Windows Analysis Report
QeM0UAj5PK.exe

Overview

General Information

Sample name: QeM0UAj5PK.exe (renamed because original name is a hash value)
Original sample name: eef66f7ed3017bb63348c2887fba3211.exe
Analysis ID: 1579654
MD5: eef66f7ed3017bb63348c2887fba3211
SHA1: b018c6372cf4bfe76f1a82625bf41d0dc4aeac87
SHA256: 2c739c3abb40ea9befaa9a095bf529c54c7934659ef0c963bd90653c2459869c
Tags: exe, user-abuse_ch
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • QeM0UAj5PK.exe (PID: 4324 cmdline: "C:\Users\user\Desktop\QeM0UAj5PK.exe" MD5: EEF66F7ED3017BB63348C2887FBA3211)
    • WerFault.exe (PID: 4308 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1132 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: QeM0UAj5PK.exeAvira: detected
Source: QeM0UAj5PK.exeReversingLabs: Detection: 63%
Source: QeM0UAj5PK.exeVirustotal: Detection: 69%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Source: QeM0UAj5PK.exeJoe Sandbox ML: detected
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_d1ddebcd-6
Source: QeM0UAj5PK.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: Joe Sandbox ViewIP Address: 98.85.100.80 98.85.100.80
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: httpbin.org
Source: global trafficDNS traffic detected: DNS query: home.fivetk5ht.top
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://.css
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://.jpg
Source: QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17
Source: QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2480531638.000000000157E000.00000004.00000020.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2480531638.00000000015DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
Source: QeM0UAj5PK.exe, 00000000.00000002.2480531638.00000000015DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851%-
Source: QeM0UAj5PK.exe, 00000000.00000002.2480531638.000000000157E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17345798516963
Source: QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://html4/loose.dtd
Source: Amcache.hve.4.drString found in binary or memory: http://upx.sf.net
Source: QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://httpbin.org/ip
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://httpbin.org/ipbefore
Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: QeM0UAj5PK.exeStatic PE information: section name:
Source: QeM0UAj5PK.exeStatic PE information: section name: .idata
Source: QeM0UAj5PK.exeStatic PE information: section name:
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1132
Source: QeM0UAj5PK.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: QeM0UAj5PK.exeStatic PE information: Section: glsblkrs ZLIB complexity 0.9944007452333523
Source: classification engineClassification label: mal100.evad.winEXE@2/5@14/1
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeMutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4324
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\50dbb5ef-9ad3-44f9-ac60-8547d609e584Jump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: QeM0UAj5PK.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknownProcess created: C:\Users\user\Desktop\QeM0UAj5PK.exe "C:\Users\user\Desktop\QeM0UAj5PK.exe"
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeSection loaded: windowscodecs.dllJump to behavior
Source: QeM0UAj5PK.exeStatic file information: File size 4455424 > 1048576
Source: QeM0UAj5PK.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x284c00
Source: QeM0UAj5PK.exeStatic PE information: Raw size of glsblkrs is bigger than: 0x100000 < 0x1b7400

Data Obfuscation

Source: C:\Users\user\Desktop\QeM0UAj5PK.exeUnpacked PE file: 0.2.QeM0UAj5PK.exe.30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;glsblkrs:EW;igcnuqxg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;glsblkrs:EW;igcnuqxg:EW;.taggant:EW;
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: QeM0UAj5PK.exeStatic PE information: real checksum: 0x44c0eb should be: 0x44675b
Source: QeM0UAj5PK.exeStatic PE information: section name:
Source: QeM0UAj5PK.exeStatic PE information: section name: .idata
Source: QeM0UAj5PK.exeStatic PE information: section name:
Source: QeM0UAj5PK.exeStatic PE information: section name: glsblkrs
Source: QeM0UAj5PK.exeStatic PE information: section name: igcnuqxg
Source: QeM0UAj5PK.exeStatic PE information: section name: .taggant
Source: QeM0UAj5PK.exeStatic PE information: section name: glsblkrs entropy: 7.954343742162055

