52.182.143.212 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
112.213.116.149 | unknown | Hong Kong | 38197 | SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1570593
Start date and time: 2024-12-07 11:45:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@2/7@0/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 2.16.158.56, 2.16.158.34, 2.16.158.43, 2.16.158.40, 2.16.158.48, 2.16.158.51, 2.16.158.35, 2.16.158.50, 2.16.158.49
              • Excluded domains from analysis (whitelisted): www.bing.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, umwatson.events.data.microsoft.com, arc.msn.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
              • Not all processes where analyzed, report is missing behavior information
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
05:45:56 | API Interceptor | 1080371x Sleep call for process: file.exe modified
05:47:24 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
10:46:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
Match: 52.182.143.212
Associated Sample Name / URL | Detection | Threat Name
EIuz8Bk9kGav2ix.exe | malicious | Remcos
SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exe | malicious | Unknown
doc20247622056002_pentamix.bat | malicious | GuLoader, Snake Keylogger, VIP Keylogger
file.exe | malicious | Amadey, LummaC Stealer, XWorm
faststone-capture_voLss-1.exe | malicious | PureLog Stealer
ISehgzqm2V.zip | malicious | Remcos
cHQg24hABF.exe | malicious | LummaC, PureLog Stealer, RedLine, Stealc, Vidar, XWorm, zgRAT
PM7K6PbAf0.exe | malicious | LummaC, Amadey, LummaC Stealer, Neoreklami, PureLog Stealer, RedLine, Stealc
Reader_Install_Setup.exe | malicious | Unknown
Download-File-2-Chainz--Dope-Dont-Sell-Itself-Hola-Browser-Setup-C-Mmds4495 (1).exe | malicious | Unknown
                                  No context
Match: SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong
Associated Sample Name / URL | Detection | Threat Name | Context
arm5.elf | malicious | Unknown | 117.19.102.86
jew.ppc.elf | malicious | Unknown | 112.213.114.230
botx.mpsl.elf | malicious | Mirai | 117.19.113.75
wFg25zfjIL.dll | malicious | Unknown | 103.45.64.91
wFg25zfjIL.dll | malicious | Unknown | 103.45.64.91
LSQz1xnW54.exe | malicious | Unknown | 103.45.64.91
http://kklk16.bsyo45ksda.top | malicious | Unknown | 121.127.231.212
botnet.m68k.elf | malicious | Mirai, Moobot | 103.12.151.132
la.bot.arm.elf | malicious | Unknown | 112.213.108.9
rrfVaSCIYc.elf | malicious | Mirai | 103.45.68.22

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
Associated Sample Name / URL | Detection | Threat Name | Context
mips.elf | malicious | Unknown | 21.111.131.81
akcqrfutuo.elf | malicious | Unknown | 22.95.50.95
arm7.elf | malicious | Unknown | 52.226.212.223
xobftuootu.elf | malicious | Unknown | 52.155.190.248
file.exe | malicious | LummaC Stealer | 13.107.246.63
pbnpvwfhco.elf | malicious | Unknown | 22.129.9.29
i586.elf | malicious | Unknown | 20.218.138.44
home.mpsl.elf | malicious | Gafgyt, Mirai | 40.127.68.102
home.m68k.elf | malicious | Gafgyt, Mirai | 20.9.165.239
Note no. ROC 2453-2024.doc | malicious | Unknown | 52.123.243.181
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC Stealer | 52.182.143.212
file.exe | malicious | LummaC Stealer | 52.182.143.212
file.exe | malicious | LummaC Stealer | 52.182.143.212
file.exe | malicious | LummaC Stealer | 52.182.143.212
Note no. ROC 2453-2024.doc | malicious | Unknown | 52.182.143.212
Outstanding_Payment.vbs | malicious | XenoRAT | 52.182.143.212
Outstanding_Payment.vbs_.vbs | malicious | XenoRAT | 52.182.143.212
Outstanding_Payment.vbs_.vbs | malicious | XenoRAT | 52.182.143.212
file.exe | malicious | LummaC Stealer | 52.182.143.212
file.exe | malicious | LummaC Stealer | 52.182.143.212
                                  No context

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.1989612877051405
Encrypted: false
SSDEEP: 192:T1BpVvzdyl30BU/fI3juCvGCMGAzuiFeZ24IO8HVB2:nbplBU/YjlT9AzuiFeY4IO872
MD5: 040A908D6B4B89A1AC6310D162B3D8DA
SHA1: 823B09C9817CB83AFBCA01F3B0B67C942FE96680
SHA-256: 8BF5C606277C2A544A4063E83708A9ED3AC96AB87BA67F6D85700AD5EA8A48F6
SHA-512: 6585ECCCFC9F31DED144F31D64515AACF887451E22B7A81658F8AEEA77B0ACBE5FAA446EEF4DBFFEA3E154068A4323EEBA2575F894A8E1883DF830416CC8F779
Malicious: true
Reputation: low
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.0.4.2.0.3.7.1.1.7.2.9.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.0.4.2.0.3.8.0.3.9.1.7.3.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.0.a.4.d.9.a.-.d.8.7.8.-.4.2.0.d.-.a.f.a.1.-.e.8.c.c.4.9.a.0.3.9.c.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.4.8.4.7.2.a.-.1.2.1.4.-.4.5.f.8.-.8.7.7.c.-.0.e.3.8.b.a.f.f.2.d.b.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.t.e.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.4.-.0.0.0.1.-.0.0.1.4.-.d.d.1.f.-.e.0.2.e.9.5.4.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.b.1.f.5.e.c.8.4.6.3.4.e.a.0.3.a.7.9.a.6.5.e.9.8.c.e.4.7.d.0.a.0.0.0.0.0.0.0.0.!.0.0.0.0.7.7.b.6.e.a.2.3.a.5.4.c.c.b.8.2.e.8.8.f.b.1.e.9.2.e.c.d.2.a.d.2.5.5.2.a.7.9.c.e.!.f.i.l.e...