Boot Survival

Source: C:\Users\user\Desktop\QeM0UAj5PK.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeWindow searched: window name: RegmonClassJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeWindow searched: window name: RegmonclassJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeWindow searched: window name: FilemonclassJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\QeM0UAj5PK.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: PROCMON.EXE
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: X64DBG.EXE
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: WINDBG.EXE
Source: QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 914A3E second address: 914A45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 914C00 second address: 914C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 914EC1 second address: 914EDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F0C34C21D98h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 914EDF second address: 914EE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 914EE3 second address: 914F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0C34C21D8Ah 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e pushad 0x0000000f jc 00007F0C34C21D86h 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 915762 second address: 91576E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0C34E82BA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 91576E second address: 915786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D8Bh 0x00000007 jnp 00007F0C34C21D86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 8E8964 second address: 8E897B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0C34E82BA8h 0x0000000a pushad 0x0000000b jc 00007F0C34E82BA6h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 8E897B second address: 8E89A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F0C34C21D8Eh 0x00000014 pushad 0x00000015 jc 00007F0C34C21D86h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 915E98 second address: 915E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 915E9C second address: 915EAC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0C34C21D86h 0x00000008 jnp 00007F0C34C21D86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 915EAC second address: 915EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F0C34E82BA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 916145 second address: 916149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 916149 second address: 91616C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BAFh 0x00000007 jmp 00007F0C34E82BB0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 91941C second address: 91942E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007F0C34C21D86h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 91942E second address: 919433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 918A03 second address: 918A08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 919A9C second address: 919AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 91ADD7 second address: 91ADE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 922409 second address: 922414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0C34E82BA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9218D0 second address: 9218EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C34C21D96h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9218EF second address: 9218F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9218F5 second address: 9218F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9218F9 second address: 9218FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 921B91 second address: 921BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C34C21D8Dh 0x00000009 jmp 00007F0C34C21D93h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 922116 second address: 92211C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92211C second address: 922131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 922131 second address: 922135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 922277 second address: 922284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F0C34C21D86h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 922284 second address: 9222AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0C34E82BAFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92320F second address: 923215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9232C4 second address: 9232EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 xor dword ptr [esp], 478BFDC1h 0x0000000d jnc 00007F0C34E82BACh 0x00000013 call 00007F0C34E82BA9h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push edx 0x0000001e pop edx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9232EE second address: 923326 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edi 0x0000000f jnp 00007F0C34C21D88h 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007F0C34C21D8Eh 0x00000021 mov eax, dword ptr [eax] 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 923326 second address: 92332A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92332A second address: 92335E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0C34C21D92h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F0C34C21D95h 0x00000018 jmp 00007F0C34C21D8Fh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92380D second address: 923811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 924108 second address: 92410E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9242D6 second address: 9242DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 924966 second address: 924A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F0C34C21D8Ah 0x00000010 add dword ptr [ebp+12A23766h], edx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F0C34C21D88h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 mov edi, 2FD31C4Ch 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007F0C34C21D88h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 sbb di, D452h 0x00000058 xchg eax, ebx 0x00000059 jl 00007F0C34C21D98h 0x0000005f pushad 0x00000060 jmp 00007F0C34C21D8Eh 0x00000065 pushad 0x00000066 popad 0x00000067 popad 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F0C34C21D97h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 924A02 second address: 924A07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 926484 second address: 926488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 925C5E second address: 925C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 926488 second address: 92648E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 925C62 second address: 925C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92648E second address: 926494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 926494 second address: 926498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 927017 second address: 92701C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92701C second address: 927030 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0C34E82BAFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 926DB8 second address: 926DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 927030 second address: 927098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F0C34E82BB0h 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 nop 0x00000016 add dword ptr [ebp+12A238B0h], edx 0x0000001c mov esi, dword ptr [ebp+12A22B85h] 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+12B9F6EEh], edi 0x0000002a push 00000000h 0x0000002c mov esi, dword ptr [ebp+12A22A4Dh] 0x00000032 xchg eax, ebx 0x00000033 jl 00007F0C34E82BC4h 0x00000039 pushad 0x0000003a jc 00007F0C34E82BA6h 0x00000040 jmp 00007F0C34E82BB6h 0x00000045 popad 0x00000046 push eax 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 926DBE second address: 926DC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 927098 second address: 92709C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 926DC2 second address: 926DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 927A4B second address: 927A6A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0C34E82BACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007F0C34E82BB2h 0x00000011 jc 00007F0C34E82BACh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 927811 second address: 92781B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0C34C21D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92906E second address: 929092 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jmp 00007F0C34E82BAAh 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 929092 second address: 929112 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F0C34C21D86h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F0C34C21D88h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 add dword ptr [ebp+12BBB337h], esi 0x0000002f call 00007F0C34C21D91h 0x00000034 mov dword ptr [ebp+12A2264Ch], esi 0x0000003a pop edi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F0C34C21D88h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000015h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov dword ptr [ebp+12A21985h], ebx 0x0000005d push 00000000h 0x0000005f mov esi, dword ptr [ebp+12A219B8h] 0x00000065 xchg eax, ebx 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 push esi 0x0000006a pop esi 0x0000006b rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 928E15 second address: 928E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 929112 second address: 929129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 929ACD second address: 929B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F0C34E82BA8h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 sub dword ptr [ebp+12A238B0h], edi 0x00000027 mov esi, 0563819Bh 0x0000002c push 00000000h 0x0000002e movsx edi, bx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F0C34E82BA8h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 0000001Bh 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d mov edi, 37EC6E5Dh 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92A3A2 second address: 92A3AC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C34C21D8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92E343 second address: 92E347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92F194 second address: 92F1A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C34C21D8Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92E347 second address: 92E34B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92E34B second address: 92E3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F0C34C21D8Ch 0x0000000f jmp 00007F0C34C21D8Bh 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov dword ptr [ebp+12A2312Eh], eax 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F0C34C21D88h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 mov bx, dx 0x00000045 mov eax, dword ptr [ebp+12A20FEDh] 0x0000004b push 00000000h 0x0000004d push edx 0x0000004e call 00007F0C34C21D88h 0x00000053 pop edx 0x00000054 mov dword ptr [esp+04h], edx 0x00000058 add dword ptr [esp+04h], 00000019h 0x00000060 inc edx 0x00000061 push edx 0x00000062 ret 0x00000063 pop edx 0x00000064 ret 0x00000065 mov edi, dword ptr [ebp+12A22B45h] 0x0000006b push FFFFFFFFh 0x0000006d push ecx 0x0000006e ja 00007F0C34C21D99h 0x00000074 pop ebx 0x00000075 nop 0x00000076 pushad 0x00000077 push eax 0x00000078 push edx 0x00000079 jng 00007F0C34C21D86h 0x0000007f rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92F24D second address: 92F269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C34E82BB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 930242 second address: 9302D1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 je 00007F0C34C21D8Ah 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F0C34C21D88h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F0C34C21D88h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 mov dword ptr [ebp+12A21825h], eax 0x0000004f xor edi, 1CEE4109h 0x00000055 push 00000000h 0x00000057 jmp 00007F0C34C21D93h 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F0C34C21D96h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9302D1 second address: 9302D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9302D7 second address: 9302DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 930418 second address: 93043A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0C34E82BB9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 931383 second address: 93143F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0C34C21D94h 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F0C34C21D88h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+12A225E6h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F0C34C21D88h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov dword ptr [ebp+12A2260Bh], ecx 0x00000054 push 00000000h 0x00000056 mov dword ptr [ebp+12A23073h], edi 0x0000005c xchg eax, esi 0x0000005d jmp 00007F0C34C21D97h 0x00000062 push eax 0x00000063 pushad 0x00000064 jmp 00007F0C34C21D97h 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 931557 second address: 93156E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0C34E82BA6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F0C34E82BA8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 932387 second address: 93238C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 93238C second address: 932392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 932392 second address: 932396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 932396 second address: 9323AC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0C34E82BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d je 00007F0C34E82BB4h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92C1AA second address: 92C1B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92C1B0 second address: 92C1BA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C34E82BACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92C1BA second address: 92C1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92C1CA second address: 92C1CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95F0A7 second address: 95F0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95F0AB second address: 95F0C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0C34E82BAEh 0x0000000d jnc 00007F0C34E82BA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95F0C7 second address: 95F0ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D90h 0x00000007 jmp 00007F0C34C21D92h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95F0ED second address: 95F0F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95F0F3 second address: 95F0F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95F0F7 second address: 95F103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95F103 second address: 95F116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C34C21D8Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95F258 second address: 95F264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0C34E82BA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95F7FC second address: 95F81A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C34C21D95h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95F81A second address: 95F81E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95F81E second address: 95F837 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 95FB46 second address: 95FB4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 962E6A second address: 962E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9682E1 second address: 9682E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9682E7 second address: 9682ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9682ED second address: 968307 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0C34E82BA8h 0x00000008 pushad 0x00000009 jmp 00007F0C34E82BADh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 96849E second address: 9684A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 968A0F second address: 968A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 968A15 second address: 968A33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F0C34C21D86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007F0C34C21D8Ch 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 96922E second address: 969232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 969232 second address: 969252 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D8Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F0C34C21D8Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 969252 second address: 969256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 969256 second address: 969273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C34C21D94h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 96E9B5 second address: 96E9B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 8DB873 second address: 8DB879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 8DB879 second address: 8DB87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97258E second address: 972598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 977FD0 second address: 977FE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F0C34E82BA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 976D4E second address: 976D54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92BB7C second address: 92BBF4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0C34E82BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+12BAF661h], ecx 0x00000014 push 00000004h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F0C34E82BA8h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov ecx, dword ptr [ebp+12A22BB5h] 0x00000036 or ecx, dword ptr [ebp+12A2310Dh] 0x0000003c nop 0x0000003d pushad 0x0000003e jmp 00007F0C34E82BB9h 0x00000043 push eax 0x00000044 jmp 00007F0C34E82BADh 0x00000049 pop eax 0x0000004a popad 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push esi 0x0000004f pushad 0x00000050 popad 0x00000051 pop esi 0x00000052 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 92BBF4 second address: 92BBF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9771FE second address: 977206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 977370 second address: 977389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F0C34C21D91h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97C2DB second address: 97C2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97C2E1 second address: 97C2E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97C2E6 second address: 97C2F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C34E82BABh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97C2F7 second address: 97C2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97C5BE second address: 97C5E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0C34E82BA6h 0x0000000a push ebx 0x0000000b jno 00007F0C34E82BA6h 0x00000011 pop ebx 0x00000012 jmp 00007F0C34E82BB3h 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97C726 second address: 97C737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jnp 00007F0C34C21D86h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97C737 second address: 97C73F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97C73F second address: 97C74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F0C34C21D86h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97C74E second address: 97C752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97C752 second address: 97C758 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97FC4E second address: 97FC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97FC54 second address: 97FC69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C34C21D90h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97FC69 second address: 97FC7A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 js 00007F0C34E82BA6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ecx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97FC7A second address: 97FC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c jng 00007F0C34C21D86h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97F5E1 second address: 97F5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97F5E5 second address: 97F5F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D8Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 97F5F6 second address: 97F614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0C34E82BB5h 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9872A8 second address: 9872C6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0C34C21D98h 0x00000008 jmp 00007F0C34C21D8Ch 0x0000000d jp 00007F0C34C21D86h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9855E1 second address: 9855FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 985BF1 second address: 985BF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 985BF5 second address: 985BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 985BFB second address: 985C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 985C01 second address: 985C08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 985E8B second address: 985EA2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0C34C21D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b je 00007F0C34C21D86h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 985EA2 second address: 985EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C34E82BB1h 0x00000009 jns 00007F0C34E82BA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 985EBF second address: 985ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 985ECB second address: 985ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 986742 second address: 986748 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 986748 second address: 98676D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0C34E82BB0h 0x0000000b popad 0x0000000c jbe 00007F0C34E82BC1h 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007F0C34E82BA6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9907A9 second address: 9907B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0C34C21D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9907B3 second address: 9907C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0C34E82BAEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9907C9 second address: 9907CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 8ED8A2 second address: 8ED8B2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0C34E82BA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 98F9F0 second address: 98FA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F0C34C21D8Fh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F0C34C21D8Dh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 98FA1C second address: 98FA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 98FA22 second address: 