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Sat Dec 7 10:47:17 2024, 0x1205a4 type
Category: dropped
Size (bytes): 559826
Entropy (8bit): 2.8842625010552236
Encrypted: false
SSDEEP: 3072:1qIwq64uEqgSnJLTgzNy4hXGQZ4eohl7VxtAlwvp2FJSgrAPK:1qIwR46Tghy4xG9eafzx4
MD5: B35310E8F294DA6AE15421A6A01406E9
SHA1: CA5EF63AD16A6C85F582C36845983B5ACA223FE1
SHA-256: 7AF3A8776F7189E8BD2A19FEF35BB266DEACC96B559F87270D2B80C32D55718D
SHA-512: 37125B73A8840CD61942F5C36BFFF4B9A0427253B1A425393559D3ECD6C5F80F4D9FFCD06A3477A396D989BD703924D75906EF372BC49372465A2184BDCA6880
Malicious: false
Reputation: low
                                  Preview:MDMP..a..... ........'Tg......................... ...........2..............T.......8...........T...........pY..b1.........../...........1..............................................................................eJ......D2......GenuineIntel............T..........._'Tg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8380
Entropy (8bit): 3.6906708817701106
Encrypted: false
SSDEEP: 192:R6l7wVeJWCa6EjB6Y9dSU28gmfZDwIprJ489bOAsf7am:R6lXJ46u6Y3SU28gmfm+OTfX
MD5: A31BD219A7C47C5431122B5C92DC1BCC
SHA1: AB981EFBB055BA4D580F78144B91FDB1D82731A6
SHA-256: 0439B857192962406A139FC5B35C303C196E006603F655F621535619556E3E7B
SHA-512: 8DE32DFD82D05E10FD391A8023B735A2D8161E4E5258E554E392C348DD12E93FEB038A1B2B376CB9CBBCFC37574CABE5B9426DB9352A548F7C507D8C11230474
Malicious: false
Reputation: low
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.8.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4704
Entropy (8bit): 4.425791178996497
Encrypted: false
SSDEEP: 48:cvIwWl8zs5iJg77aI94myWpW8VYiYm8M4JH7Fs+q8vzPyGN3hF/d:uIjfGI7Oi7VCJiKTlBhF/d
MD5: 2B5F19C06827DA99C429445F1AF57E6A
SHA1: 1666212249E4FBCC9D1412820A3BB6DB8728C1B0
SHA-256: 3BB4B85ECB37472306B76C3F9420AD50F6C63C8E3F62BD8A08E10071D6B67CAB
SHA-512: A6A9EE2B15898F1CA6EF9320DA0A6BA432CE6A371DED06A5D91AE2C74182FBE5612AD4C451472BBA04E09B8EC9D8A0AC2CD512AEDCAF1EAF54C05FEB6E5BCEC6
Malicious: false
Reputation: low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="620749" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 29
Entropy (8bit): 3.598349098128234
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsra:EFYJKDoWra
MD5: 2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1: 59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256: BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512: 08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious: false
Reputation: moderate, very likely benign file
                                  Preview:....### explorer ###..[WIN]r

Process: C:\Users\user\Desktop\file.exe
File Type: MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category: dropped
Size (bytes): 806
Entropy (8bit): 2.999119845169863
Encrypted: false
SSDEEP: 12:8gl0hsXowAOcQ/tz0/CSL1K4gTCNfBT/v4t2YZ/elFlSJm:8iLDWLA4Vpdqy
MD5: AF06B132025778B0F57C06623DD39B4F
SHA1: 1307579200558ECF4BC04D1624EB295B26FFCA18
SHA-256: BB766AD46FED984616892BAEC7B6510C68374385D1EAE0E0FD55A12240DD47DC
SHA-512: 4951D1A37E7AD5D69A088BD3156A15EBC25724C85701CE3698676C7C18E3C974BD4A06F67167B9ED4FACFC25D10B944D433904EEED18ADAE45B6870EF4A942B5
Malicious: false
Reputation: low
                                  Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....`.2...........msedge.exe..F............................................m.s.e.d.g.e...e.x.e.............\.....\.....\.....\.....\.m.s.e.d.g.e...e.x.e.............y.............>.e.L.:..er.=y...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.465448049472838
Encrypted: false
SSDEEP: 6144:xIXfpi67eLPU9skLmb0b4RWSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbL:SXD94RWlLZMM6YFH1+L
MD5: 934439A2D8CD2CB8FD5F0CA9E1DF4162
SHA1: 9BD6EC2790AACCA71C4205B90E071A3E048563F2
SHA-256: DB908B416F319F1C5A759A8185D140CC3F34546D3A50108F2BFA17F2DA8D64CD
SHA-512: E2438CEC3E6CDBF85BD3E42F45DB8E26132819320FBD95D0372DE3B9551E9DFBF07753632668FD3A929828991F00041A033E8EF27A98076E77E45B475F1B401A
Malicious: false
Reputation: low
                                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmZj.b.H..............................................................................................................................................................................................................................................................................................................................................i..V........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.934076658357078
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'737'216 bytes
MD5: 7006f5208c072600f4dc6b5fc302229d
SHA1: 77b6ea23a54ccb82e88fb1e92ecd2ad2552a79ce
SHA256: 47900f920988863110fa58f9102734aa7ba42b15a3f1f3ff5863d2d3a1d561fe
SHA512: e806ca5708c57bebd90b72af09d0152c140d96ba76812a21bb0bbc7e50d83be37ddc6742f78abc24809437ce8169765f424cb25164ffdc993cb0f0ad9b9a998b
SSDEEP: 24576:kjoFwsZFdf417jLWwHo7v+l+HI7cM3xt8LDGr5wDWMGF8o0s/VY9NyGwaYIfzPVP:SonnIQv+GdM3yC46/VcBha
TLSH: B7853309BA33BC6CD956697C1983B31371381FBFF17B607261A4E52D227362967E8D80
                                  File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Tg..............................D.. ........@.. ....................... E.....^j....@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x84e000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x67541CD5 [Sat Dec 7 10:00:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b

                                  Instruction
                                  jmp 00007F52C07DECCAh

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x534 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
| 0x2000 | 0xa000 | 0x4600 | 4c8a35de30ceca45f46abe2def9f77e9 | False | 0.9995535714285714 | data | 7.964327563991748 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc000 | 0x534 | 0x600 | 8507056f2568463380f880cf50779582 | False | 0.4088541666666667 | data | 4.785785995828827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xe000 | 0x2000 | 0x200 | 042ead42906eac99e4751c4dac9e8955 | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
| 0x10000 | 0x29c000 | 0x200 | 6a97ae2dae9b01be3ec3366dc147c90a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kcsazwfy | 0x2ac000 | 0x1a0000 | 0x19ea00 | 9cab4b2a2e667968907793e2a7942093 | False | 0.9951127713295146 | data | 7.953709762013856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
epcrslpk | 0x44c000 | 0x2000 | 0x600 | ff4be79c2e57b76e8e43ecf44092aaa7 | False | 0.5520833333333334 | data | 4.8031789165288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x44e000 | 0x4000 | 0x2200 | 10915dcc9a1e2511ab82ca4a2996e992 | False | 0.06330422794117647 | DOS executable (COM) | 0.7856249749125117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x23c | data | | | 0.47202797202797203
RT_MANIFEST | 0xc2dc | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535