98FA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F0C34C21D95h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 98FA44 second address: 98FA48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 98FA48 second address: 98FA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 98FA54 second address: 98FA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 98FE5E second address: 98FE80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F0C34C21D8Eh 0x0000000e jmp 00007F0C34C21D8Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 98FFC5 second address: 98FFC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 98FFC9 second address: 98FFCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 98FFCD second address: 98FFD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 98FFD8 second address: 98FFEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C34C21D8Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 99016B second address: 99016F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 99016F second address: 9901B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C34C21D98h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jng 00007F0C34C21D86h 0x00000012 jmp 00007F0C34C21D8Eh 0x00000017 pop edx 0x00000018 push ecx 0x00000019 jng 00007F0C34C21D86h 0x0000001f pop ecx 0x00000020 jo 00007F0C34C21D8Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 990312 second address: 99031A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9904A8 second address: 9904AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9904AC second address: 9904D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F0C34E82BA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9904D0 second address: 9904D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9985C3 second address: 9985C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9985C7 second address: 9985CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9985CD second address: 9985EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BB1h 0x00000007 pushad 0x00000008 jc 00007F0C34E82BA6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 996E1D second address: 996E21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 996E21 second address: 996E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 996F77 second address: 996F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F0C34C21D99h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 996F9A second address: 996F9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 996F9E second address: 996FA8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 996FA8 second address: 996FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 9972A0 second address: 9972A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00616 second address: 6E006A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0C34E82BB1h 0x00000009 adc ax, 9D56h 0x0000000e jmp 00007F0C34E82BB1h 0x00000013 popfd 0x00000014 mov cx, 6EC7h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esi+10h], eax 0x0000001e pushad 0x0000001f movzx eax, di 0x00000022 popad 0x00000023 mov eax, dword ptr [ebx+50h] 0x00000026 jmp 00007F0C34E82BAEh 0x0000002b mov dword ptr [esi+14h], eax 0x0000002e jmp 00007F0C34E82BB0h 0x00000033 mov eax, dword ptr [ebx+54h] 0x00000036 jmp 00007F0C34E82BB0h 0x0000003b mov dword ptr [esi+18h], eax 0x0000003e pushad 0x0000003f mov esi, 384ECDDDh 0x00000044 mov dx, si 0x00000047 popad 0x00000048 mov eax, dword ptr [ebx+58h] 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F0C34E82BABh 0x00000052 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E006A5 second address: 6E006AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E006AB second address: 6E006E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+1Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F0C34E82BAFh 0x00000014 or ah, FFFFFFAEh 0x00000017 jmp 00007F0C34E82BB9h 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E006E7 second address: 6E00735 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+5Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ecx 0x00000011 pushfd 0x00000012 jmp 00007F0C34C21D8Fh 0x00000017 xor eax, 3B54E16Eh 0x0000001d jmp 00007F0C34C21D99h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00735 second address: 6E0073B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E0073B second address: 6E0073F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E0073F second address: 6E00743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00743 second address: 6E00762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+20h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0C34C21D92h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00762 second address: 6E007A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+60h] 0x0000000e jmp 00007F0C34E82BB4h 0x00000013 mov dword ptr [esi+24h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F0C34E82BB7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E007A0 second address: 6E007CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+64h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0C34C21D8Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E007CF second address: 6E00805 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+28h], eax 0x0000000c pushad 0x0000000d call 00007F0C34E82BACh 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 mov di, FF44h 0x00000019 popad 0x0000001a mov eax, dword ptr [ebx+68h] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00805 second address: 6E00809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00809 second address: 6E0080D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E0080D second address: 6E00813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00813 second address: 6E00818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00818 second address: 6E0083A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F0C34C21D93h 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esi+2Ch], eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E0083A second address: 6E0085B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov ax, word ptr [ebx+6Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F0C34E82BB2h 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E0085B second address: 6E00861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00861 second address: 6E00872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [esi+30h], ax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00872 second address: 6E008B9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0C34C21D8Dh 0x00000008 or ah, FFFFFFA6h 0x0000000b jmp 00007F0C34C21D91h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov cx, 3FD7h 0x00000017 popad 0x00000018 mov ax, word ptr [ebx+00000088h] 0x0000001f jmp 00007F0C34C21D8Ah 0x00000024 mov word ptr [esi+32h], ax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E008B9 second address: 6E008BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E008BD second address: 6E008C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E008C3 second address: 6E008E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+0000008Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov ecx, edx 0x00000014 mov ecx, ebx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E008E9 second address: 6E009BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+34h], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0C34C21D8Eh 0x00000013 sbb eax, 50FDFA38h 0x00000019 jmp 00007F0C34C21D8Bh 0x0000001e popfd 0x0000001f movzx eax, bx 0x00000022 popad 0x00000023 mov eax, dword ptr [ebx+18h] 0x00000026 jmp 00007F0C34C21D8Bh 0x0000002b mov dword ptr [esi+38h], eax 0x0000002e jmp 00007F0C34C21D96h 0x00000033 mov eax, dword ptr [ebx+1Ch] 0x00000036 jmp 00007F0C34C21D90h 0x0000003b mov dword ptr [esi+3Ch], eax 0x0000003e jmp 00007F0C34C21D90h 0x00000043 mov eax, dword ptr [ebx+20h] 0x00000046 pushad 0x00000047 push eax 0x00000048 pushfd 0x00000049 jmp 00007F0C34C21D8Dh 0x0000004e xor ax, 4B96h 0x00000053 jmp 00007F0C34C21D91h 0x00000058 popfd 0x00000059 pop esi 0x0000005a popad 0x0000005b mov dword ptr [esi+40h], eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F0C34C21D94h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E009BC second address: 6E009C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E009C2 second address: 6E00A0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0C34C21D8Ch 0x00000009 adc ecx, 72C5BE18h 0x0000000f jmp 00007F0C34C21D8Bh 0x00000014 popfd 0x00000015 movzx esi, di 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b lea eax, dword ptr [ebx+00000080h] 0x00000021 pushad 0x00000022 mov ebx, 1D9A85F4h 0x00000027 jmp 00007F0C34C21D8Dh 0x0000002c popad 0x0000002d push 00000001h 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 mov ah, C3h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00A0B second address: 6E00A5B instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0C34E82BAFh 0x00000008 sub cx, 983Eh 0x0000000d jmp 00007F0C34E82BB9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov edx, ecx 0x00000017 popad 0x00000018 nop 0x00000019 pushad 0x0000001a mov bx, si 0x0000001d mov eax, 5864459Bh 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F0C34E82BACh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00A5B second address: 6E00A61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00A61 second address: 6E00A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00A65 second address: 6E00A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00A69 second address: 6E00A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00A78 second address: 6E00A8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00B17 second address: 6E00B45 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov cx, AEE1h 0x0000000b popad 0x0000000c mov edi, eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 call 00007F0C34E82BB9h 0x00000016 pop esi 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00B45 second address: 6E00B4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00B4B second address: 6E00B8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edi, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ebx, 0F19CD20h 0x00000015 call 00007F0C34E82BB9h 0x0000001a pop esi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00B8C second address: 6E00BD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F0CA37508ABh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F0C34C21D8Dh 0x00000018 xor esi, 2F163986h 0x0000001e jmp 00007F0C34C21D91h 0x00000023 popfd 0x00000024 mov ax, 8B37h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00BD2 second address: 6E00BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C34E82BB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00BEE second address: 6E00C53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp-0Ch] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F0C34C21D94h 0x00000015 xor si, 29B8h 0x0000001a jmp 00007F0C34C21D8Bh 0x0000001f popfd 0x00000020 jmp 00007F0C34C21D98h 0x00000025 popad 0x00000026 mov dword ptr [esi+04h], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F0C34C21D8Ah 0x00000032 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00C53 second address: 6E00C62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00C62 second address: 6E00D5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+78h] 0x0000000c jmp 00007F0C34C21D8Eh 0x00000011 push 00000001h 0x00000013 jmp 00007F0C34C21D90h 0x00000018 nop 0x00000019 pushad 0x0000001a mov bx, cx 0x0000001d mov edx, ecx 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 call 00007F0C34C21D95h 0x00000027 call 00007F0C34C21D90h 0x0000002c pop eax 0x0000002d pop edi 0x0000002e pushfd 0x0000002f jmp 00007F0C34C21D90h 0x00000034 sub ax, ACC8h 0x00000039 jmp 00007F0C34C21D8Bh 0x0000003e popfd 0x0000003f popad 0x00000040 nop 0x00000041 pushad 0x00000042 pushfd 0x00000043 jmp 00007F0C34C21D94h 0x00000048 and eax, 32F02F28h 0x0000004e jmp 00007F0C34C21D8Bh 0x00000053 popfd 0x00000054 push eax 0x00000055 pushfd 0x00000056 jmp 00007F0C34C21D8Fh 0x0000005b sub esi, 4DFF386Eh 0x00000061 jmp 00007F0C34C21D99h 0x00000066 popfd 0x00000067 pop ecx 0x00000068 popad 0x00000069 lea eax, dword ptr [ebp-08h] 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f pushad 0x00000070 popad 0x00000071 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00D5A second address: 6E00DC8 instructions: 0x00000000 rdtsc 0x00000002 mov dx, E3FCh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007F0C34E82BB5h 0x0000000e or ah, 00000056h 0x00000011 jmp 00007F0C34E82BB1h 0x00000016 popfd 0x00000017 popad 0x00000018 nop 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F0C34E82BB3h 0x00000022 or ax, B08Eh 0x00000027 jmp 00007F0C34E82BB9h 0x0000002c popfd 0x0000002d mov ebx, ecx 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00DC8 second address: 6E00DCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00DCE second address: 6E00DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00DD2 second address: 6E00DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00DD6 second address: 6E00DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0C34E82BB2h 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00DF7 second address: 6E00DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00E7E second address: 6E00E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00E83 second address: 6E00EE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 8CA0h 0x00000007 jmp 00007F0C34C21D99h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [ebp-04h] 0x00000012 jmp 00007F0C34C21D8Eh 0x00000017 mov dword ptr [esi+08h], eax 0x0000001a pushad 0x0000001b push eax 0x0000001c call 00007F0C34C21D8Dh 0x00000021 pop eax 0x00000022 pop edx 0x00000023 movzx eax, dx 0x00000026 popad 0x00000027 lea eax, dword ptr [ebx+70h] 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F0C34C21D94h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00EE8 second address: 6E00F10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0C34E82BB5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00F10 second address: 6E00F7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F0C34C21D8Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov cx, bx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F0C34C21D93h 0x0000001b and cx, 83AEh 0x00000020 jmp 00007F0C34C21D99h 0x00000025 popfd 0x00000026 push esi 0x00000027 pop edi 0x00000028 popad 0x00000029 popad 0x0000002a nop 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov si, di 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00F7B second address: 6E00F98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34E82BAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-18h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00F98 second address: 6E00FFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 772Bh 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F0C34C21D99h 0x00000016 xor ax, 96A6h 0x0000001b jmp 00007F0C34C21D91h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F0C34C21D90h 0x00000027 sbb esi, 43DF7C48h 0x0000002d jmp 00007F0C34C21D8Bh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E00FFD second address: 6E0100E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 45h 0x00000005 mov ebx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E0100E second address: 6E01024 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E01024 second address: 6E0103B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0C34E82BB1h 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E01090 second address: 6E010DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0C34C21D93h 0x00000008 pop ecx 0x00000009 mov ax, dx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov edi, eax 0x00000011 jmp 00007F0C34C21D8Bh 0x00000016 test edi, edi 0x00000018 jmp 00007F0C34C21D96h 0x0000001d js 00007F0CA3750363h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 mov ebx, eax 0x00000028 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E010DD second address: 6E010F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, 6715h 0x0000000a popad 0x0000000b mov eax, dword ptr [ebp-14h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E010F1 second address: 6E0110E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C34C21D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E0110E second address: 6E01171 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0C34E82BB7h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, esi 0x0000000d jmp 00007F0C34E82BB5h 0x00000012 mov dword ptr [esi+0Ch], eax 0x00000015 jmp 00007F0C34E82BAEh 0x0000001a mov edx, 759B06ECh 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F0C34E82BB7h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E01171 second address: 6E01189 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C34C21D94h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E01189 second address: 6E011AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d jmp 00007F0C34E82BACh 0x00000012 lock cmpxchg dword ptr [edx], ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E011AC second address: 6E0121D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 movsx ebx, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d jmp 00007F0C34C21D98h 0x00000012 test eax, eax 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F0C34C21D8Eh 0x0000001b add esi, 17A7FE58h 0x00000021 jmp 00007F0C34C21D8Bh 0x00000026 popfd 0x00000027 push eax 0x00000028 push edx 0x00000029 pushfd 0x0000002a jmp 00007F0C34C21D96h 0x0000002f sbb cl, FFFFFFB8h 0x00000032 jmp 00007F0C34C21D8Bh 0x00000037 popfd 0x00000038 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E0121D second address: 6E01244 instructions: 0x00000000 rdtsc 0x00000002 mov edi, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jne 00007F0CA39B105Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov eax, edi 0x00000012 call 00007F0C34E82BB3h 0x00000017 pop esi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E01244 second address: 6E012D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 700344EBh 0x00000008 pushfd 0x00000009 jmp 00007F0C34C21D90h 0x0000000e adc ch, 00000078h 0x00000011 jmp 00007F0C34C21D8Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov edx, dword ptr [ebp+08h] 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F0C34C21D94h 0x00000024 xor ch, FFFFFFD8h 0x00000027 jmp 00007F0C34C21D8Bh 0x0000002c popfd 0x0000002d mov dx, cx 0x00000030 popad 0x00000031 mov eax, dword ptr [esi] 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F0C34C21D90h 0x0000003a adc cx, 9238h 0x0000003f jmp 00007F0C34C21D8Bh 0x00000044 popfd 0x00000045 mov di, si 0x00000048 popad 0x00000049 mov dword ptr [edx], eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F0C34C21D91h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E012D9 second address: 6E012DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E01412 second address: 6E01436 instructions: 0x00000000 rdtsc 0x00000002 mov dl, ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esi+1Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0C34C21D98h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exeRDTSC instruction interceptor: First address: 6E01436 second address: 6E0143C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Special instruction interceptor: First address: 9A2C1E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Code function: 0_2_06DD0A2E rdtsc
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | API coverage: 6.0 %
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe TID: 6784 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | File Volume queried: C:\ FullSizeInformation
Source: QeM0UAj5PK.exe, QeM0UAj5PK.exe, 00000000.00000002.2479121090.00000000008FD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: QeM0UAj5PK.exe, 00000000.00000003.2104897088.00000000015B1000.00000004.00000020.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000003.2105524632.00000000015B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: QeM0UAj5PK.exe, 00000000.00000002.2480531638.00000000015DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: QeM0UAj5PK.exe, 00000000.00000002.2479121090.00000000008FD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: QeM0UAj5PK.exe, 00000000.00000003.2107797553.0000000006671000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlM!
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Code function: 0_2_06E304B3 Start: 06E3050A End: 06E30480
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Code function: 0_2_06E4090F Start: 06E40BE0 End: 06E40952
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | File opened: NTICE
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | File opened: SICE
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Code function: 0_2_06DD0A2E rdtsc
Source: QeM0UAj5PK.exe, QeM0UAj5PK.exe, 00000000.00000002.2479121090.00000000008FD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: .CProgram Manager
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\QeM0UAj5PK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 2 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 24 Virtualization/Sandbox Evasion; 2 Process Injection; 1 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 751 Security Software Discovery; 24 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 214 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label
QeM0UAj5PK.exe | 63% | ReversingLabs | Win32.Trojan.Amadey
QeM0UAj5PK.exe | 69% | Virustotal |
QeM0UAj5PK.exe | 100% | Avira | TR/Crypt.TPM.Gen
QeM0UAj5PK.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
httpbin.org | 98.85.100.80 | true | false | | high
home.fivetk5ht.top | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://httpbin.org/ip | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp | QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://httpbin.org/ipbefore | QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851 | QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2480531638.000000000157E000.00000004.00000020.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2480531638.00000000015DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17345798516963 | QeM0UAj5PK.exe, 00000000.00000002.2480531638.000000000157E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17 | QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://upx.sf.net | Amcache.hve.4.dr | false | | high
https://curl.se/docs/alt-svc.html | QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | QeM0UAj5PK.exe, 00000000.00000003.2077297086.00000000070D6000.00000004.00001000.00020000.00000000.sdmp, QeM0UAj5PK.exe, 00000000.00000002.2478165405.000000000060D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851%- | QeM0UAj5PK.exe, 00000000.00000002.2480531638.00000000015DD000.00000004.00000020.00020000.00000000.sdmp | false | | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
98.85.100.80 | httpbin.org | United States | 11351 | TWC-11351-NORTHEASTUS | false