DLL | Import
kernel32.dll | lstrcpy

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-07T11:46:11.902987+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:12.464518+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:12.583976+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:17.414754+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:17.414754+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:26.312166+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:26.369212+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:40.208493+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:40.211650+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:47.388464+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:47.388464+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:54.093692+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:54.154019+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:54.562724+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:54.671204+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:55.080302+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:55.559235+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:55.622574+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:55.742443+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:56.436181+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:56.664656+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:56.953077+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:57.259676+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:58.084118+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:58.301056+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:46:58.305243+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:46:59.905597+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:00.028993+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:00.192900+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:00.251187+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:00.996989+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:01.028305+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:01.212847+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:01.239866+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:01.655554+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:02.713253+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:02.768850+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:03.075071+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:04.059727+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:04.543047+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:04.734923+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:04.765410+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:05.533470+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:06.018069+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
2024-12-07T11:47:06.367516+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 112.213.116.149 | 7000 | 192.168.2.4 | 49732 | TCP
2024-12-07T11:47:06.575385+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 112.213.116.149 | 7000 | TCP
                                  2024-12-07T11:47:07.412393+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:07.536853+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:07.563530+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:07.937901+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:08.153554+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:08.350153+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:08.438928+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:09.072611+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:09.597139+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:09.598059+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:10.268753+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:10.683412+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:11.350904+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:11.785543+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:12.709959+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:12.717369+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:12.925868+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:12.950349+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:13.882447+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:14.004652+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:14.985397+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:15.864713+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:15.905549+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:16.063519+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:16.301171+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:16.364961+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:16.494864+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:16.930896+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:16.981293+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:17.145059+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732112.213.116.1497000TCP
                                  2024-12-07T11:47:17.702283+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:17.702283+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21112.213.116.1497000192.168.2.449732TCP
                                  2024-12-07T11:47:24.407539+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44982252.182.143.212443TCP
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 7, 2024 11:45:57.551352024 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:45:57.671309948 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:45:57.671392918 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:45:57.785670996 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:45:57.905442953 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:11.902987003 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:12.022680998 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:12.464518070 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:12.516932964 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:12.583976030 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:12.703665018 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:17.414753914 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:17.470060110 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:25.783087015 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:25.902921915 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:26.312165976 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:26.360696077 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:26.369211912 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:26.488922119 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:39.673666000 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:39.793668985 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:40.208492994 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:40.211649895 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:40.331509113 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:47.388463974 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:47.438862085 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:53.564552069 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:53.684408903 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:54.033554077 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:54.093692064 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:54.141982079 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:54.153338909 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:54.154019117 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:54.273852110 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:54.549899101 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:54.562724113 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:54.610233068 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:54.671022892 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:54.671204090 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:54.902225971 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:54.902285099 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.021994114 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.022047043 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.080302000 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.080352068 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.142352104 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.142553091 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.200053930 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.262219906 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.262275934 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.382050991 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.382188082 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.502222061 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.502408028 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.559235096 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.610743046 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.622277021 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.622574091 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.742399931 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.742443085 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.775137901 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.829497099 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.904664040 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.904771090 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:55.998688936 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:55.998840094 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:56.024559975 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.024630070 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:56.118768930 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.118829012 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:56.144391060 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.206763983 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.206815004 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:56.238579988 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.238624096 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:56.326633930 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.358805895 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.430788040 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.436181068 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:56.555951118 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.556396008 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:56.664655924 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.676330090 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.720112085 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:56.856631041 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:56.907629967 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:56.953077078 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:57.072825909 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:57.088740110 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:57.157618999 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:57.259675980 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:57.432691097 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:57.432776928 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:57.552730083 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:57.552814007 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:57.672533989 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:57.672581911 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:57.792368889 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:57.792423010 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:57.912128925 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:57.912177086 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:58.031935930 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.064838886 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:58.084117889 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.084276915 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:58.184760094 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.184815884 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:58.204229116 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.301055908 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.301124096 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:58.305188894 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.305243015 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:58.420888901 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.420943022 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:58.425000906 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.517157078 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.540683031 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.540755987 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:58.660515070 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.660568953 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:58.732903004 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.780323029 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.780373096 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:58.901088953 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.901140928 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:58.970213890 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:58.970272064 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:59.020917892 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.020984888 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:59.090038061 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.090094090 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:59.141119957 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.141175985 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:59.164843082 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.252830982 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.252876997 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:59.260967970 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.373790979 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.373859882 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:59.380686045 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.520792007 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:59.536851883 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.536921978 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:59.596836090 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.656910896 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.656974077 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:59.778001070 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.813879967 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:46:59.860780001 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:46:59.905596972 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:00.028805971 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:00.028992891 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:00.192701101 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:00.192899942 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:00.251187086 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:00.251454115 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:00.312901020 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:00.314033985 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:00.371280909 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:00.371331930 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:00.433837891 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:00.491168976 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:00.531845093 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:00.651779890 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:00.651828051 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:00.771574020 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:00.771645069 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:00.891561031 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:00.908195019 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:00.996989012 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:00.997035027 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.028081894 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.028305054 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.119417906 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.119709015 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.152266026 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.212846994 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.213161945 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.239588022 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.239866018 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.332923889 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.333163977 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.359584093 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.431623936 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.431879997 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.454792023 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.455116034 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.552273035 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.552429914 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.574909925 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.655554056 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.655829906 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.672215939 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.672270060 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.776638985 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.776779890 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.792053938 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.883104086 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.883426905 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:01.896905899 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:01.903131962 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.003226995 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.003349066 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.023113966 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.098695993 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.098805904 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.123704910 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.123755932 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.219526052 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.219585896 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.244499922 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.244556904 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.316914082 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.340462923 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.340503931 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.364304066 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.364346027 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.460269928 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.460316896 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.484163046 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.531672955 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.580080032 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.713253021 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.768791914 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.768850088 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.833007097 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.833055973 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:02.888736010 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.952886105 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:02.962347031 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:03.057478905 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:03.075071096 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:03.178241968 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:03.178344011 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:03.240700960 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:03.244213104 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:03.298132896 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:03.298252106 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:03.365784883 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:03.365880966 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:03.418055058 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:03.418119907 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:03.485928059 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:03.538767099 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:03.642446995 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:03.762427092 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:03.799191952 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:03.918889046 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:03.918931007 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:04.038778067 CET  7000         49732      112.213.116.149  192.168.2.4
Dec 7, 2024 11:47:04.038834095 CET  49732        7000       192.168.2.4      112.213.116.149