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579654
Start date and time: 2024-12-23 07:06:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: QeM0UAj5PK.exe
renamed because original name is a hash value
Original Sample Name: eef66f7ed3017bb63348c2887fba3211.exe
Detection: MAL
Classification: mal100.evad.winEXE@2/5@14/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.190.181.2, 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com

Time | Type | Description
01:07:22 | API Interceptor | 6x Sleep call for process: QeM0UAj5PK.exe modified
01:07:55 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

Match | Associated Sample Name / URL | Detection | Threat Name | Context
98.85.100.80 | 5JfTgoNUcB.exe | malicious | Clipboard Hijacker, Cryptbot |
98.85.100.80 | 7XioudDqb8.exe | malicious | Clipboard Hijacker, Cryptbot |
98.85.100.80 | gVMKOpATpQ.exe | malicious | Unknown |
98.85.100.80 | 5wgTw8pA13.exe | malicious | Clipboard Hijacker, Cryptbot |
98.85.100.80 | bwyUxrKbYN.exe | malicious | Clipboard Hijacker, Cryptbot |
98.85.100.80 | jDSFvyBr1P.exe | malicious | Unknown |
98.85.100.80 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc |
98.85.100.80 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
98.85.100.80 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig |
98.85.100.80 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | 5JfTgoNUcB.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | 7XioudDqb8.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | gVMKOpATpQ.exe | malicious | Unknown | 98.85.100.80
httpbin.org | Yda6AxtlVP.exe | malicious | Unknown | 34.226.108.155
httpbin.org | 2OJYjm4J1B.exe | malicious | Unknown | 34.226.108.155
httpbin.org | ze38hsiGOb.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | 5wgTw8pA13.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | bwyUxrKbYN.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | jDSFvyBr1P.exe | malicious | Unknown | 98.85.100.80
httpbin.org | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 98.85.100.80

Match | Associated Sample Name / URL | Detection | Threat Name | Context
TWC-11351-NORTHEASTUS | 5JfTgoNUcB.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | 7XioudDqb8.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | gVMKOpATpQ.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | 5wgTw8pA13.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | bwyUxrKbYN.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | jDSFvyBr1P.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | sh4.nn.elf | malicious | Mirai, Okiru | 67.253.209.186
TWC-11351-NORTHEASTUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 98.85.100.80
TWC-11351-NORTHEASTUS | nshkarm7.elf | malicious | Mirai | 137.124.179.226
TWC-11351-NORTHEASTUS | mips.elf | malicious | Mirai, Moobot | 98.1.212.38

No context
No context

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9431223594006252
Encrypted: false
SSDEEP: 192:wtL7tY0BU/Aju0ZrPMtwzuiFLZ24IO87:uPtzBU/Aj5zuiFLY4IO87
MD5: 91C8539E88709AD5A4A61FE3F7781D17
SHA1: 58D85AD460AE6736BBA27F15827BA01A16AB32B0
SHA-256: 673EAFA3D74E66B4DCCB54D88E25C3D96721504601920389BBE20FD421AAEC1C
SHA-512: 2D0555365389E5D03BCC52336A428430F9ADFCFF49FFEEB16942E739A5922170F69707AEC47AE62E8C66E0C5BAAD21A6410AD090265185C4597BDD421EBEDA3B
Malicious: true
Reputation: low
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 15 streams, Mon Dec 23 06:07:25 2024, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):216834
                                                      Entropy (8bit):1.3806884949703513
                                                      Encrypted:false
                                                      SSDEEP:384:T9pt7D0EqP0D/vctozJ5ftFYkJk68D1mNjLQAwpKeM0m+l5x6Bkzhj4u1cmoxcQK:TXt7D0EqM7/fsS/Dd/+lRPAYjr
                                                      MD5:3EBF9AEBE5E3D1CA83675E005E24C5B6
                                                      SHA1:C7172B335AD8731DC75602D2EA05C639664D548A
                                                      SHA-256:1E3F1916106AE193B72D5225B51F71AB3304B878476913984D47D3CCE4E7758C
                                                      SHA-512:B824D83D2713397CCB9E6E10DF6BCA9B69E712B7845532529336048400B5F4B83287896911768511DC28C586DE6DD9AD299F468C2E74DB9E93DA04A655907357
                                                      Malicious:false
                                                      Reputation:low
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8352
                                                      Entropy (8bit):3.7036205695375406
                                                      Encrypted:false
                                                      SSDEEP:192:R6l7wVeJUYjN6p776YEIBSU967gmfsbOyprF89bDW3SsfyLW5Mm:R6lXJUSN6x6YEuSU967gmfsbOdDW3Rfv
                                                      MD5:99680A254B826FED60E64CFA28BBE4B3
                                                      SHA1:4C6D7FF5478A536C1F0C1DD04C41DC52A6A8EE11
                                                      SHA-256:EB9179246B44C5AF77C4DCB1484C39E64BE27387B1BD6BC89FEBC58032CA9914
                                                      SHA-512:C3ABAE18542181F3C618ED7EC7EEDF032845F316AA3874EA3B15CFAC298BBA079A913CD0FDF540628EFE96BDAC9B3AC000C4B265EE184C4E0BAF0E51D4E543FE
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.2.4.<./.P.i.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4594
                                                      Entropy (8bit):4.479390497768082
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwWl8zsnRJg77aI9qGOFnWpW8VYyYm8M4JT5FHm+q8G0UgMBwzudd:uIjfnjI7Z0W7VOJuKBzudd
                                                      MD5:5F513B4BF656D0DB3132923D7C8E42AD
                                                      SHA1:1205C1BCE3F4FB8C5EB5CF2A7EE7EB15D55A9FB7
                                                      SHA-256:11548DE9A8EF90E91540AA57E44DDA1DEE00533F86D682DFDE041CD8BC611BFB
                                                      SHA-512:32A546340F3EBC6289509D238A8B9F4AF57919462569DF9823CDF07A0A2D2B56C45D7DB57800E5AB983D6ABB472E78A82F24FEC0BCA461D3C9076FB2C7F8A5BB
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643510" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:MS Windows registry file, NT/2000 or above
                                                      Category:dropped
                                                      Size (bytes):1835008
                                                      Entropy (8bit):4.421560335964115
                                                      Encrypted:false
                                                      SSDEEP:6144:6Svfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN+0uhiTw:pvloTMW+EZMM6DFyg03w
                                                      MD5:68989205992C876B3901F8C28DD2A945
                                                      SHA1:EFFBAB5960A7DCEE7E1558C3B6BA942CB4FEC531
                                                      SHA-256:887DAFA0576945DD67FA1B2A62D262E4C1E71D2C731E9AA336C33CDC1E506480
                                                      SHA-512:E407DD41E4C824FB55BB773242696FD9E4EF32411723B8E10198BE2183627A024764EB347EAC838F09EAB895C55BA58B2EE2B2AF3BDACAF6156D9A1B9FDEA0F8
                                                      Malicious:false
                                                      Reputation:low
                                                      File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                      Entropy (8bit):7.986349141596119
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • VXD Driver (31/22) 0.00%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:QeM0UAj5PK.exe
                                                      File size:4'455'424 bytes
                                                      MD5:eef66f7ed3017bb63348c2887fba3211
                                                      SHA1:b018c6372cf4bfe76f1a82625bf41d0dc4aeac87
                                                      SHA256:2c739c3abb40ea9befaa9a095bf529c54c7934659ef0c963bd90653c2459869c
                                                      SHA512:cae7fe33c3e578383aa22c22712bb6a98f77b58b583cfac9df3c66104f610b9f56fe73087605a96baa88a8142be6863c0f79a8dc559a775cbf6f1150e626f41f
                                                      SSDEEP:98304:xi5tVLP5iqsjhf7qmNiG/LaaW7R8BSleLXPzG+RP8Pkr:xetPGpGmIaL+7KSeLXPztRU8r
                                                      TLSH:CE2633005DCAE73EF99B28B1238A364749D65AC0CF27BD335A504D26092FD2C6DD7AD8
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...0.......pH...@..........................`........D...@... ............................
                                                      Icon Hash:00928e8e8686b000
                                                      Entrypoint:0x1083000
                                                      Entrypoint Section:.taggant
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                      DLL Characteristics:DYNAMIC_BASE
                                                      Time Stamp:0x67639809 [Thu Dec 19 03:50:33 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                      Instruction
                                                      jmp 00007F0C34D50DEAh
| Name | Virtual Address | Virtual Size | Is in Section |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74705f | 0x73 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x746000 | 0x1ac | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc81164 | 0x10 | glsblkrs |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc81114 | 0x18 | glsblkrs |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| | 0x1000 | 0x745000 | 0x284c00 | e3d823777f6071c38a99733039007865 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x746000 | 0x1ac | 0x200 | 3337c3ba8c6b63dffa782dfd9989661a | False | 0.580078125 | data | 4.580529645165472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x747000 | 0x1000 | 0x200 | e84636d45557e74dadd0f14f36394655 | False | 0.166015625 | data | 1.1471680400846989 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x748000 | 0x382000 | 0x200 | bbbeb5baf217869f3fd2a0ca3f1276e8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| glsblkrs | 0xaca000 | 0x1b8000 | 0x1b7400 | 86794d8e795b2fd3815ef91b7482706b | False | 0.9944007452333523 | data | 7.954343742162055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| igcnuqxg | 0xc82000 | 0x1000 | 0x400 | 7558ad3226a7d81ae39e8cf22092acd5 | False | 0.7451171875 | data | 5.845917083048289 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .taggant | 0xc83000 | 0x3000 | 0x2200 | 23c5980a3e6e9bc86933cd29411ad710 | False | 0.06502757352941177 | DOS executable (COM) | 0.7465676290497293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| RT_MANIFEST | 0xc81174 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402 |
| DLL | Import |
| kernel32.dll | lstrcpy |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| Dec 23, 2024 07:07:19.138396978 CET | 192.168.2.5 | 1.1.1.1 | 0xecf8 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:19.138551950 CET | 192.168.2.5 | 1.1.1.1 | 0xdd15 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:22.250968933 CET | 192.168.2.5 | 1.1.1.1 | 0x7005 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:22.251111031 CET | 192.168.2.5 | 1.1.1.1 | 0x7811 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:23.971957922 CET | 192.168.2.5 | 1.1.1.1 | 0xf5c | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:23.972093105 CET | 192.168.2.5 | 1.1.1.1 | 0x4d58 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.280405998 CET | 192.168.2.5 | 1.1.1.1 | 0x622e | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.280538082 CET | 192.168.2.5 | 1.1.1.1 | 0xfb40 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.674685001 CET | 192.168.2.5 | 1.1.1.1 | 0xfa0 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.674865007 CET | 192.168.2.5 | 1.1.1.1 | 0x86d6 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.983198881 CET | 192.168.2.5 | 1.1.1.1 | 0x11c0 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.983313084 CET | 192.168.2.5 | 1.1.1.1 | 0x90de | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:25.291332006 CET | 192.168.2.5 | 1.1.1.1 | 0xa5e3 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:25.291440964 CET | 192.168.2.5 | 1.1.1.1 | 0x135e | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 23, 2024 07:07:19.276416063 CET | 1.1.1.1 | 192.168.2.5 | 0xecf8 | No error (0) | httpbin.org | | 98.85.100.80 | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:19.276416063 CET | 1.1.1.1 | 192.168.2.5 | 0xecf8 | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:23.541323900 CET | 1.1.1.1 | 192.168.2.5 | 0x7005 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:23.541363001 CET | 1.1.1.1 | 192.168.2.5 | 0x7811 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.111779928 CET | 1.1.1.1 | 192.168.2.5 | 0x4d58 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.111809969 CET | 1.1.1.1 | 192.168.2.5 | 0xf5c | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.418301105 CET | 1.1.1.1 | 192.168.2.5 | 0x622e | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.418317080 CET | 1.1.1.1 | 192.168.2.5 | 0xfb40 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.811753035 CET | 1.1.1.1 | 192.168.2.5 | 0xfa0 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:24.811844110 CET | 1.1.1.1 | 192.168.2.5 | 0x86d6 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:25.121886015 CET | 1.1.1.1 | 192.168.2.5 | 0x90de | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:25.121963024 CET | 1.1.1.1 | 192.168.2.5 | 0x11c0 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:07:25.428725004 CET | 1.1.1.1 | 192.168.2.5 | 0x135e | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false |
| Dec 23, 2024 07:07:25.428812027 CET | 1.1.1.1 | 192.168.2.5 | 0xa5e3 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false |