Dec 7, 2024 11:47:04.059726954 CET  7000         49732      112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:04.157763958 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:04.200726986 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.200810909 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:04.231023073 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.320619106 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.323945999 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:04.350965023 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.351152897 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:04.470884085 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.476058960 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:04.543046951 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.550013065 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:04.644711971 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.644800901 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:04.669832945 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.734922886 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.735126972 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:04.765316963 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.765409946 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:04.787882090 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.787978888 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:04.885236979 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:04.885534048 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:04.927196026 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.047569036 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.047719955 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:05.216705084 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.216794014 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:05.245707035 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.336822033 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.342062950 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:05.461885929 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.462047100 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:05.533469915 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.533638000 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:05.581844091 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.581888914 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:05.653625011 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.653681040 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:05.701663971 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.701716900 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:05.725409031 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.816795111 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.816899061 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:05.823368073 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.933794975 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.935486078 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:05.936817884 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:05.936875105 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.015294075 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.018069029 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.055399895 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.055524111 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.056706905 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.137876987 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.142080069 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.175488949 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.250788927 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.262069941 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.262294054 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.367516041 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.368083000 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.382409096 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.382484913 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.488053083 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.502764940 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.574500084 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.575385094 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.695224047 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.696054935 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.812844038 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.812901020 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.815953970 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.816004992 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.887465954 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.932739019 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:06.932781935 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:06.935724020 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.052639008 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.052823067 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:07.120944977 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.249923944 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.251514912 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:07.371396065 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.371562958 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:07.412393093 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.536777020 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.536853075 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:07.563529968 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.604515076 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.604589939 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:07.656744957 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.656788111 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:07.683458090 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.764703035 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.764766932 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:07.776484966 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.884552956 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.884598017 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:07.937901020 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:07.939024925 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.004379034 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.004426956 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.059842110 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.124388933 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.126812935 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.153553963 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.153610945 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.275496960 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.275549889 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.350152969 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.350209951 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.438927889 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.440299034 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.520756006 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.520992041 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.560070992 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.640806913 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.640863895 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.686237097 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.686306000 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.760651112 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.760714054 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.806055069 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.880542040 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.880621910 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:08.925281048 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:08.925337076 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:09.000871897 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.000966072 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:09.045341969 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.072611094 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.076251984 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:09.164783001 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.164849997 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:09.193139076 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.196137905 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.284635067 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.284679890 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:09.386560917 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.405179977 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.405224085 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:09.525013924 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.597138882 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.598058939 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:09.717246056 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.717300892 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:09.717811108 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.837063074 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.837115049 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:09.909065962 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.954555035 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:09.956861973 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:09.956906080 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.077114105 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.077187061 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.144777060 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.144870043 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.197413921 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.197472095 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.264627934 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.264687061 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.268753052 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.269006014 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.360763073 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.360815048 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.384474993 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.384524107 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.388921022 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.467669010 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.480712891 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.480787039 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.504643917 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.604825020 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.604883909 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.683412075 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.683475971 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.726530075 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.726583958 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.803354979 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.803406000 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.847978115 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.848035097 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.918831110 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.918886900 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.924675941 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.924746990 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:10.967717886 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:10.967766047 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:11.038845062 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.038903952 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:11.044864893 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.087841034 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.087891102 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:11.116998911 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.118055105 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:11.204658985 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.204710007 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:11.209366083 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.244417906 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.244487047 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:11.325858116 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.350903988 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.350958109 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:11.432742119 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.432782888 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:11.470912933 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.470961094 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:11.552602053 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.560627937 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.632805109 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.632848024 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:11.752578020 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.784723997 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.785542965 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:11.952728987 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:11.952811003 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:12.020878077 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.072669983 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.072757006 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:12.194233894 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.194282055 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:12.216607094 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.356770992 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.356827974 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:12.477605104 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.477657080 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:12.597485065 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.597536087 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:12.709959030 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.710031033 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:12.717312098 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.717369080 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:12.830133915 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.830379009 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:12.855586052 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.925868034 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.925945044 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:12.950202942 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:12.950349092 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:13.045970917 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.046037912 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:13.070121050 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.142385960 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.142462015 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:13.165858984 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.166032076 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:13.262474060 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.262520075 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:13.285804033 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.358097076 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.358259916 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:13.382380962 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.478204966 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.478252888 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:13.574886084 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.598011017 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.657670021 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:13.790170908 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:13.860790014 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:13.882447004 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:14.002213001 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:14.004652023 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:14.028831005 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:14.157660961 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:14.172849894 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:14.172894001 CET497327000192.168.2.4112.213.116.149
                                  Dec 7, 2024 11:47:14.221681118 CET700049732112.213.116.149192.168.2.4
                                  Dec 7, 2024 11:47:14.222071886 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:14.292658091 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:14.292789936 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:14.342363119 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:14.346060991 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:14.412568092 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:14.412651062 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:14.465936899 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:14.465984106 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:14.534238100 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:14.585669994 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:14.611268997 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:14.733150005 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:14.733207941 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:14.853173018 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:14.853226900 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:14.972980022 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:14.973028898 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:14.985397100 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.085163116 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:15.136966944 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.137056112 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:15.198195934 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.198376894 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:15.256882906 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.256953955 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:15.318150043 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.318234921 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:15.378751993 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.413984060 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.484937906 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.485193014 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:15.605021954 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.613562107 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:15.629975080 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.776782990 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.776923895 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:15.864712954 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.870037079 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:15.899255037 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:15.905549049 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:15.992779970 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:16.025350094 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:16.062674046 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:16.063519001 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:16.244755030 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:16.244832993 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:16.301171064 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:16.360785007 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:16.364914894 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:16.364960909 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:16.485120058 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:16.494863987 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:16.548301935 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:16.710118055 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:16.834399939 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:16.930896044 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:16.981292963 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:17.145011902 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:17.145059109 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:17.203783035 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:17.203838110 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:17.265789032 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:17.265841961 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:17.323702097 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:17.385557890 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:17.702282906 CET  7000  49732  112.213.116.149  192.168.2.4
                                  Dec 7, 2024 11:47:17.860802889 CET  49732  7000  192.168.2.4  112.213.116.149
                                  Dec 7, 2024 11:47:22.771922112 CET  49822  443  192.168.2.4  52.182.143.212
                                  Dec 7, 2024 11:47:22.771940947 CET  443  49822  52.182.143.212  192.168.2.4
                                  Dec 7, 2024 11:47:22.772002935 CET  49822  443  192.168.2.4  52.182.143.212
                                  Dec 7, 2024 11:47:22.775088072 CET  49822  443  192.168.2.4  52.182.143.212
                                  Dec 7, 2024 11:47:22.775105953 CET  443  49822  52.182.143.212  192.168.2.4
                                  Dec 7, 2024 11:47:24.407345057 CET  443  49822  52.182.143.212  192.168.2.4
                                  Dec 7, 2024 11:47:24.407538891 CET  49822  443  192.168.2.4  52.182.143.212
                                  Dec 7, 2024 11:47:24.407550097 CET  443  49822  52.182.143.212  192.168.2.4
                                  Dec 7, 2024 11:47:24.407761097 CET  49822  443  192.168.2.4  52.182.143.212
                                  Dec 7, 2024 11:47:24.409490108 CET  49822  443  192.168.2.4  52.182.143.212
                                  Dec 7, 2024 11:47:24.409495115 CET  443  49822  52.182.143.212  192.168.2.4
                                  Dec 7, 2024 11:47:24.409698963 CET  443  49822  52.182.143.212  192.168.2.4
                                  Dec 7, 2024 11:47:24.454560041 CET  49822  443  192.168.2.4  52.182.143.212
                                  Dec 7, 2024 11:47:24.460469007 CET  49822  443  192.168.2.4  52.182.143.212
                                  Dec 7, 2024 11:47:24.461266041 CET  49822  443  192.168.2.4  52.182.143.212
                                  Dec 7, 2024 11:47:25.606046915 CET  49732  7000  192.168.2.4  112.213.116.149
                                  • umwatson.events.data.microsoft.com
                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                  0  192.168.2.4  49822  52.182.143.212  443  8  C:\Windows\SysWOW64\WerFault.exe
                                  Timestamp  Bytes transferred  Direction  Data
                                  2024-12-07 10:47:24 UTC  178  OUT  POST /Telemetry.Request HTTP/1.1
                                  Connection: Keep-Alive
                                  User-Agent: MSDW
                                  MSA_DeviceTicket_Error: 0x80004004
                                  Content-Length: 4708
                                  Host: umwatson.events.data.microsoft.com