• httpbin.org

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49704 | 98.85.100.80 | 443 | 4324 | C:\Users\user\Desktop\QeM0UAj5PK.exe |

Timestamp: 2024-12-23 06:07:21 UTC, Bytes transferred: 52, Direction: OUT, Data:
GET /ip HTTP/1.1
Host: httpbin.org
Accept: */*

Timestamp: 2024-12-23 06:07:21 UTC, Bytes transferred: 224, Direction: IN, Data:
HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:07:21 GMT
Content-Type: application/json
Content-Length: 31
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

Timestamp: 2024-12-23 06:07:21 UTC, Bytes transferred: 31, Direction: IN, Data:
Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
Data Ascii: { "origin": "8.46.123.189"}



                                                      Target ID:0
                                                      Start time:01:07:14
                                                      Start date:23/12/2024
                                                      Path:C:\Users\user\Desktop\QeM0UAj5PK.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\QeM0UAj5PK.exe"
                                                      Imagebase:0x30000
                                                      File size:4'455'424 bytes
                                                      MD5 hash:EEF66F7ED3017BB63348C2887FBA3211
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:01:07:24
                                                      Start date:23/12/2024
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1132
                                                      Imagebase:0xe20000
                                                      File size:483'680 bytes
                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:0.2%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:122
                                                        Total number of Limit Nodes:1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 6df044b-6df048f 3 6df0496-6df04b3 GetLogicalDrives 0->3 5 6df04c1-6df0712 3->5 34 6df0715-6df0716 5->34 35 6df0729-6df0752 34->35 38 6df0717-6df0727 35->38 39 6df0754-6df0755 35->39 38->35 39->34 40 6df0757-6df07f4 call 6df07ed 39->40 48 6df0801 40->48 48->48
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE(?,?), ref: 06DF04AC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482177238.0000000006DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6df0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\
                                                        • API String ID: 999431828-3379428675

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 49 6df04f3-6df04f7 50 6df04bc-6df04ee 49->50 51 6df04f9-6df0712 49->51 50->51 80 6df0715-6df0716 51->80 81 6df0729-6df0752 80->81 84 6df0717-6df0727 81->84 85 6df0754-6df0755 81->85 84->81 85->80 86 6df0757-6df07f4 call 6df07ed 85->86 94 6df0801 86->94 94->94
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482177238.0000000006DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6df0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\
                                                        • API String ID: 0-3379428675

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 95 6df04cc-6df04cd 96 6df04cf 95->96 97 6df046c-6df04b3 GetLogicalDrives 95->97 99 6df04d1-6df0712 96->99 105 6df04c1-6df04c6 97->105 130 6df0715-6df0716 99->130 105->99 131 6df0729-6df0752 130->131 134 6df0717-6df0727 131->134 135 6df0754-6df0755 131->135 134->131 135->130 136 6df0757-6df07f4 call 6df07ed 135->136 144 6df0801 136->144 144->144
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE(?,?), ref: 06DF04AC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482177238.0000000006DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6df0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\
                                                        • API String ID: 999431828-3379428675

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 145 6df0480-6df0481 146 6df04cf 145->146 147 6df0483-6df048f 145->147 149 6df04d1-6df0712 146->149 153 6df0496-6df04b3 GetLogicalDrives 147->153 181 6df0715-6df0716 149->181 157 6df04c1-6df04c6 153->157 157->149 182 6df0729-6df0752 181->182 185 6df0717-6df0727 182->185 186 6df0754-6df0755 182->186 185->182 186->181 187 6df0757-6df07f4 call 6df07ed 186->187 195 6df0801 187->195 195->195
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE(?,?), ref: 06DF04AC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482177238.0000000006DF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6df0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\
                                                        • API String ID: 999431828-3379428675

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 196 6e400c8-6e400d6 197 6e40103-6e40109 196->197 198 6e400d8-6e400e9 call 6e400f4 196->198 199 6e400ea-6e400f6 197->199 200 6e4010b-6e4010d 197->200 198->199 203 6e4010f-6e40204 call 6e40216 199->203 200->203 219 6e40206-6e4020c 203->219 220 6e40231 203->220 221 6e40212-6e4021d 219->221 220->221 222 6e40233 220->222 221->220 223 6e40235-6e40434 221->223 222->223 250 6e4043f-6e40446 Process32NextW 223->250 251 6e4045c-6e4054e call 6e40550 250->251
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 263 6e40181-6e40182 264 6e40184-6e401cd 263->264 265 6e401d0-6e401d5 263->265 267 6e401d8-6e40204 call 6e40216 264->267 265->267 275 6e40206-6e4020c 267->275 276 6e40231 267->276 278 6e40212-6e4021d 275->278 276->278 279 6e40233 276->279 278->276 280 6e40235-6e40434 278->280 279->280 307 6e4043f-6e40446 Process32NextW 280->307 308 6e4045c-6e4054e call 6e40550 307->308
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 320 6e400fb-6e40109 321 6e400ea-6e400f6 320->321 322 6e4010b-6e4010d 320->322 324 6e4010f-6e40204 call 6e40216 321->324 322->324 339 6e40206-6e4020c 324->339 340 6e40231 324->340 341 6e40212-6e4021d 339->341 340->341 342 6e40233 340->342 341->340 343 6e40235-6e40434 341->343 342->343 370 6e4043f-6e40446 Process32NextW 343->370 371 6e4045c-6e4054e call 6e40550 370->371
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 383 6e400f4-6e40204 call 6e40216 399 6e40206-6e4020c 383->399 400 6e40231 383->400 401 6e40212-6e4021d 399->401 400->401 402 6e40233 400->402 401->400 403 6e40235-6e40434 401->403 402->403 430 6e4043f-6e40446 Process32NextW 403->430 431 6e4045c-6e4054e call 6e40550 430->431
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 443 6e40122-6e40204 call 6e40216 458 6e40206-6e4020c 443->458 459 6e40231 443->459 460 6e40212-6e4021d 458->460 459->460 461 6e40233 459->461 460->459 462 6e40235-6e40434 460->462 461->462 489 6e4043f-6e40446 Process32NextW 462->489 490 6e4045c-6e4054e call 6e40550 489->490
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 502 6e40147-6e40204 call 6e40216 516 6e40206-6e4020c 502->516 517 6e40231 502->517 518 6e40212-6e4021d 516->518 517->518 519 6e40233 517->519 518->517 520 6e40235-6e40434 518->520 519->520 547 6e4043f-6e40446 Process32NextW 520->547 548 6e4045c-6e4054e call 6e40550 547->548
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 560 6e40151-6e40204 call 6e40216 574 6e40206-6e4020c 560->574 575 6e40231 560->575 576 6e40212-6e4021d 574->576 575->576 577 6e40233 575->577 576->575 578 6e40235-6e40434 576->578 577->578 605 6e4043f-6e40446 Process32NextW 578->605 606 6e4045c-6e4054e call 6e40550 605->606
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 618 6e40163-6e40204 call 6e40216 629 6e40206-6e4020c 618->629 630 6e40231 618->630 631 6e40212-6e4021d 629->631 630->631 632 6e40233 630->632 631->630 633 6e40235-6e40434 631->633 632->633 660 6e4043f-6e40446 Process32NextW 633->660 661 6e4045c-6e4054e call 6e40550 660->661
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 673 6e4018e-6e40204 call 6e40216 683 6e40206-6e4020c 673->683 684 6e40231 673->684 685 6e40212-6e4021d 683->685 684->685 686 6e40233 684->686 685->684 687 6e40235-6e40434 685->687 686->687 714 6e4043f-6e40446 Process32NextW 687->714 715 6e4045c-6e4054e call 6e40550 714->715
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 727 6e401ad-6e401af 729 6e401b1 727->729 730 6e401bb-6e401c2 727->730 731 6e401b3-6e401c2 729->731 732 6e4014b-6e401ba 729->732 733 6e401c7-6e40204 call 6e40216 730->733 731->733 732->730 742 6e40206-6e4020c 733->742 743 6e40231 733->743 745 6e40212-6e4021d 742->745 743->745 746 6e40233 743->746 745->743 747 6e40235-6e40434 745->747 746->747 777 6e4043f-6e40446 Process32NextW 747->777 778 6e4045c-6e4054e call 6e40550 777->778
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 790 6e4019d-6e40204 call 6e40216 799 6e40206-6e4020c 790->799 800 6e40231 790->800 801 6e40212-6e4021d 799->801 800->801 802 6e40233 800->802 801->800 803 6e40235-6e40434 801->803 802->803 830 6e4043f-6e40446 Process32NextW 803->830 831 6e4045c-6e4054e call 6e40550 830->831
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        APIs
                                                        • Process32NextW.KERNEL32(00000049,00000049,00000049,?), ref: 06E40441
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: NextProcess32
                                                        • String ID:
                                                        • API String ID: 1850201408-0
                                                        APIs
                                                        • Process32NextW.KERNEL32(00000049,00000049,00000049,?), ref: 06E40441
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: NextProcess32
                                                        • String ID:
                                                        • API String ID: 1850201408-0
                                                        APIs
                                                        • Process32NextW.KERNEL32(00000049,00000049,00000049,?), ref: 06E40441
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: NextProcess32
                                                        • String ID:
                                                        • API String ID: 1850201408-0
                                                        APIs
                                                        • Process32NextW.KERNEL32(00000049,00000049,00000049,?), ref: 06E40441
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: NextProcess32
                                                        • String ID:
                                                        • API String ID: 1850201408-0
                                                        APIs
                                                        • Process32NextW.KERNEL32(00000049,00000049,00000049,?), ref: 06E40441
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: NextProcess32
                                                        • String ID:
                                                        • API String ID: 1850201408-0
                                                        APIs
                                                        • Process32NextW.KERNEL32(00000049,00000049,00000049,?), ref: 06E40441
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: NextProcess32
                                                        • String ID:
                                                        • API String ID: 1850201408-0
                                                        APIs
                                                        • Process32NextW.KERNEL32(00000049,00000049,00000049,?), ref: 06E40441
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: NextProcess32
                                                        • String ID:
                                                        • API String ID: 1850201408-0
                                                        APIs
                                                        • Process32NextW.KERNEL32(00000049,00000049,00000049,?), ref: 06E40441
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: NextProcess32
                                                        • String ID:
                                                        • API String ID: 1850201408-0
                                                        APIs
                                                        • Process32NextW.KERNEL32(00000049,00000049,00000049,?), ref: 06E40441
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: NextProcess32
                                                        • String ID:
                                                        • API String ID: 1850201408-0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-0000001D,-0000001D,4B948B45,4532390F), ref: 06E303BD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482279792.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e30000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID:
                                                        • API String ID: 2623510744-0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-0000001D,-0000001D,4B948B45,4532390F), ref: 06E303BD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482279792.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e30000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID:
                                                        • API String ID: 2623510744-0
                                                        APIs
                                                        • Process32NextW.KERNEL32(00000049,00000049,00000049,?), ref: 06E40441
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: NextProcess32
                                                        • String ID:
                                                        • API String ID: 1850201408-0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-0000001D,-0000001D,4B948B45,4532390F), ref: 06E303BD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482279792.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e30000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID:
                                                        • API String ID: 2623510744-0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-0000001D,-0000001D,4B948B45,4532390F), ref: 06E303BD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482279792.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e30000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID:
                                                        • API String ID: 2623510744-0
                                                        • Opcode ID: 7bd90bf3807b1601526cb49e7ade386fb263c5b455064f93e38b1e48f245378e
                                                        • Instruction ID: 934cb1d9accb51df1c6aae9abf937964294c3fc37524e273f331c01affe26245
                                                        • Opcode Fuzzy Hash: 7bd90bf3807b1601526cb49e7ade386fb263c5b455064f93e38b1e48f245378e
                                                        • Instruction Fuzzy Hash: 2B21D8EB28D231BD728291912F6CEFA572EE4E6B70331D426F807C6546E2C44F5E90B1
                                                        APIs
                                                        • Process32NextW.KERNEL32(00000049,00000049,00000049,?), ref: 06E40441
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID: NextProcess32
                                                        • String ID:
                                                        • API String ID: 1850201408-0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Instruction ID: 4a9d9514063c37dabbc96099c84481c31e90b0f60e9104d3dce4f4657cdc4168
                                                        • Opcode Fuzzy Hash: 66bbe113ec7f345cedbc9aa9f10a23a4603681c234866adb8a16d4d87573d1f2
                                                        • Instruction Fuzzy Hash: 2ED1F4EB54C110BDF382A9816B54BFA6B7EE7D7330F308026F487D6642E2D88B4955B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a53cac8d38f53609f38c1956ec8ecb8ae40dfb1a8ea449ddcf70a8d15327b2e8
                                                        • Instruction ID: 928858ae559ef9ad464f419a5a732b5d03134045d4fcbedc57953cbc3079aea4
                                                        • Opcode Fuzzy Hash: a53cac8d38f53609f38c1956ec8ecb8ae40dfb1a8ea449ddcf70a8d15327b2e8
                                                        • Instruction Fuzzy Hash: 2FD1E4EB54C111BDF382A9816B54BFA6B7EE7D7330F308026F887D6642E2D48A4951B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cae65979d584e9e01585ff4c605ab30116a35986147863442cbd00c31ac0235e
                                                        • Instruction ID: 92ed592106abc4d1004a15aab5c8fcccbca8eb7d437c68b8000a9cbf1d15fd89
                                                        • Opcode Fuzzy Hash: cae65979d584e9e01585ff4c605ab30116a35986147863442cbd00c31ac0235e