                                  Target ID:0
                                  Start time:05:45:51
                                  Start date:07/12/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0xbc0000
                                  File size:1'737'216 bytes
                                  MD5 hash:7006F5208C072600F4DC6B5FC302229D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2556716131.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2556716131.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000003.1636045603.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000003.1636045603.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2560743636.0000000005381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true

                                  Target ID:9
                                  Start time:05:47:16
                                  Start date:07/12/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 3052
                                  Imagebase:0x330000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                    Execution Graph

                                    Execution Coverage:8.3%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:12
                                    Total number of Limit Nodes:2
                                    execution_graph (rendered graph; node list condensed): 5236350 -> 5236394 SetWindowsHookExW -> 52363da; 523b208 -> 523b24e GetCurrentProcess -> 523b2a0 GetCurrentThread -> 523b2dd GetCurrentProcess -> 523b313 -> 523b33b GetCurrentThreadId -> 523b36c

                                    Control-flow Graph (rendered graph; node list omitted): function entry 52348f8, calls 52337e8, 5230168, 5233848 and 52338e8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2560169180.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5230000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ,bbq$@b^q$]$$^q$;^q
                                    • API String ID: 0-811305235
                                    • Opcode ID: 91b5eda000bb5e98301b075a07093758956e5273d650b7e68d4a61b56b042922
                                    • Instruction ID: f3cbfebca290f1ca099683f27eb444a96e9dfbdccfd967dc9c9c0f7f4c39fc67
                                    • Opcode Fuzzy Hash: 91b5eda000bb5e98301b075a07093758956e5273d650b7e68d4a61b56b042922
                                    • Instruction Fuzzy Hash: 60027D70B102198FDB14DF28D899B6E7BB7BF85300F1484A9E9099B3A1CB35DD85CB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2560169180.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5230000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Hbq$Hbq$]
                                    • API String ID: 0-65184884
                                    • Opcode ID: 8655bb5d932bcb67ffe1b7e89c801f9f9b047ac8a4b07a8f7a4c4deebb65c356
                                    • Instruction ID: 389d3598773ccb64ca29a1caa6fb950f0d8ffe1c2c1a0884aaf7f39798bdeb9e
                                    • Opcode Fuzzy Hash: 8655bb5d932bcb67ffe1b7e89c801f9f9b047ac8a4b07a8f7a4c4deebb65c356
                                    • Instruction Fuzzy Hash: 17228F70B202159FDB04EF69D859BAE7BB7BF88700F148469E50A9B390CF35DD428B91