                                                        • Instruction Fuzzy Hash: 66D1F4EB54C114BDF382A9816B54BFA6B7EE7D6330F308026F487E6642E2D48B4D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 866df4215f3478d1775b10fc904f0d6abf79a52354790f1c15b76d60aaad1512
                                                        • Instruction ID: f2d7a8c5f817ba297a2aeafb51c997dcb5a15ea97353720f0acbd4442fe391c1
                                                        • Opcode Fuzzy Hash: 866df4215f3478d1775b10fc904f0d6abf79a52354790f1c15b76d60aaad1512
                                                        • Instruction Fuzzy Hash: D8D1F4EB54C110BDF382A9816B54BFA6B7EE7D6330F308026F487D6642E2D88B4D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bbda9de4da27c55ff796b9c06a8611a297c2ef0a83be7899053c0b08016ba039
                                                        • Instruction ID: 1c6d70b2e4679a5ccaa16f185c19bfa678fff6f974df14b48d348191b972dfae
                                                        • Opcode Fuzzy Hash: bbda9de4da27c55ff796b9c06a8611a297c2ef0a83be7899053c0b08016ba039
                                                        • Instruction Fuzzy Hash: A3D1F5EB54C110BDF382A9816B54BFA6B7EE7D7330F308026F487D6642E2D48A4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1b6b819a4d67e8865eddb4e3471d8dc33e2fe819e863ea5a6e8dc02ea6b22a8c
                                                        • Instruction ID: 15051c67e8840074ce645cd12ac3a64c8cd56d1a7e996ed093c58f02ceff9793
                                                        • Opcode Fuzzy Hash: 1b6b819a4d67e8865eddb4e3471d8dc33e2fe819e863ea5a6e8dc02ea6b22a8c
                                                        • Instruction Fuzzy Hash: A2D1F5EB54C110BDF382A9816B54BFAAB7EE7D7330F308026F447D6642E2E48A4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 903668a593dc0f913f1c9c12a0f925936c327c62d4d600f3f48531f6d176ad1a
                                                        • Instruction ID: a32924cc492a791c9ca9846ef768ba389b48fabfb1a047152e6f29c72f84320a
                                                        • Opcode Fuzzy Hash: 903668a593dc0f913f1c9c12a0f925936c327c62d4d600f3f48531f6d176ad1a
                                                        • Instruction Fuzzy Hash: 2FC1F5EB54C110BDF382A9816B54BFAAB7EE7D7330F308026F447E6642E2D48A4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 748c13314056d4f6b5ec8dc51499656c03de8e0eaa9e18cfe72227d2abd1444c
                                                        • Instruction ID: c849c17474c44ec3e3917572a49ca1bad7620319366cc5ee7a9a48b8976dfb95
                                                        • Opcode Fuzzy Hash: 748c13314056d4f6b5ec8dc51499656c03de8e0eaa9e18cfe72227d2abd1444c
                                                        • Instruction Fuzzy Hash: C6C116EB54C100BDF382AD816B54BFA6B7EE7D7730F308026F447E6642E2E48A4955B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ce82090fe806b253d69ad26eda49024790e2f9a7508ac82dfc6620b4a6f61a87
                                                        • Instruction ID: 15aa199ffd92fda8e59cc1e20c967e66658cb54e13081981788ead5e049df474
                                                        • Opcode Fuzzy Hash: ce82090fe806b253d69ad26eda49024790e2f9a7508ac82dfc6620b4a6f61a87
                                                        • Instruction Fuzzy Hash: 11C105EB44C110BDF382A9816B54BFAAB7EE7D7330F308026F447D6642E2E48A4955B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d2ebeb4ec9d159808519893edff3e7c6a81131050854b34d34a00d5b05389118
                                                        • Instruction ID: 0a670cbcbb89859d2f78ec63df6722acf1001222a09992271e612ef107c8ff3f
                                                        • Opcode Fuzzy Hash: d2ebeb4ec9d159808519893edff3e7c6a81131050854b34d34a00d5b05389118
                                                        • Instruction Fuzzy Hash: 91C118EB54C100BDF382A9816B54BFA677EE7D7330F308026F447E6642E2D48A4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c45e2b267425e6e8b3b1bac9371314dcb63cdea2b8bdc2c8f807083c74338f53
                                                        • Instruction ID: 662faa38f6c48e8b00075532168fdbad63d2209fc2ec607bab0adc7b146cde47
                                                        • Opcode Fuzzy Hash: c45e2b267425e6e8b3b1bac9371314dcb63cdea2b8bdc2c8f807083c74338f53
                                                        • Instruction Fuzzy Hash: 8AC105EB54C110BDF382AD816B54BFAAB7EE7D7330F308026F447D6642E2E48A4955B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c536d2ae4fdec814ab435e185e24632aef6aeb1a3ec6065cfceeae76e56b52e4
                                                        • Instruction ID: 642e864bf8a7c0ddc7862dd417edfe49d6d3e33987c40694b26b8a915414d306
                                                        • Opcode Fuzzy Hash: c536d2ae4fdec814ab435e185e24632aef6aeb1a3ec6065cfceeae76e56b52e4
                                                        • Instruction Fuzzy Hash: 65C1F5EB54C110BDF382A9816B54BFA6B7EE7D7330F308026F487E6642E2D48A4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eca3a04a5f33834e0761bb7ada47fc356b86610c20d1c85f98fc754c5a258c50
                                                        • Instruction ID: 5f9bdd45a1652f8cb1bdcec4cad20d4fd13275be29218afb2452a9014db223b3
                                                        • Opcode Fuzzy Hash: eca3a04a5f33834e0761bb7ada47fc356b86610c20d1c85f98fc754c5a258c50
                                                        • Instruction Fuzzy Hash: 3CC1F6EB54C100BDF382AD816B54BFA6B7EF7D6330F308026F447E6642E2E48A4955B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b45c3d1271da014990b42a3e3eb676075f59f80fc5ada7054cc4d686ae3df5fa
                                                        • Instruction ID: 14e645aa67ea95e4f84cace7e93a43ee9a7cd23fd0aeea37fa2c11e9ff1c96a4
                                                        • Opcode Fuzzy Hash: b45c3d1271da014990b42a3e3eb676075f59f80fc5ada7054cc4d686ae3df5fa
                                                        • Instruction Fuzzy Hash: 37C116EB44C100BDF382A9816B54BFAAB7EE7D6330F308026F447E6642E2D48B4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 09c348a1c076717bcf54c457cc3b7817315b485840356f3d85fc68b5af21ccdb
                                                        • Instruction ID: ef43790270313e9d2cfbbe1e4c4caec4d5c88a14a6a9e83273e76cb2c1b2c215
                                                        • Opcode Fuzzy Hash: 09c348a1c076717bcf54c457cc3b7817315b485840356f3d85fc68b5af21ccdb
                                                        • Instruction Fuzzy Hash: 2FB1E5EB44C104BDF382A9816B54BFAA77EE7D6330F308026F447E6642E2D48B4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5424068f92d86ac4a5f99092803e6a8755c07c66641156a848d4cc0793c2c72f
                                                        • Instruction ID: b2c20cd9023dcd95aaa8509918658e071a5a72872aac6a6e19eed0aae2cbef47
                                                        • Opcode Fuzzy Hash: 5424068f92d86ac4a5f99092803e6a8755c07c66641156a848d4cc0793c2c72f
                                                        • Instruction Fuzzy Hash: E2B105EB44C100BDF382A9816B54BFAA77EE7D6330F308026F447E6642E2D48B4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dfea4a4e48327f284856952122541fc48c44426f9ed9fae7dc0f88f571f42b5f
                                                        • Instruction ID: ef4c5aa2f8d6560d97bf5e102f386ddc67301488f452d4336f33efb195b9286a
                                                        • Opcode Fuzzy Hash: dfea4a4e48327f284856952122541fc48c44426f9ed9fae7dc0f88f571f42b5f
                                                        • Instruction Fuzzy Hash: 23B1F4EB54C104BDF382A9816B54BFAA77EE7D6330F308026F447E6642E2D48B4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5980041a80ee6beb5802913f4b9024a212be7780d73104b467a1b7e5c6028952
                                                        • Instruction ID: d42665d5d3fe0441dea007fa7b57d2c7151084490349004b4dea31fdceefe639
                                                        • Opcode Fuzzy Hash: 5980041a80ee6beb5802913f4b9024a212be7780d73104b467a1b7e5c6028952
                                                        • Instruction Fuzzy Hash: DEB1F6EB44C114BDF382A9816B54BFAA77EE7D6330F308026F847E6642E2D48B4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ebf1b3c05df12b0b482a8ea2f3d736de1d95fface09ae3ab22f56a102b8ed4d4
                                                        • Instruction ID: a45277882a8facc045ea0b114488da5b100fc9c85ea8bd45bb8e05df4ae81294
                                                        • Opcode Fuzzy Hash: ebf1b3c05df12b0b482a8ea2f3d736de1d95fface09ae3ab22f56a102b8ed4d4
                                                        • Instruction Fuzzy Hash: 2BB1F6EB44C110BDF382A9816B54BFAAB7EE7D6330F308026F847D6642E2D48B4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: df32ed9c8f06474b9eedb98cdbf5c984e1159d4d0a5d5d7d9e5204873b77b8d1
                                                        • Instruction ID: e530f4e70073b28d3a6a024206547268a133112ab1c742f2bd5bb1f0dc5a9680
                                                        • Opcode Fuzzy Hash: df32ed9c8f06474b9eedb98cdbf5c984e1159d4d0a5d5d7d9e5204873b77b8d1
                                                        • Instruction Fuzzy Hash: C3A1E6EB54C110BDF382A9816B54BFAA77EE7D6330F308026F847D5642E2D88B4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f05f699ed7e0e1201f873b959a4a391cefc0dab46cb33e43e875f59e743d49ca
                                                        • Instruction ID: b86cba3a22fc724346144b664ddd85bc2002229be32e53f13c0f192cfed52d12
                                                        • Opcode Fuzzy Hash: f05f699ed7e0e1201f873b959a4a391cefc0dab46cb33e43e875f59e743d49ca
                                                        • Instruction Fuzzy Hash: 6EA105EB44C110BDB382A9816B54AFA6B7EE7D7330F308026F887D6642E2D48B4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 681e1bf800a7a173ddd30955ad17fad6c8a045326b18a0318078d8576eafd205
                                                        • Instruction ID: 4b01d4cd56b9577e8c8c817f30c99ffa5074f7e89114f28075391cb21a163cee
                                                        • Opcode Fuzzy Hash: 681e1bf800a7a173ddd30955ad17fad6c8a045326b18a0318078d8576eafd205
                                                        • Instruction Fuzzy Hash: A8A1F5EB44C110BDB382A9816B54BFAA77EE7D6730F308026F847E6642E2D48B4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3fe2c625e1390c3d7b158ea1222bfeaf6c0effa520d8415b1577f141f0b2fd19
                                                        • Instruction ID: 5facfa50fe2e3119f799ee731fb8307d09bbc586160942105900937d0ca39fa7
                                                        • Opcode Fuzzy Hash: 3fe2c625e1390c3d7b158ea1222bfeaf6c0effa520d8415b1577f141f0b2fd19
                                                        • Instruction Fuzzy Hash: 8BA108EB54C110BDB382AD816B54AFAAB7EE6D7730F308026F847D6642E2D48B4D15F1
                                                        • Opcode Fuzzy Hash: 87fa252a40fc2565a97edfef176bee090c75ef2191b0fe32809466be6b2e068b
                                                        • Instruction Fuzzy Hash: E4518EEB14C115BDB382A9816B54EFBA77EE6D7730B308426F887D2642E2D48F4D11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 48caeb50bee02930d594782a4c6228a07fb9c897f3a68b4eb7c2e72188ef12fe
                                                        • Instruction ID: 762f0ee6e0dc0e914ca8212b3aaf3d3562e6cd1c4f30d17bfd51c1fe78794a9b
                                                        • Opcode Fuzzy Hash: 48caeb50bee02930d594782a4c6228a07fb9c897f3a68b4eb7c2e72188ef12fe
                                                        • Instruction Fuzzy Hash: C3519FEF14C115BCB282E9826B14EFBA77EE6D6730B308426F847D2642E2D48B4D11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3f65fc8aa1524e3a9978e657343983271ac136aeaa7373a87bc17f717dd351fd
                                                        • Instruction ID: 45bcd08fad9005d84be9032d8aec70a0cb4ce6e98be2ac28b8069e3b19d6ee8e
                                                        • Opcode Fuzzy Hash: 3f65fc8aa1524e3a9978e657343983271ac136aeaa7373a87bc17f717dd351fd
                                                        • Instruction Fuzzy Hash: 4851C0EB54C114BDB382E9816B14EFAAB3EE6D6330B348426F483D5142E2948B4D51B2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8bf73419ce7ff22f4a65ddd314a2d1f4cc61e2bbd01404d82067f0f9c625c375
                                                        • Instruction ID: 8f6ed3805ab80f5e42c6f41e502a99c8c274335d4ca5eda27ecc7a6406ca7789
                                                        • Opcode Fuzzy Hash: 8bf73419ce7ff22f4a65ddd314a2d1f4cc61e2bbd01404d82067f0f9c625c375
                                                        • Instruction Fuzzy Hash: 9A51C3EB54C014BCB382E9816B54EFB6B7EE2D6730B309426F847D1242E2D48F4D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d87dfc4b3e90265b0e384cd395d73d472204d7f462121d8ec1a4686c555a70a3
                                                        • Instruction ID: 66281eb0cc586c11011783ce58e78c276790b7ff43730983be282cb871483bd5
                                                        • Opcode Fuzzy Hash: d87dfc4b3e90265b0e384cd395d73d472204d7f462121d8ec1a4686c555a70a3
                                                        • Instruction Fuzzy Hash: 75418EEB54C015BDB382A9812B14EFAA63EE2DA730B318426F847E1642E2D48F4D11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 134a57a22eb9073b41bf94ad029e7462a082fc7e84de05d312b46fcf752dc192
                                                        • Instruction ID: e3a9c6806e515fdd78af0136eb46f34405248febd19ac70efb77b70f812a8d83
                                                        • Opcode Fuzzy Hash: 134a57a22eb9073b41bf94ad029e7462a082fc7e84de05d312b46fcf752dc192
                                                        • Instruction Fuzzy Hash: 58416EEB14C015BDB382E9826B58EFBA73EE2D6730B308427F847D5642E2D48B4D11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fe858f108ba72395d9e06377820ef6632b1c32c779460125e0344e85d039f612
                                                        • Instruction ID: 1461dc74dde7ca25b8d4238f4f3f4752d0ca3f0ed1d97b08834765da637ebbc0
                                                        • Opcode Fuzzy Hash: fe858f108ba72395d9e06377820ef6632b1c32c779460125e0344e85d039f612
                                                        • Instruction Fuzzy Hash: 28417FEB54C014BDB382E9816B18EFBA73EE2D6730B318427F847D1242E2D48B4D11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b505b12015bf4e14ca20bbcc48a8541cb90ee6ccc9ced42a5a04fdde1434f382
                                                        • Instruction ID: c755e6a28cc01b649ead14445440614fa79abdbd78d8f37061ae294c673cb622
                                                        • Opcode Fuzzy Hash: b505b12015bf4e14ca20bbcc48a8541cb90ee6ccc9ced42a5a04fdde1434f382
                                                        • Instruction Fuzzy Hash: D0416CEB54C115BDB382E9826B18EFBA77EE2D6730B319427F847E1142E2D48B4D11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3faed20823a68f8db4192c37e2e3f94383b267e01a85178534e0ee433b1d701c
                                                        • Instruction ID: 4ea0f971d17347f03af632b6382b3cd02aec02c6adbce8985acd9c4b09fb178a
                                                        • Opcode Fuzzy Hash: 3faed20823a68f8db4192c37e2e3f94383b267e01a85178534e0ee433b1d701c
                                                        • Instruction Fuzzy Hash: AF4190EB14C114BDB382E9816F58EFAAB3DE6D6330B318427F847D5542E2D48B4D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2a2fffd867404bc21d5f243aeac85c98e125ef50eb95c157701f8e368dd93fd4
                                                        • Instruction ID: bded1e8bafb7092ff097ed7a08c10caae48efa368d50b32f67d06b95e64761c5
                                                        • Opcode Fuzzy Hash: 2a2fffd867404bc21d5f243aeac85c98e125ef50eb95c157701f8e368dd93fd4
                                                        • Instruction Fuzzy Hash: 14417EEB54C014BDB382E9816B54EFAAB7EE1D6730B318427F847E5142E2D48B4D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2de8a0035c6a44e63c0e3ea7ae74f9c0579d170a7ea360e8a1bd4fffa37cf6b5
                                                        • Instruction ID: 3b3e8cc9df213cc71da556ed25746c451a1abe7c66f4c50630a0b5123cd02a81
                                                        • Opcode Fuzzy Hash: 2de8a0035c6a44e63c0e3ea7ae74f9c0579d170a7ea360e8a1bd4fffa37cf6b5
                                                        • Instruction Fuzzy Hash: AA4180EB14C114BDB382E9816B18EFAAB7DE5D6630B31842BF847D1142E2D48F4D52B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 17836cededc7358cc25ffa686c86a988cd06d5a47904b67e22ff1d8cd3aaab9b
                                                        • Instruction ID: 1573ed94d94dd49c35cf20db3d1625576ac1b6fc3506eae167134f098b71cb42
                                                        • Opcode Fuzzy Hash: 17836cededc7358cc25ffa686c86a988cd06d5a47904b67e22ff1d8cd3aaab9b
                                                        • Instruction Fuzzy Hash: 39315FEB18C114BDB282E9816B18EFBAB7DE6D7230B319427F847E1142E2D48B4D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ce28179443d7fc85b7c5e768bee9c5f64ea4559fc9216d1d2d852e9d0e005105
                                                        • Instruction ID: 53819fb02e44f3f7f8ef5a81a9e03c77a7004419b13daff50c153eed2ba346d5
                                                        • Opcode Fuzzy Hash: ce28179443d7fc85b7c5e768bee9c5f64ea4559fc9216d1d2d852e9d0e005105
                                                        • Instruction Fuzzy Hash: 3041A0EF14C114BDB282A9816B18EFAAB7DE5D7230B318427F847E6142E2D48B4D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 32047641d6e2cef8032a38712520ee1f6962d714ccc0a612bd1221e599a2250d
                                                        • Instruction ID: eb5170e562d949e7f97a68b90fb9a53b6756a34d1a0fccfb58f01e133913750f
                                                        • Opcode Fuzzy Hash: 32047641d6e2cef8032a38712520ee1f6962d714ccc0a612bd1221e599a2250d
                                                        • Instruction Fuzzy Hash: 92316EEF18C114BDB282EA816B18DFABB7DE5D6630B318426F847E5142E2D48F4D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9c544272e4c4a95a62c69217c99245d9fcf20167254a22f1dd2f4dc89e3149b3
                                                        • Instruction ID: 5723b8bae3e00406a5f8a93177796f9702ea45f52c77313d193adb7a8299f14a
                                                        • Opcode Fuzzy Hash: 9c544272e4c4a95a62c69217c99245d9fcf20167254a22f1dd2f4dc89e3149b3
                                                        • Instruction Fuzzy Hash: 2A318EEF18C014BDB282E9816B18DFABB3DE5C6630B318436F847E1042E2D48B4D52B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: db93de5ece2b4a90151724c802f4afb3ce6c661f5b594475406a0c9c906e4596
                                                        • Instruction ID: 31c4330963d6ea885561cb8e1c6fe0e0d6da5a31c8e124c7cf803d49b9819840
                                                        • Opcode Fuzzy Hash: db93de5ece2b4a90151724c802f4afb3ce6c661f5b594475406a0c9c906e4596
                                                        • Instruction Fuzzy Hash: 973141EF18C114BDB242E9816B14DFAAB3DE5D6730B318437F847E1542E2D48B4D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7015f9a610f98ad8d80bc0d4d8e52084573bf6e8c001cb4354dcab37ff497db7
                                                        • Instruction ID: 205a58a701415fab4ebdd6da73e9a72bcb759491829bae7158b1b94fb8a73a64
                                                        • Opcode Fuzzy Hash: 7015f9a610f98ad8d80bc0d4d8e52084573bf6e8c001cb4354dcab37ff497db7
                                                        • Instruction Fuzzy Hash: 62219FFB14C114BDB382EA816B54EFAAB3EE5D6630B318426F847E5142E2D48F0D52B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d81d93acdcb4b3662c39384cc288abf3e104a3351559e34943f70641ab130828
                                                        • Instruction ID: cd03448054eb779f9042798abd349afc3526e4c0d8835f8d13c86c8818b949bd
                                                        • Opcode Fuzzy Hash: d81d93acdcb4b3662c39384cc288abf3e104a3351559e34943f70641ab130828
                                                        • Instruction Fuzzy Hash: 852141FB14C114BDB282E9816B14EFAAB3EE5D6631B318427F847E5142E2D48F4D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7734c8344bb7484b0f9a85d455a60564e3f02798b56b6790e67b6e5acb504ff1
                                                        • Instruction ID: f3ceb60e0230462981682aea54907543b0286815e5c202983ae640134b627670
                                                        • Opcode Fuzzy Hash: 7734c8344bb7484b0f9a85d455a60564e3f02798b56b6790e67b6e5acb504ff1
                                                        • Instruction Fuzzy Hash: 8E2180EB54C114BCB282E9812B58DFAAB3EE1DA230B318827F847E1542E2D48F4D11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9bdd76e75ab158f289ef5647ae1455168fb1a69d43a3e0b5ad708c79abdc3f80
                                                        • Instruction ID: ebb8437fe4d88acf084937a5ed30995f7aa386ffd1201fa5e7b7747a3cb26c62
                                                        • Opcode Fuzzy Hash: 9bdd76e75ab158f289ef5647ae1455168fb1a69d43a3e0b5ad708c79abdc3f80
                                                        • Instruction Fuzzy Hash: D821B0FB54C114BDB342E9812B54AFAAB3EE5D6230B318426F847E1042E2D48F4D61B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 64763604281257d208cc0d80157a5e0c2fa9ed0523eb4e1aaf50a0ca5a4b6855
                                                        • Instruction ID: 2055c1cae33e5aa9d3967775680753cc13e732a6a9d1b5aaebb4b8874f6d10cf
                                                        • Opcode Fuzzy Hash: 64763604281257d208cc0d80157a5e0c2fa9ed0523eb4e1aaf50a0ca5a4b6855
                                                        • Instruction Fuzzy Hash: E421C5FF58C114BDB242ED816B18AFAAB3EE5C6234B31C426F846D5042E2D48F0D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 26024d3f62d2b929bfbfc5f0c52755c5a274b95a7333d3767e8961ed2c5015b9
                                                        • Instruction ID: 6cd45439bb52a3d4e598ee46032bf61367ec5c4913be43a48177cc7c6b080ac4
                                                        • Opcode Fuzzy Hash: 26024d3f62d2b929bfbfc5f0c52755c5a274b95a7333d3767e8961ed2c5015b9
                                                        • Instruction Fuzzy Hash: A41142EF14C114BDB642AA816B18EFAA73EE5DB734B31C426F447E1142E2D48F4D5171
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 100b5da35bdb50af3dfd956c1f669be835cff5c5e8a00d4c9ae830995c01ab66
                                                        • Instruction ID: bce7e29cba5bfaffade1589ab47af56a36adc497d0312fef4aaa27bba130bff6
                                                        • Opcode Fuzzy Hash: 100b5da35bdb50af3dfd956c1f669be835cff5c5e8a00d4c9ae830995c01ab66
                                                        • Instruction Fuzzy Hash: 401142FF14C114BDB242AA816B14AFAAB7DE5D6734B318426F447E2082E2D48B4D5171
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482399983.0000000006E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e80000_QeM0UAj5PK.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482129039.0000000006DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6dd0000_QeM0UAj5PK.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482399983.0000000006E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e80000_QeM0UAj5PK.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482399983.0000000006E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e80000_QeM0UAj5PK.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482399983.0000000006E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e80000_QeM0UAj5PK.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482307569.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e40000_QeM0UAj5PK.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2482279792.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e30000_QeM0UAj5PK.jbxd