                                    Control-flow Graph (rendered graph; node list omitted): function entry 52338e8, calls 5230168 and 52302d8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2560169180.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5230000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Hbq$$^q$$^q
                                    • API String ID: 0-1611274095
                                    • Opcode ID: 32a7618d44afd314ff331b9f529976f7e1b5f41a2be54cb38b50498dca20c14e
                                    • Instruction ID: cb6230485c2b632f771190a2d6c9fdc31a99329f475491062a8227d899afff7d
                                    • Opcode Fuzzy Hash: 32a7618d44afd314ff331b9f529976f7e1b5f41a2be54cb38b50498dca20c14e
                                    • Instruction Fuzzy Hash: 43F19F7172021A9FCB05DF78D8556AE7BA7BF94600F148829E906DB390DF34DE06CB91

                                    Control-flow Graph (rendered graph; node list omitted): function entry 5231328, calls 5230298, 52302a8, 5232938, 5234301, 5235397 and 52302b8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2560169180.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5230000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $^q$$^q$$^q
                                    • API String ID: 0-831282457
                                    • Opcode ID: 70d701962f378cd228d0318955f3ed3d83140992beb2de399f2269784c6ff2c1
                                    • Instruction ID: 72166c9b6bed7cd6cb944c33d814ae2320ed07954b02be53722f02638c20e40e
                                    • Opcode Fuzzy Hash: 70d701962f378cd228d0318955f3ed3d83140992beb2de399f2269784c6ff2c1
                                    • Instruction Fuzzy Hash: 1BF191307203059FDB08AB75D969B6E7BA7BFC8700F148428E9069B3A5DF759C06CB91

                                    Control-flow Graph (rendered graph; node list omitted): function entry 523b203, calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId and 523b3e8 / 523b3d8
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0523B286
                                    • GetCurrentThread.KERNEL32 ref: 0523B2C3
                                    • GetCurrentProcess.KERNEL32 ref: 0523B300
                                    • GetCurrentThreadId.KERNEL32 ref: 0523B359
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2560169180.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5230000_file.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 36a49fc06fb6af488343eb5790cd77d5fabc4bdb728ce8aaefff4ba07a5707ee
                                    • Instruction ID: 47123a6e786c55bea23e57a656c92c70dd0e611053c1387a42782872f9287120
                                    • Opcode Fuzzy Hash: 36a49fc06fb6af488343eb5790cd77d5fabc4bdb728ce8aaefff4ba07a5707ee
                                    • Instruction Fuzzy Hash: 865156B0A00209CFDB04DFA9D949BEEBBF1EF48314F24C569D45AA7260CB749984CF65

                                    Control-flow Graph (rendered graph; node list omitted): function entry 523b208, calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId and 523b3e8 / 523b3d8
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0523B286
                                    • GetCurrentThread.KERNEL32 ref: 0523B2C3
                                    • GetCurrentProcess.KERNEL32 ref: 0523B300
                                    • GetCurrentThreadId.KERNEL32 ref: 0523B359
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2560169180.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5230000_file.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 6d34b00ce073117f95537d9c139e6bc46fb791bda7e70ead5e91d6ee50f39f78
                                    • Instruction ID: 36737b1bd7a207b47f4fdcd3a07626626d2fd81804627b2637197928a2bf2999
                                    • Opcode Fuzzy Hash: 6d34b00ce073117f95537d9c139e6bc46fb791bda7e70ead5e91d6ee50f39f78
                                    • Instruction Fuzzy Hash: 185156B0900209DFDB04CFA9D548BAEBBF1EF48304F24C469D41AA7360DB74A984CF65

                                    Control-flow Graph (rendered graph; node list omitted): function entry 5236348, calls SetWindowsHookExW
                                    APIs
                                    • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 052363CB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2560169180.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5230000_file.jbxd
                                    Similarity
                                    • API ID: HookWindows
                                    • String ID:
                                    • API String ID: 2559412058-0
                                    • Opcode ID: a8b79ef68bc8af567aca0de6d01233fd6a2aa29c2a275c32b14ab13dbfa064a9
                                    • Instruction ID: d6f05f3ddb26fc17589e3da79fcf022e57d3a1d24aa4a1b1a8d038069578519b
                                    • Opcode Fuzzy Hash: a8b79ef68bc8af567aca0de6d01233fd6a2aa29c2a275c32b14ab13dbfa064a9
                                    • Instruction Fuzzy Hash: AA2138B29042499FCB14CFA9C944BDEFBF5AF88320F14842AE459A7250C774A984CFA1

                                    Control-flow Graph (rendered graph; node list omitted): function entry 5236350, calls SetWindowsHookExW
                                    APIs
                                    • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 052363CB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2560169180.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5230000_file.jbxd
                                    Similarity
                                    • API ID: HookWindows
                                    • String ID:
                                    • API String ID: 2559412058-0
                                    • Opcode ID: 3c47b224afc5247a80ea1d05ce05e5577c53f46c7992e508dbf5a71af39cfd00
                                    • Instruction ID: 27797ad0865e1b62f8d3f26c4ecdb966ae8510b2c2c9db871b2e4f07e6ea8d5c
                                    • Opcode Fuzzy Hash: 3c47b224afc5247a80ea1d05ce05e5577c53f46c7992e508dbf5a71af39cfd00
                                    • Instruction Fuzzy Hash: 1E2115B29042099FCB14CFAAC944BEEFBF5AF88320F108429E459A7250C774A944CFA5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2559452037.0000000004FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FFD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4ffd000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: adf6c8048cea2b2b24c98c73faaed65731674feb5956868ca811e32afafc94ee
                                    • Instruction ID: 9365a1fe90ffa76ad248a7d3bd576f3e8e49dc5c2b4c4ed87938c0d8cfefa610
                                    • Opcode Fuzzy Hash: adf6c8048cea2b2b24c98c73faaed65731674feb5956868ca811e32afafc94ee
                                    • Instruction Fuzzy Hash: D2210372604200DFDB05DF14DAC4B26BF65FF94318F288569EA0A4B226C336F456CAA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2559452037.0000000004FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FFD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4ffd000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1c80fadda97caa070d47f28b9b8443b4658d4a762da1952e66fd849131f4e652
                                    • Instruction ID: 3887434f0f65c0eb7d67c0923b45f3f318c6c819fa634e73cab2a1d0c769c4a6
                                    • Opcode Fuzzy Hash: 1c80fadda97caa070d47f28b9b8443b4658d4a762da1952e66fd849131f4e652
                                    • Instruction Fuzzy Hash: 82212572A04204DFDB05DF14DEC4B26BF65FF98314F248569EA0E4B266C336E457CAA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2559566801.000000000500D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0500D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_500d000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b258e15b0d6cfe61927959a46bd06c76a53f0503fd433564725b676a451d7d8e
                                    • Instruction ID: 5d679d3e4a01133bd5203bc5070e4410480da53f962c4ec432bc06fb1b16b9fd
                                    • Opcode Fuzzy Hash: b258e15b0d6cfe61927959a46bd06c76a53f0503fd433564725b676a451d7d8e
                                    • Instruction Fuzzy Hash: 63214672544204EFEB04DF54E9C4F6EBBA2FB84314F28C56DD8094B296CB3AD446CA71
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2559566801.000000000500D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0500D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_500d000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 59b00edbf5914ba1d6774f1521330571b4c4bb4b1d7d0ce14e655526e36856c8
                                    • Instruction ID: dcfa25e17ed4d90f938e717c8f70cedeab0dcdf495a85ee0ee96fc78f7a5f72a
                                    • Opcode Fuzzy Hash: 59b00edbf5914ba1d6774f1521330571b4c4bb4b1d7d0ce14e655526e36856c8
                                    • Instruction Fuzzy Hash: 8B21D072644200DFEB14DF64E584B2BBBA6FB84314F60C669D90D4B291C336D846C671
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2559566801.000000000500D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0500D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_500d000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0370ceaa47f376775143007fbf6275e60628d90394129f860b05cc6fc2f6f022
                                    • Instruction ID: 6435adea2f1bb388a573ea00ee53dc7e432bd6e003383f4596f87ef20bcc490f
                                    • Opcode Fuzzy Hash: 0370ceaa47f376775143007fbf6275e60628d90394129f860b05cc6fc2f6f022
                                    • Instruction Fuzzy Hash: ED2193765483809FD716CF64D984B16BFB1FB45314F28C5AAD8498B292C33AD846CB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2559452037.0000000004FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FFD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4ffd000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 20a79bdc70fafdd4f01ac923dbc2bce50329bcf4eebf8cc04ff9bca8ffa494ba
                                    • Instruction ID: 166d47af8361311d41d40ff10fc1436f4911205fa7f88ad7bb2c0b72772debe2
                                    • Opcode Fuzzy Hash: 20a79bdc70fafdd4f01ac923dbc2bce50329bcf4eebf8cc04ff9bca8ffa494ba
                                    • Instruction Fuzzy Hash: B411D676904240CFDB05CF14D9C4B16BF71FF94314F28C5A9D9094B626C336E456CBA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2559452037.0000000004FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FFD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_4ffd000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 20a79bdc70fafdd4f01ac923dbc2bce50329bcf4eebf8cc04ff9bca8ffa494ba
                                    • Instruction ID: d56fd0fe38126bdefb9731f002f1bc73e9fd55fc66362d3200c5eec656f4526f
                                    • Opcode Fuzzy Hash: 20a79bdc70fafdd4f01ac923dbc2bce50329bcf4eebf8cc04ff9bca8ffa494ba
                                    • Instruction Fuzzy Hash: 8611B176904240DFDB16CF14D9C4B16BF71FF94314F24C5A9D90A0B666C336E45ACBA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2559566801.000000000500D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0500D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_500d000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f3a0e4954b48d90bce02da7e4ec7046fd9ae97f8adeba2b794c087dee64acebb
                                    • Instruction ID: 010ee1edc06c55bcc4383068251e6ecb8aa271eb4aa155b18976996b50a756fc
                                    • Opcode Fuzzy Hash: f3a0e4954b48d90bce02da7e4ec7046fd9ae97f8adeba2b794c087dee64acebb
                                    • Instruction Fuzzy Hash: 16110076504240DFEB01CF50E9C4B29FFA2FB44314F28C6AADC094B292C33AD44ACB61