Windows Analysis Report
p3a0oZ4U7X.exe

Overview

General Information

Sample name: p3a0oZ4U7X.exe (renamed because the original name is a hash value)
Original sample name: d2b6983ba17597222ebd82bffb6885ff.exe
Analysis ID: 1579666
MD5: d2b6983ba17597222ebd82bffb6885ff
SHA1: 8bddba09abebe631016751b7c292d941cd85bb36
SHA256: 9f5fc1608cb64a1fb6d1f0259d45442eefa2de8aafa5fe26b7df35b12cbbcdf8
Tags: exe user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • p3a0oZ4U7X.exe (PID: 4304 cmdline: "C:\Users\user\Desktop\p3a0oZ4U7X.exe" MD5: D2B6983BA17597222EBD82BFFB6885FF)
    • WerFault.exe (PID: 2156 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1124 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: p3a0oZ4U7X.exe | Avira: detected
Source: p3a0oZ4U7X.exe | ReversingLabs: Detection: 63%
Source: p3a0oZ4U7X.exe | Virustotal: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: p3a0oZ4U7X.exe | Joe Sandbox ML: detected
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: p3a0oZ4U7X.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: Joe Sandbox View | IP Address: 98.85.100.80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fivetk5ht.top
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17
Source: p3a0oZ4U7X.exe, 00000000.00000002.2352730805.000000000144E000.00000004.00000020.00020000.00000000.sdmp, p3a0oZ4U7X.exe, 00000000.00000002.2352730805.00000000014D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
Source: p3a0oZ4U7X.exe, 00000000.00000002.2352730805.000000000144E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv173457985135a1
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443

System Summary

Source: p3a0oZ4U7X.exe | Static PE information: section name:
Source: p3a0oZ4U7X.exe | Static PE information: section name: .idata
Source: p3a0oZ4U7X.exe | Static PE information: section name:
Source: p3a0oZ4U7X.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: p3a0oZ4U7X.exe | Static PE information: Section: tlvpoemj ZLIB complexity 0.9943260832979025
Source: classification engine | Classification label: mal100.evad.winEXE@2/5@14/1
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4304
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0a48e6ff-9a0d-449b-8c3f-e2ac700c52ac
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: p3a0oZ4U7X.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown | Process created: C:\Users\user\Desktop\p3a0oZ4U7X.exe "C:\Users\user\Desktop\p3a0oZ4U7X.exe"
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1124
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Section loaded: windowscodecs.dll
Source: p3a0oZ4U7X.exe | Static file information: File size 4462592 > 1048576
Source: p3a0oZ4U7X.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x284c00
Source: p3a0oZ4U7X.exe | Static PE information: Raw size of tlvpoemj is bigger than: 0x100000 < 0x1b9000

Data Obfuscation

Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Unpacked PE file: 0.2.p3a0oZ4U7X.exe.6a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tlvpoemj:EW;rkzldfqv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tlvpoemj:EW;rkzldfqv:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: p3a0oZ4U7X.exe | Static PE information: real checksum: 0x44983f should be: 0x449886
Source: p3a0oZ4U7X.exe | Static PE information: section name:
Source: p3a0oZ4U7X.exe | Static PE information: section name: .idata
Source: p3a0oZ4U7X.exe | Static PE information: section name:
Source: p3a0oZ4U7X.exe | Static PE information: section name: tlvpoemj
Source: p3a0oZ4U7X.exe | Static PE information: section name: rkzldfqv
Source: p3a0oZ4U7X.exe | Static PE information: section name: .taggant
Source: p3a0oZ4U7X.exe | Static PE information: section name: tlvpoemj entropy: 7.956360163422751

Boot Survival

Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Window searched: window name: Filemonclass
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
Source: p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F8C82C second address: F8C846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CD790C84h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F8C846 second address: F8C84F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F8C84F second address: F8C85B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F65CD790C76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F8C9CB second address: F8C9D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F8C9D4 second address: F8C9D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F8CDDD second address: F8CDE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F8CF3E second address: F8CF48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F65CD790C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F82B3D second address: F82B6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C25Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F65CDA1C25Eh 0x00000011 popad 0x00000012 pushad 0x00000013 jnp 00007F65CDA1C256h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F4F01E second address: F4F03F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD790C87h 0x00000009 je 00007F65CD790C76h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F4F03F second address: F4F043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F4F043 second address: F4F06C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F65CD790C88h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F4F06C second address: F4F070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F8DD07 second address: F8DD11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F65CD790C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F8DD11 second address: F8DD25 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F65CDA1C256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e je 00007F65CDA1C256h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F8DD25 second address: F8DD29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F901DE second address: F901F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C25Ah 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jno 00007F65CDA1C256h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F94ADF second address: F94AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F94AE7 second address: F94AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F65CDA1C256h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F5C8BB second address: F5C8E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007F65CD790C76h 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F65CD790C87h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F5C8E4 second address: F5C8E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F97F57 second address: F97F5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F97F5D second address: F97F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9C78F second address: F9C793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9C793 second address: F9C7A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jl 00007F65CDA1C256h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9C7A7 second address: F9C7B1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9C7B1 second address: F9C7B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9C7B5 second address: F9C7BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9CD62 second address: F9CD81 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65CDA1C256h 0x00000008 jmp 00007F65CDA1C265h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9CEFF second address: F9CF0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9CF0D second address: F9CF1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 je 00007F65CDA1C256h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9D833 second address: F9D838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9D838 second address: F9D854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CDA1C268h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9D8FC second address: F9D940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007F65CD790C89h 0x0000000b pop ecx 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 jmp 00007F65CD790C86h 0x00000017 jbe 00007F65CD790C7Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9D940 second address: F9D955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 call 00007F65CDA1C259h 0x0000000b push ecx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9D955 second address: F9D965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 jp 00007F65CD790C7Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9D965 second address: F9D996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F65CDA1C266h 0x0000000c popad 0x0000000d popad 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007F65CDA1C25Ch 0x0000001a jng 00007F65CDA1C256h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9D996 second address: F9D99C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9D99C second address: F9D9A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9D9A0 second address: F9D9C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 jo 00007F65CD790C76h 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9D9C1 second address: F9D9EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65CDA1C25Ch 0x00000008 jmp 00007F65CDA1C25Fh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jo 00007F65CDA1C256h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9D9EF second address: F9D9F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9DB17 second address: F9DB45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F65CDA1C267h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F65CDA1C25Ah 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9DDB7 second address: F9DDBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F9E607 second address: F9E60D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA085E second address: FA0863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA00DC second address: FA00FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C269h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA0863 second address: FA087F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65CD790C7Dh 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA087F second address: FA0885 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA2016 second address: FA201B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA29B1 second address: FA29B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA2738 second address: FA273C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA29B6 second address: FA29E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F65CDA1C25Ah 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F65CDA1C268h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F50B81 second address: F50B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F50B87 second address: F50BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F65CDA1C25Ch 0x0000000d jmp 00007F65CDA1C267h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F50BB2 second address: F50BB7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA89A5 second address: FA89A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA89A9 second address: FA89B3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F65CD790C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA89B3 second address: FA89B8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA89B8 second address: FA89C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA89C6 second address: FA89D0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F65CDA1C256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA89D0 second address: FA8A5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F65CD790C76h 0x00000009 jmp 00007F65CD790C83h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 mov dword ptr [ebp+124670ECh], ecx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F65CD790C78h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000018h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F65CD790C78h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 00000019h 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 mov di, 1A72h 0x00000054 sbb ebx, 19077600h 0x0000005a xchg eax, esi 0x0000005b pushad 0x0000005c jmp 00007F65CD790C7Fh 0x00000061 jg 00007F65CD790C7Ch 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FA8C11 second address: FA8C33 instructions: 0x00000000 rdtsc 0x00000002 je 00007F65CDA1C256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F65CDA1C266h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FACA5F second address: FACA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F65CD790C76h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FACA6C second address: FACAA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C25Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F65CDA1C25Ch 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F65CDA1C267h 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F618E0 second address: F618E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F618E7 second address: F618FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65CDA1C25Ah 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FAE036 second address: FAE03A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FAE03A second address: FAE03E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FAE03E second address: FAE0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F65CD790C86h 0x0000000c pop edi 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 mov dword ptr [ebp+122D2381h], edi 0x00000017 jmp 00007F65CD790C88h 0x0000001c push 00000000h 0x0000001e mov bx, AD80h 0x00000022 push 00000000h 0x00000024 jmp 00007F65CD790C84h 0x00000029 xchg eax, esi 0x0000002a jmp 00007F65CD790C80h 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 jmp 00007F65CD790C80h 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FAE0C1 second address: FAE0C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FAD1CA second address: FAD1E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65CD790C83h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FAE0C6 second address: FAE0CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FAF0A2 second address: FAF0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FAF0A6 second address: FAF0AC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FAF0AC second address: FAF0B6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65CD790C7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FB00C4 second address: FB00E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C261h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F65CDA1C256h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FB21A8 second address: FB21D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F65CD790C7Ch 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FB32F2 second address: FB32FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F65CDA1C256h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FB32FD second address: FB330A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FB330A second address: FB330F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FB6430 second address: FB6447 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FB34DE second address: FB34F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CDA1C260h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FB8852 second address: FB8858 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FBB6C4 second address: FBB6CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F6349D second address: F634B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F65CD790C7Ch 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FC5EC5 second address: FC5EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FC5EC9 second address: FC5EF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F65CD790C85h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FC5EF8 second address: FC5F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FC5F02 second address: FC5F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FC55BA second address: FC55F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CDA1C267h 0x00000009 pop esi 0x0000000a jg 00007F65CDA1C26Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FB9682 second address: FB9688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: FC5A47 second address: FC5A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F65CDA1C25Dh 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1004845 second address: 100484B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1009986 second address: 100998A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 100998A second address: 100999F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CDA1C25Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 100999F second address: 10099B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD790C7Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 10099B2 second address: 10099B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 10089B4 second address: 10089BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F65CD790C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 10089BE second address: 10089C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1008CD8 second address: 1008CDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1008CDE second address: 1008CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1008CE8 second address: 1008CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F65CD790C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1008E33 second address: 1008E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1009308 second address: 1009320 instructions: 0x00000000 rdtsc 0x00000002 je 00007F65CD790C7Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a jg 00007F65CD790C76h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1009320 second address: 1009324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1009324 second address: 1009346 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C85h 0x00000007 jnp 00007F65CD790C76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1009346 second address: 1009359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F65CDA1C256h 0x0000000a pushad 0x0000000b popad 0x0000000c jns 00007F65CDA1C256h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1009359 second address: 100937B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F65CD790C76h 0x0000000b je 00007F65CD790C76h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 js 00007F65CD790C76h 0x0000001c jnl 00007F65CD790C76h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1009663 second address: 1009695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F65CDA1C260h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F65CDA1C266h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1009695 second address: 100969C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 100969C second address: 10096B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CDA1C25Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F65CDA1C256h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 100E4F3 second address: 100E4F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 100E4F7 second address: 100E522 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F65CDA1C25Eh 0x00000008 jmp 00007F65CDA1C265h 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 100E522 second address: 100E528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 100E528 second address: 100E52C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 10106BB second address: 10106C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 10106C3 second address: 10106C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 10106C7 second address: 10106D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F65CD790C76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 10106D7 second address: 10106DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 10106DB second address: 10106DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F5FED3 second address: F5FED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F5FED7 second address: F5FEE6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F65CD790C76h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1016CC7 second address: 1016CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F65CDA1C256h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F65CDA1C256h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1016CDC second address: 1016CEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F65CD790C76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1016CEE second address: 1016CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1016F8C second address: 1016F90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1016F90 second address: 1016FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F65CDA1C256h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F65CDA1C260h 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1017388 second address: 101738E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 101738E second address: 101739A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 101739A second address: 10173A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 10173A0 second address: 10173A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 101761B second address: 1017635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F65CD790C85h 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F65CD790C7Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1017635 second address: 1017684 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F65CDA1C256h 0x00000009 jmp 00007F65CDA1C269h 0x0000000e jmp 00007F65CDA1C264h 0x00000013 jmp 00007F65CDA1C25Ah 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c push edi 0x0000001d jns 00007F65CDA1C256h 0x00000023 pop edi 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1017684 second address: 10176AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jl 00007F65CD790C7Ch 0x0000000b pushad 0x0000000c jmp 00007F65CD790C83h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 101874F second address: 1018757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1018757 second address: 1018762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1018762 second address: 1018766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 10166EA second address: 10166FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 10166FA second address: 101670B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jns 00007F65CDA1C256h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 101670B second address: 101670F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 101BA9E second address: 101BAA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F5780A second address: F5780E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F5780E second address: F5782A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C268h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F5782A second address: F5783A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 jnc 00007F65CD790C76h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 102066C second address: 1020694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F65CDA1C256h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F65CDA1C267h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1020694 second address: 102069A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 102DDF1 second address: 102DDF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1031938 second address: 1031963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F65CD790C7Dh 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F65CD790C85h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1049001 second address: 1049006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F592CD second address: F592D2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F592D2 second address: F592F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F65CDA1C256h 0x0000000a pop ecx 0x0000000b jmp 00007F65CDA1C25Ch 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 jns 00007F65CDA1C256h 0x0000001a push edi 0x0000001b pop edi 0x0000001c pop eax 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: F592F9 second address: F59301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1047D0E second address: 1047D28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C262h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1047D28 second address: 1047D2D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1047E81 second address: 1047E8B instructions: 0x00000000 rdtsc 0x00000002 je 00007F65CDA1C256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 104837D second address: 1048383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1048383 second address: 1048387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 104EBD6 second address: 104EBDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 104EBDA second address: 104EBDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 109C8C4 second address: 109C8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 109C8C8 second address: 109C8E9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F65CDA1C256h 0x00000008 jmp 00007F65CDA1C267h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 109C4A1 second address: 109C4A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 109C4A5 second address: 109C4AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 109C4AE second address: 109C4B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 109C4B4 second address: 109C4E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop ecx 0x0000000b jmp 00007F65CDA1C265h 0x00000010 popad 0x00000011 jc 00007F65CDA1C27Ah 0x00000017 jbe 00007F65CDA1C270h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1160F3E second address: 1160F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1161351 second address: 116138D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C25Fh 0x00000007 jmp 00007F65CDA1C267h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f jo 00007F65CDA1C256h 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jns 00007F65CDA1C256h 0x0000001e push edx 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 116138D second address: 11613A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F65CD790C7Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 11613A4 second address: 11613BC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F65CDA1C262h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1161843 second address: 1161852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F65CD790C76h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 116197A second address: 116197E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 116197E second address: 1161998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F65CD790C7Fh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1165D71 second address: 1165D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F65CDA1C256h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1165E0F second address: 1165E1D instructions: 0x00000000 rdtsc 0x00000002 js 00007F65CD790C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1165FC2 second address: 1165FD8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F65CDA1C256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F65CDA1C256h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 1165FD8 second address: 1165FDE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 116637E second address: 1166385 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80010 second address: 6E80014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80014 second address: 6E8001A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8001A second address: 6E8002B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD790C7Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8002B second address: 6E8005C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F65CDA1C25Ah 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F65CDA1C265h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8005C second address: 6E8006C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD790C7Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8006C second address: 6E800BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C25Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr fs:[00000030h] 0x00000011 pushad 0x00000012 push eax 0x00000013 call 00007F65CDA1C25Bh 0x00000018 pop esi 0x00000019 pop edi 0x0000001a movzx ecx, bx 0x0000001d popad 0x0000001e sub esp, 18h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F65CDA1C25Ah 0x0000002a xor cx, 8A38h 0x0000002f jmp 00007F65CDA1C25Bh 0x00000034 popfd 0x00000035 mov dx, ax 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E800BC second address: 6E80160 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F65CD790C7Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 jmp 00007F65CD790C87h 0x00000017 mov si, DC2Fh 0x0000001b popad 0x0000001c pushfd 0x0000001d jmp 00007F65CD790C84h 0x00000022 jmp 00007F65CD790C85h 0x00000027 popfd 0x00000028 popad 0x00000029 xchg eax, ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F65CD790C83h 0x00000033 jmp 00007F65CD790C83h 0x00000038 popfd 0x00000039 mov cx, 92DFh 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80160 second address: 6E80197 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C265h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [eax+10h] 0x0000000c jmp 00007F65CDA1C25Eh 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 movsx edx, ax 0x00000018 mov ecx, 268E5F45h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80197 second address: 6E801FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, dl 0x00000005 jmp 00007F65CD790C7Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F65CD790C7Bh 0x00000013 xchg eax, esi 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F65CD790C84h 0x0000001b add cx, 9D38h 0x00000020 jmp 00007F65CD790C7Bh 0x00000025 popfd 0x00000026 mov dx, si 0x00000029 popad 0x0000002a mov esi, dword ptr [762C06ECh] 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F65CD790C81h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E801FA second address: 6E80277 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C261h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F65CDA1C25Eh 0x00000010 jne 00007F65CDA1D147h 0x00000016 pushad 0x00000017 call 00007F65CDA1C25Eh 0x0000001c mov edx, eax 0x0000001e pop eax 0x0000001f jmp 00007F65CDA1C267h 0x00000024 popad 0x00000025 xchg eax, edi 0x00000026 jmp 00007F65CDA1C266h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F65CDA1C25Eh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80277 second address: 6E8028D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8028D second address: 6E80291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80291 second address: 6E802AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E802AC second address: 6E80303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F65CDA1C262h 0x00000009 sub eax, 0A6C02A8h 0x0000000f jmp 00007F65CDA1C25Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 call dword ptr [76290B60h] 0x0000001e mov eax, 75A0E5E0h 0x00000023 ret 0x00000024 jmp 00007F65CDA1C266h 0x00000029 push 00000044h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F65CDA1C25Ah 0x00000034 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80303 second address: 6E80307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80307 second address: 6E8030D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8030D second address: 6E80313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80313 second address: 6E8033A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 jmp 00007F65CDA1C264h 0x0000000e xchg eax, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov si, bx 0x00000015 push ebx 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8033A second address: 6E803CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F65CD790C80h 0x00000009 or ax, 54F8h 0x0000000e jmp 00007F65CD790C7Bh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F65CD790C88h 0x0000001a or eax, 6722AF58h 0x00000020 jmp 00007F65CD790C7Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push eax 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F65CD790C82h 0x00000031 sub si, B9B8h 0x00000036 jmp 00007F65CD790C7Bh 0x0000003b popfd 0x0000003c popad 0x0000003d xchg eax, edi 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F65CD790C85h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E803CC second address: 6E803F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C261h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F65CDA1C25Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E803F2 second address: 6E80402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD790C7Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80402 second address: 6E80416 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000030h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80416 second address: 6E8041C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8041C second address: 6E80460 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C25Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [eax+18h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F65CDA1C25Bh 0x00000015 add ecx, 21A9F39Eh 0x0000001b jmp 00007F65CDA1C269h 0x00000020 popfd 0x00000021 mov edi, ecx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E804A8 second address: 6E804C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F65CD790C7Eh 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov esi, eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E804C6 second address: 6E804CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E804CA second address: 6E80587 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F65CD790C83h 0x00000008 or esi, 2145A91Eh 0x0000000e jmp 00007F65CD790C89h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 movzx esi, di 0x00000019 popad 0x0000001a test esi, esi 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F65CD790C89h 0x00000023 jmp 00007F65CD790C7Bh 0x00000028 popfd 0x00000029 pushfd 0x0000002a jmp 00007F65CD790C88h 0x0000002f xor eax, 631DA8A8h 0x00000035 jmp 00007F65CD790C7Bh 0x0000003a popfd 0x0000003b popad 0x0000003c je 00007F663CB4FDC3h 0x00000042 jmp 00007F65CD790C86h 0x00000047 sub eax, eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F65CD790C7Ch 0x00000050 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80587 second address: 6E805AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C25Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F65CDA1C25Bh 0x00000013 movzx ecx, di 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E805AA second address: 6E805DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F65CD790C87h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E805DC second address: 6E805F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CDA1C264h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E805F4 second address: 6E8060B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F65CD790C7Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8060B second address: 6E80611 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80611 second address: 6E80615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80615 second address: 6E8063A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C25Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+0Ch], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F65CDA1C25Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8063A second address: 6E80658 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 4Ch 0x00000005 mov si, CEDFh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [ebx+4Ch] 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 mov bx, cx 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 mov esi, 407B6665h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80658 second address: 6E806D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esi+10h], eax 0x00000008 jmp 00007F65CDA1C267h 0x0000000d mov eax, dword ptr [ebx+50h] 0x00000010 pushad 0x00000011 mov cx, A7CBh 0x00000015 jmp 00007F65CDA1C260h 0x0000001a popad 0x0000001b mov dword ptr [esi+14h], eax 0x0000001e jmp 00007F65CDA1C260h 0x00000023 mov eax, dword ptr [ebx+54h] 0x00000026 jmp 00007F65CDA1C260h 0x0000002b mov dword ptr [esi+18h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F65CDA1C267h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E806D2 second address: 6E8078F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65CD790C7Fh 0x00000008 pushfd 0x00000009 jmp 00007F65CD790C88h 0x0000000e jmp 00007F65CD790C85h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [ebx+58h] 0x0000001a pushad 0x0000001b mov dx, 49BEh 0x0000001f popad 0x00000020 mov dword ptr [esi+1Ch], eax 0x00000023 jmp 00007F65CD790C85h 0x00000028 mov eax, dword ptr [ebx+5Ch] 0x0000002b pushad 0x0000002c push ecx 0x0000002d pushfd 0x0000002e jmp 00007F65CD790C83h 0x00000033 add si, EBCEh 0x00000038 jmp 00007F65CD790C89h 0x0000003d popfd 0x0000003e pop eax 0x0000003f mov si, bx 0x00000042 popad 0x00000043 mov dword ptr [esi+20h], eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F65CD790C86h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8078F second address: 6E807F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 mov si, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+60h] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F65CDA1C265h 0x00000015 add ax, F816h 0x0000001a jmp 00007F65CDA1C261h 0x0000001f popfd 0x00000020 call 00007F65CDA1C260h 0x00000025 call 00007F65CDA1C262h 0x0000002a pop ecx 0x0000002b pop edi 0x0000002c popad 0x0000002d mov dword ptr [esi+24h], eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E807F9 second address: 6E8080C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8080C second address: 6E80812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80971 second address: 6E80992 instructions: 0x00000000 rdtsc 0x00000002 mov si, 6B27h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F65CD790C7Ch 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 popad 0x00000011 mov eax, dword ptr [ebx+1Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80992 second address: 6E80996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80996 second address: 6E8099C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8099C second address: 6E809B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C25Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+3Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, di 0x00000012 mov al, bh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E809B7 second address: 6E809FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, ACh 0x00000005 jmp 00007F65CD790C80h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebx+20h] 0x00000010 jmp 00007F65CD790C80h 0x00000015 mov dword ptr [esi+40h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F65CD790C87h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E809FE second address: 6E80A30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C269h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+00000080h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F65CDA1C25Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80A30 second address: 6E80A71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a jmp 00007F65CD790C84h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F65CD790C7Dh 0x00000018 call 00007F65CD790C80h 0x0000001d pop esi 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80A71 second address: 6E80ABB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C260h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F65CDA1C261h 0x00000011 sub ax, 44E6h 0x00000016 jmp 00007F65CDA1C261h 0x0000001b popfd 0x0000001c movzx ecx, dx 0x0000001f popad 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80ABB second address: 6E80ABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80ABF second address: 6E80AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80AC5 second address: 6E80AD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD790C7Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80AD3 second address: 6E80AD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80B58 second address: 6E80B5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80B5C second address: 6E80B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80B62 second address: 6E80B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80B68 second address: 6E80B6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80B6C second address: 6E80BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a pushad 0x0000000b movzx eax, di 0x0000000e mov si, di 0x00000011 popad 0x00000012 js 00007F663CB4F7BBh 0x00000018 jmp 00007F65CD790C89h 0x0000001d mov eax, dword ptr [ebp-0Ch] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80BA6 second address: 6E80BAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80BAC second address: 6E80BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80BB2 second address: 6E80BCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F65CDA1C25Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80BCE second address: 6E80BF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dl 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a lea eax, dword ptr [ebx+78h] 0x0000000d jmp 00007F65CD790C7Ch 0x00000012 push 00000001h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov bx, B670h 0x0000001b mov cx, dx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80BF4 second address: 6E80C23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65CDA1C260h 0x00000008 jmp 00007F65CDA1C262h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80C23 second address: 6E80C29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80C29 second address: 6E80C3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movzx ecx, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov bl, 58h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80C3D second address: 6E80C77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov ax, F5D5h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e jmp 00007F65CD790C80h 0x00000013 lea eax, dword ptr [ebp-08h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F65CD790C87h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80CD9 second address: 6E80D49 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F65CDA1C25Dh 0x00000008 adc eax, 60B05AE6h 0x0000000e jmp 00007F65CDA1C261h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov edi, eax 0x00000019 pushad 0x0000001a mov si, 4FB3h 0x0000001e movzx esi, dx 0x00000021 popad 0x00000022 test edi, edi 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F65CDA1C261h 0x0000002b and cl, FFFFFFF6h 0x0000002e jmp 00007F65CDA1C261h 0x00000033 popfd 0x00000034 movzx esi, bx 0x00000037 popad 0x00000038 js 00007F663CDDABD2h 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80D49 second address: 6E80D5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80D5D second address: 6E80E31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C25Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-04h] 0x0000000c jmp 00007F65CDA1C266h 0x00000011 mov dword ptr [esi+08h], eax 0x00000014 jmp 00007F65CDA1C260h 0x00000019 lea eax, dword ptr [ebx+70h] 0x0000001c jmp 00007F65CDA1C260h 0x00000021 push 00000001h 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F65CDA1C25Eh 0x0000002a jmp 00007F65CDA1C265h 0x0000002f popfd 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F65CDA1C25Eh 0x00000037 sbb ch, FFFFFF98h 0x0000003a jmp 00007F65CDA1C25Bh 0x0000003f popfd 0x00000040 pushad 0x00000041 popad 0x00000042 popad 0x00000043 popad 0x00000044 nop 0x00000045 jmp 00007F65CDA1C264h 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e pushfd 0x0000004f jmp 00007F65CDA1C25Ch 0x00000054 or ax, 5728h 0x00000059 jmp 00007F65CDA1C25Bh 0x0000005e popfd 0x0000005f movzx eax, bx 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80E31 second address: 6E80E3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80E3F second address: 6E80E9E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F65CDA1C260h 0x00000008 or ah, FFFFFFB8h 0x0000000b jmp 00007F65CDA1C25Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov bl, cl 0x00000015 popad 0x00000016 lea eax, dword ptr [ebp-18h] 0x00000019 jmp 00007F65CDA1C25Bh 0x0000001e nop 0x0000001f jmp 00007F65CDA1C266h 0x00000024 push eax 0x00000025 pushad 0x00000026 mov ebx, 75C6B6F4h 0x0000002b mov dx, 4E60h 0x0000002f popad 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80E9E second address: 6E80EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80EA2 second address: 6E80EA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80EA6 second address: 6E80EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80EE0 second address: 6E80F55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F65CDA1C267h 0x00000009 and si, 034Eh 0x0000000e jmp 00007F65CDA1C269h 0x00000013 popfd 0x00000014 mov ecx, 1653BB57h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov edi, eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov esi, edx 0x00000023 pushfd 0x00000024 jmp 00007F65CDA1C25Bh 0x00000029 xor si, 315Eh 0x0000002e jmp 00007F65CDA1C269h 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80F55 second address: 6E80FE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, B572h 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test edi, edi 0x0000000e pushad 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F65CD790C7Bh 0x00000016 sub esi, 41CD4B6Eh 0x0000001c jmp 00007F65CD790C89h 0x00000021 popfd 0x00000022 jmp 00007F65CD790C80h 0x00000027 popad 0x00000028 mov ecx, 7FC1A901h 0x0000002d popad 0x0000002e js 00007F663CB4F37Dh 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007F65CD790C7Ah 0x0000003b sbb cl, 00000018h 0x0000003e jmp 00007F65CD790C7Bh 0x00000043 popfd 0x00000044 mov cx, A5CFh 0x00000048 popad 0x00000049 mov eax, dword ptr [ebp-14h] 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F65CD790C81h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80FE4 second address: 6E80FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CDA1C25Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E80FF4 second address: 6E8101E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F65CD790C85h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8101E second address: 6E8108D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CDA1C261h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c jmp 00007F65CDA1C25Eh 0x00000011 mov edx, 762C06ECh 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F65CDA1C25Eh 0x0000001d or eax, 4BE6FB98h 0x00000023 jmp 00007F65CDA1C25Bh 0x00000028 popfd 0x00000029 mov ch, 8Dh 0x0000002b popad 0x0000002c mov eax, 00000000h 0x00000031 jmp 00007F65CDA1C260h 0x00000036 lock cmpxchg dword ptr [edx], ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d mov ah, DFh 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E8108D second address: 6E810AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E810AA second address: 6E810AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E810AE second address: 6E810B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E810B2 second address: 6E810B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E810B8 second address: 6E810BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E810BE second address: 6E810C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E810C2 second address: 6E810C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E810C6 second address: 6E810D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exeRDTSC instruction interceptor: First address: 6E810D6 second address: 6E810E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD790C7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Special instruction interceptor: First address: DEB9E1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Special instruction interceptor: First address: F978A7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Special instruction interceptor: First address: DEBA07 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Special instruction interceptor: First address: FA6AB0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Code function: 0_2_06E50987 rdtsc 0_2_06E50987
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | API coverage: 5.7 %
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe TID: 3636 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | File Volume queried: C:\ FullSizeInformation
Source: p3a0oZ4U7X.exe, p3a0oZ4U7X.exe, 00000000.00000002.2351989858.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.6.dr | Binary or memory string: VMware
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: p3a0oZ4U7X.exe, 00000000.00000002.2352730805.00000000014D1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
Source: p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: p3a0oZ4U7X.exe, 00000000.00000002.2351989858.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Code function: 0_2_06EF078A Start: 06EF0A91 End: 06EF07C8 0_2_06EF078A
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Code function: 0_2_06EF0468 Start: 06EF04BC End: 06EF04A3 0_2_06EF0468
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | File opened: NTICE
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | File opened: SICE
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Code function: 0_2_06E50987 rdtsc 0_2_06E50987
Source: p3a0oZ4U7X.exe, p3a0oZ4U7X.exe, 00000000.00000002.2351989858.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: jProgram Manager
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\p3a0oZ4U7X.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
Source: p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe
Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 2 Process Injection | 24 Virtualization/Sandbox Evasion | OS Credential Dumping | 751 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Process Injection | LSASS Memory | 24 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 214 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Source | Detection | Scanner | Label
p3a0oZ4U7X.exe | 63% | ReversingLabs | Win32.Trojan.Amadey
p3a0oZ4U7X.exe | 65% | Virustotal |
p3a0oZ4U7X.exe | 100% | Avira | TR/Crypt.TPM.Gen
p3a0oZ4U7X.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
httpbin.org | 98.85.100.80 | true | false | | high
home.fivetk5ht.top | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://html4/loose.dtd | p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp | p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://httpbin.org/ipbefore | p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/http-cookies.html | p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv173457985135a1 | p3a0oZ4U7X.exe, 00000000.00000002.2352730805.000000000144E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851 | p3a0oZ4U7X.exe, 00000000.00000002.2352730805.000000000144E000.00000004.00000020.00020000.00000000.sdmp, p3a0oZ4U7X.exe, 00000000.00000002.2352730805.00000000014D1000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17 | p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.6.dr | false | | high
https://curl.se/docs/alt-svc.html | p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.css | p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.jpg | p3a0oZ4U7X.exe, 00000000.00000002.2350479654.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp, p3a0oZ4U7X.exe, 00000000.00000003.2194368580.0000000007186000.00000004.00001000.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
98.85.100.80 | httpbin.org | United States | 11351 | TWC-11351-NORTHEASTUS | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1579666
Start date and time:2024-12-23 07:17:33 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 19s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:p3a0oZ4U7X.exe
renamed because original name is a hash value
Original Sample Name:d2b6983ba17597222ebd82bffb6885ff.exe
Detection:MAL
Classification:mal100.evad.winEXE@2/5@14/1
EGA Information:
• Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.21, 13.107.246.63, 20.190.181.4, 20.223.35.26, 40.126.53.7, 150.171.27.10, 20.109.210.53
• Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
Time | Type | Description
01:18:35 | API Interceptor | 6x Sleep call for process: p3a0oZ4U7X.exe modified
01:18:43 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
98.85.100.80 | 3mwHWIPiSo.exe | malicious | Cryptbot
98.85.100.80 | QeM0UAj5PK.exe | malicious | Unknown
98.85.100.80 | GO33c8HVWG.exe | malicious | Clipboard Hijacker, Cryptbot
98.85.100.80 | 5JfTgoNUcB.exe | malicious | Clipboard Hijacker, Cryptbot
98.85.100.80 | 7XioudDqb8.exe | malicious | Clipboard Hijacker, Cryptbot
98.85.100.80 | gVMKOpATpQ.exe | malicious | Unknown
98.85.100.80 | 5wgTw8pA13.exe | malicious | Clipboard Hijacker, Cryptbot
98.85.100.80 | bwyUxrKbYN.exe | malicious | Clipboard Hijacker, Cryptbot
98.85.100.80 | jDSFvyBr1P.exe | malicious | Unknown
98.85.100.80 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | 3mwHWIPiSo.exe | malicious | Cryptbot | 98.85.100.80
httpbin.org | QeM0UAj5PK.exe | malicious | Unknown | 98.85.100.80
httpbin.org | GO33c8HVWG.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | 5JfTgoNUcB.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | 7XioudDqb8.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | gVMKOpATpQ.exe | malicious | Unknown | 98.85.100.80
httpbin.org | Yda6AxtlVP.exe | malicious | Unknown | 34.226.108.155
httpbin.org | 2OJYjm4J1B.exe | malicious | Unknown | 34.226.108.155
httpbin.org | ze38hsiGOb.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | 5wgTw8pA13.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
bg.microsoft.map.fastly.net | lKin1m7Pf2.lnk | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | fKdiT1D1dk.exe | malicious | RHADAMANTHYS | 199.232.214.172
bg.microsoft.map.fastly.net | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Support.Client.exe | malicious | ScreenConnect Tool | 199.232.214.172
bg.microsoft.map.fastly.net | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Rechnung736258.pdf.lnk | malicious | LummaC | 199.232.214.172
bg.microsoft.map.fastly.net | Company Information.pdf.lnk | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Navan - Itinerary.pdf.scr.exe | malicious | LummaC | 199.232.210.172
bg.microsoft.map.fastly.net | HX Design.exe | malicious | Python Stealer, Blank Grabber | 199.232.210.172
bg.microsoft.map.fastly.net | 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | malicious | AsyncRAT, DcRat | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TWC-11351-NORTHEASTUS | 3mwHWIPiSo.exe | malicious | Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | QeM0UAj5PK.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | GO33c8HVWG.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | 5JfTgoNUcB.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | 7XioudDqb8.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | gVMKOpATpQ.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | 5wgTw8pA13.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | bwyUxrKbYN.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | jDSFvyBr1P.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | sh4.nn.elf | malicious | Mirai, Okiru | 67.253.209.186
                                                      No context
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9433628716828892
Encrypted:false
SSDEEP:192:vjDfG7I0BU/gju0ZrPMtwzuiFZZ24IO8bU:rTyjBU/gj5zuiFZY4IO8b
MD5:2D4592FA4A648B6150FF321261747C56
SHA1:E43BA88F49D3D028DFCDDB80F49031CC12D2F966
SHA-256:567016E62B407FD4E57E990F2A78FD507134BB7333AA0D814A57475CA4B80819
SHA-512:2EFE5290D4D17D3F749BA7FD41C897D9DA42E51206B42C907ED980A1D2F581C003EF543864194F0D5D43EEDBE5AD7E3753BE3B0E764EF6553C502AA8DC70ABFC
Malicious:true
Reputation:low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.0.8.3.1.7.6.2.1.3.6.5.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.0.8.3.1.8.9.6.5.1.6.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.c.0.2.9.a.5.-.8.6.2.8.-.4.2.3.7.-.9.0.5.7.-.2.4.7.c.8.d.6.d.e.1.4.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.1.4.d.4.c.0.2.-.7.f.e.e.-.4.d.a.1.-.8.b.6.d.-.e.b.e.c.4.c.7.c.c.9.8.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.3.a.0.o.Z.4.U.7.X...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.d.0.-.0.0.0.1.-.0.0.1.5.-.e.1.7.c.-.7.a.7.b.0.2.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.5.4.0.c.8.a.b.4.d.e.a.1.a.f.d.a.1.5.7.4.8.2.0.1.d.2.4.c.c.2.0.0.0.0.f.f.f.f.!.0.0.0.0.8.b.d.d.b.a.0.9.a.b.e.b.e.6.3.1.0.1.6.7.5.1.b.7.c.2.9.2.d.9.4.1.c.d.8.5.b.b.3.6.!.p.3.a.0.o.Z.4.U.7.X...e.x.e.....T.a.r.g.e.t.A.p.p.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Mon Dec 23 06:18:37 2024, 0x1205a4 type
Category:dropped
Size (bytes):209818
Entropy (8bit):1.4084519621672804
Encrypted:false
SSDEEP:768:DN3UuB4Eq214OKSDNLQSauEl7IZ/BOtc8gyfhC7qGG:hUuBlXNL09tc8gyp6q/
MD5:30C8F9D3F089080F802D693F46AF6AE0
SHA1:0315B04A2D9D12E8627B4EBF848AFD70FD9D8CEA
SHA-256:CEAEA4AB91392E55ABE67BF0ADC35DB36E49BF61AA54456E4B49D5FB61BA3A5D
SHA-512:3727F09DC5B07BEC0E74CDDB154F5C1055C4A484A88528712F29750AA0CB7F93F6957349412747E8089EDF011F99B74C030F06426DAEA1519D510015163A89CD
Malicious:false
Reputation:low
Preview:MDMP..a..... .........ig............D...........D...X............ ......4....z..........`.......8...........T...........H,..R........... !...........#..............................................................................eJ.......#......GenuineIntel............T.............ig.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8348
Entropy (8bit):3.698722650639417
Encrypted:false
SSDEEP:192:R6l7wVeJ9pT6PSCe6Y2DXSU9Gygmf8bMpro89boXsfaR4m:R6lXJ36P26Y6SU9Gygmf8bUocfa7
MD5:B2C1319EC00235EC3224600148F2CD63
SHA1:7647925786883A67F30D858D493E4A5DADADE026
SHA-256:C37A97C36E6EA83EF39446FBEFDBC00B71923EA2324011103CDAC2FE4677F275
SHA-512:277786A405E71EF56B1DB7B4D95E09EFCA71E0479E9928B1C5AC8746104832886736BA40B0F07A1CB9885802810D0E5C0B6385525DE1AAD95FEE75DE594FFAA0
Malicious:false
Reputation:low
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.0.4.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4594
Entropy (8bit):4.457970129848217
Encrypted:false
SSDEEP:48:cvIwWl8zsndJg77aI9daWpW8VYYYm8M4JQm5F+6P+q8GGS+zSeTd:uIjfn3I7fb7VwJQEPwS+zSGd
MD5:8872B58D3B3895DB93919CC5CC7DCBC8
SHA1:3807F5AAC463B1B0B326FDDA5204560038861948
SHA-256:95065E5CFFF4D674FC101E7D1316A367BF350EDC02A91FE2DA604692C9BE10F1
SHA-512:6F1F5A2C91E2706C879945719A332E4824D84138352A874A4A5685739FEDD559399E0D6C0E1647E1CB7E186256ACAF98207AEAA9B8E005ACC86F92ED6C0ABB3B
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643521" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
                                                      Category:dropped
                                                      Size (bytes):1835008
                                                      Entropy (8bit):4.468579053914327
                                                      Encrypted:false
                                                      SSDEEP:6144:ZzZfpi6ceLPx9skLmb0fIZWSP3aJG8nAgeiJRMMhA2zX4WABluuNqjDH5S:xZHtIZWOKnMM6bFp4j4
                                                      MD5:679027A53CADCA0092FDEE0A1D60B7F2
                                                      SHA1:19B141D9B9A3639E44B1C865888D7312D76297AB
                                                      SHA-256:546ED0E3E7D547F626317AEFFEC63F39AD5A841121C8948C41D0523CDCB2E026
                                                      SHA-512:77356A08DAEDD9FD3A3A62F184E0D5A322CB57D0D2C1F1482CCB1671AA88AE222791FE6E564CC1BCBDBE06E30C27B9A9FC414DF0CFC6327EBCAB761CC9765A94
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.K...U...............................................................................................................................................................................................................................................................................................................................................t..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                      Entropy (8bit):7.98330632143305
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • VXD Driver (31/22) 0.00%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:p3a0oZ4U7X.exe
                                                      File size:4'462'592 bytes
                                                      MD5:d2b6983ba17597222ebd82bffb6885ff
                                                      SHA1:8bddba09abebe631016751b7c292d941cd85bb36
                                                      SHA256:9f5fc1608cb64a1fb6d1f0259d45442eefa2de8aafa5fe26b7df35b12cbbcdf8
                                                      SHA512:d06a1e92cbe77bf935c9e1ff87a249d50f66ad6025e7c62073b2cd05fa795688e50243660bc45f76ae7c322e2872a7d248c1a079eeb81317a9249bfef45690f0
                                                      SSDEEP:98304:HA6zHZqBcfqs4biWvYXRNNSaZwrSFbooVC20ORIHN9:g6TFfgbieYtUAIHN9
                                                      TLSH:1926333CC8B0DCF1C512D339D670A63825A48A5AC6ED3774A0A38179D45BEBF6369C27
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...........pH...@.................................?.D...@... ............................
                                                      Icon Hash:00928e8e8686b000
                                                      Entrypoint:0x108d000
                                                      Entrypoint Section:.taggant
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                      DLL Characteristics:DYNAMIC_BASE
                                                      Time Stamp:0x67639809 [Thu Dec 19 03:50:33 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                      Instruction
                                                      jmp 00007F65CCE7FF9Ah
                                                      psadbw mm0, qword ptr [ebx+00h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      jmp 00007F65CCE81F95h
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x74705f         0x73          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x746000         0x1ac         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc8bd20         0x10          tlvpoemj
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xc8bcd0         0x18          tlvpoemj
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity       File Type             Entropy               Characteristics
(blank)   0x1000           0x745000      0x284c00  03ae98813ea495d04fa0b1e53f87b3a8  unknown   unknown               unknown               unknown               IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x746000         0x1ac         0x200     b1c5ae9fd333a31876db627799dcaac2  False     0.58203125            data                  4.514687990395279     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x747000         0x1000        0x200     e84636d45557e74dadd0f14f36394655  False     0.166015625           data                  1.1471680400846989    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(blank)   0x748000         0x38b000      0x200     3462d7898b8c89db3a064b28b59a2606  unknown   unknown               unknown               unknown               IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tlvpoemj  0xad3000         0x1b9000      0x1b9000  0f782881eac523e87cd2ac1099d70917  False     0.9943260832979025    data                  7.956360163422751     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rkzldfqv  0xc8c000         0x1000        0x400     9d12d8094775c2508951e3dcb7bf6586  False     0.8134765625          data                  6.247446516461207     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  0xc8d000         0x3000        0x2200    5489c778ddf8e01361741f1ed518ff39  False     0.006433823529411764  DOS executable (COM)  0.019571456231530684  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name         RVA       Size   Type                                    Language  Country  ZLIB Complexity
RT_MANIFEST  0xc8bd30  0x152  ASCII text, with CRLF line terminators                     0.6479289940828402
DLL           Import
kernel32.dll  lstrcpy
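The static tables above carry the pattern the report's signatures summarise: the entry point 0x108d000 (image base 0x400000 + RVA 0xc8d000) sits in .taggant rather than in a code section; tlvpoemj, rkzldfqv and .taggant are all mapped readable, writable and executable; tlvpoemj has an entropy of 7.96 and a ZLIB complexity of 0.99, which is what packed or encrypted data looks like; two sections have blank names; the section at 0x748000 has a virtual size of 0x38b000 backed by only 0x200 bytes of file data, the usual footprint of a region an unpacking stub fills at run time; and the whole import table is a single kernel32.dll!lstrcpy. The script below, an added example and not Joe Sandbox code, reproduces those section-level checks over a PE image using only the standard library. The standard-name lists, the entropy threshold and the unbacked-size ratio are assumptions; the image it analyses is constructed in memory for an offline run and is not this sample.

```python
"""Static section triage for a PE image, reproducing the section-level signals this report
lists: unprintable or non-standard section names, RWX sections, high-entropy packed data, an
executable section unbacked by file data, and an entry point outside a normal code section.
Added example, not Joe Sandbox code; the name lists and thresholds below are assumptions."""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",   # assumed
                     ".reloc", ".tls", ".pdata", ".xdata", ".CRT", "CODE", "DATA"}
CODE_SECTIONS = {".text", "CODE"}   # assumed: where a normal entry point lives
ENTROPY_PACKED = 7.0                # assumed threshold; 8-bit entropy peaks at 8.0
UNBACKED_RATIO = 16                 # assumed: vsize >= 16 x raw size => filled at run time


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte; 0.0 for empty input."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_sections(pe: bytes):
    """Return (entry_point_rva, sections) from a PE32/PE32+ image held in memory."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    file_hdr, opt_hdr = e_lfanew + 4, e_lfanew + 24
    _, num_sections, _, _, _, size_opt = struct.unpack_from("<HHIIIH", pe, file_hdr)
    entry_rva, = struct.unpack_from("<I", pe, opt_hdr + 16)      # AddressOfEntryPoint
    sections, pos = [], opt_hdr + size_opt                        # first IMAGE_SECTION_HEADER
    for _ in range(num_sections):
        raw_name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, pos)
        data = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": raw_name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "chars": chars, "entropy": shannon_entropy(data)})
        pos += 40
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    """Apply the checks; findings are (tag, section name) pairs."""
    entry_rva, sections = parse_sections(pe)
    findings, entry_section = [], None
    for s in sections:
        name = s["name"]
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = name
        if not name or any(not (0x20 < ord(c) < 0x7F) for c in name):
            findings.append(("unprintable-name", name))
        elif name not in STANDARD_SECTIONS:
            findings.append(("non-standard-name", name))
        if s["chars"] & RWX == RWX:
            findings.append(("rwx", name))
        if s["entropy"] > ENTROPY_PACKED:
            findings.append(("high-entropy", name))
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["vsize"] >= UNBACKED_RATIO * max(s["rawsize"], 1):
            findings.append(("unbacked-executable", name))
    if entry_section is None:
        findings.append(("entry-outside-sections", ""))
    elif entry_section not in CODE_SECTIONS:
        findings.append(("entry-outside-code", entry_section))
    return {"entry_rva": entry_rva, "entry_section": entry_section, "sections": sections, "findings": findings}


def build_test_pe(entry_rva: int, layout) -> bytes:
    """Constructed minimal PE32 image for an offline run (not a real sample).
    layout: (name bytes, virtual address, virtual size, raw data, characteristics) per section."""
    layout, file_align = list(layout), 0x200
    hdr_len = -(-(0x40 + 4 + 20 + 224 + 40 * len(layout)) // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)   # Magic, AddressOfEntryPoint, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<H14xI8xIII", opt, 0, 0x10B, entry_rva, 0x400000, 0x1000, file_align)
    headers, body, rawptr = b"", b"", hdr_len
    for name, va, vsize, data, chars in layout:
        rawsize = -(-len(data) // file_align) * file_align
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rawsize,
                               rawptr if rawsize else 0, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + headers).ljust(hdr_len, b"\0") + body


def demo() -> dict:
    """Layout modelled on this report: packed RWX sections, a blank name, entry point in .taggant."""
    return triage(build_test_pe(0x4000, [
        (b".text", 0x1000, 0x1000, b"\x55\x8b\xec" * 200, 0x60000020),
        (b".rsrc", 0x2000, 0x200, bytes(range(64)) * 4, 0x40000040),
        (b"tlvpoemj", 0x3000, 0x1000, bytes(range(256)) * 16, RWX | 0x40),
        (b".taggant", 0x4000, 0x1000, b"\xe9" + b"\0" * 0x1FF, RWX | 0x40),
        (b"\x01\x02\x03", 0x5000, 0x38B000, b"", RWX | 0x40)]))


if __name__ == "__main__":
    for tag, section in demo()["findings"]:
        print(f"{tag:24s}{section!r}")
```

The entry-point check uses the larger of virtual and raw size for the section span because a packed stub's section is routinely declared far larger in memory than on disk; the same mismatch is what the unbacked-executable rule keys on. To run it over a real file, pass `open(path, "rb").read()` to `triage` instead of the constructed image.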
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Dec 23, 2024 07:18:32.210582018 CET  49720        443        192.168.2.6   98.85.100.80
Dec 23, 2024 07:18:32.210640907 CET  443          49720      98.85.100.80  192.168.2.6
Dec 23, 2024 07:18:32.210716009 CET  49720        443        192.168.2.6   98.85.100.80
Dec 23, 2024 07:18:32.229002953 CET  49720        443        192.168.2.6   98.85.100.80
Dec 23, 2024 07:18:32.229039907 CET  443          49720      98.85.100.80  192.168.2.6
Dec 23, 2024 07:18:33.974776030 CET  443          49720      98.85.100.80  192.168.2.6
Dec 23, 2024 07:18:33.983369112 CET  49720        443        192.168.2.6   98.85.100.80
Dec 23, 2024 07:18:33.983406067 CET  443          49720      98.85.100.80  192.168.2.6
Dec 23, 2024 07:18:33.984663010 CET  443          49720      98.85.100.80  192.168.2.6
Dec 23, 2024 07:18:33.984731913 CET  49720        443        192.168.2.6   98.85.100.80
Dec 23, 2024 07:18:34.007879019 CET  49720        443        192.168.2.6   98.85.100.80
Dec 23, 2024 07:18:34.008071899 CET  443          49720      98.85.100.80  192.168.2.6
Dec 23, 2024 07:18:34.049578905 CET  49720        443        192.168.2.6   98.85.100.80
Dec 23, 2024 07:18:34.049617052 CET  443          49720      98.85.100.80  192.168.2.6
Dec 23, 2024 07:18:34.099520922 CET  49720        443        192.168.2.6   98.85.100.80
Dec 23, 2024 07:18:34.111408949 CET  49720        443        192.168.2.6   98.85.100.80
Dec 23, 2024 07:18:34.155339956 CET  443          49720      98.85.100.80  192.168.2.6
Dec 23, 2024 07:18:34.431889057 CET  443          49720      98.85.100.80  192.168.2.6
Dec 23, 2024 07:18:34.432579994 CET  443          49720      98.85.100.80  192.168.2.6
Dec 23, 2024 07:18:34.432648897 CET  49720        443        192.168.2.6   98.85.100.80
Dec 23, 2024 07:18:34.457423925 CET  49720        443        192.168.2.6   98.85.100.80
Dec 23, 2024 07:18:34.457444906 CET  443          49720      98.85.100.80  192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 23, 2024 07:18:32.068715096 CET  60054        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:32.068797112 CET  60054        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:32.208328009 CET  53           60054      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:32.208343983 CET  53           60054      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:35.376949072 CET  60436        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:35.377085924 CET  60436        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:35.807895899 CET  53           60436      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:35.951687098 CET  53           60436      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:36.177797079 CET  60437        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:36.177881956 CET  60437        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:36.316448927 CET  53           60437      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:36.316720009 CET  53           60437      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:36.550051928 CET  60438        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:36.550249100 CET  60438        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:36.689007998 CET  53           60438      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:36.689053059 CET  53           60438      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:37.006443024 CET  60439        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:37.006584883 CET  60439        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:37.145056963 CET  53           60439      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:37.145078897 CET  53           60439      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:37.325862885 CET  60440        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:37.325922012 CET  60440        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:37.465871096 CET  53           60440      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:37.465899944 CET  53           60440      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:37.659663916 CET  60441        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:37.659764051 CET  60441        53         192.168.2.6  1.1.1.1
Dec 23, 2024 07:18:37.799125910 CET  53           60441      1.1.1.1      192.168.2.6
Dec 23, 2024 07:18:37.799153090 CET  53           60441      1.1.1.1      192.168.2.6
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Dec 23, 2024 07:18:32.068715096 CET  192.168.2.6  1.1.1.1  0x7d9c    Standard query (0)  httpbin.org         A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:32.068797112 CET  192.168.2.6  1.1.1.1  0x4df0    Standard query (0)  httpbin.org         AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:35.376949072 CET  192.168.2.6  1.1.1.1  0x6517    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:35.377085924 CET  192.168.2.6  1.1.1.1  0x3cf4    Standard query (0)  home.fivetk5ht.top  AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:36.177797079 CET  192.168.2.6  1.1.1.1  0x5d34    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:36.177881956 CET  192.168.2.6  1.1.1.1  0x848     Standard query (0)  home.fivetk5ht.top  AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:36.550051928 CET  192.168.2.6  1.1.1.1  0xcd8e    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:36.550249100 CET  192.168.2.6  1.1.1.1  0xaad9    Standard query (0)  home.fivetk5ht.top  AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:37.006443024 CET  192.168.2.6  1.1.1.1  0x6a3b    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:37.006584883 CET  192.168.2.6  1.1.1.1  0x6178    Standard query (0)  home.fivetk5ht.top  AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:37.325862885 CET  192.168.2.6  1.1.1.1  0xdabe    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:37.325922012 CET  192.168.2.6  1.1.1.1  0xd948    Standard query (0)  home.fivetk5ht.top  AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:37.659663916 CET  192.168.2.6  1.1.1.1  0xaab9    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:37.659764051 CET  192.168.2.6  1.1.1.1  0x10f     Standard query (0)  home.fivetk5ht.top  AAAA (28)       IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                         CName  Address          Type            Class        DNS over HTTPS
Dec 23, 2024 07:18:32.208328009 CET  1.1.1.1    192.168.2.6  0x7d9c    No error (0)    httpbin.org                         98.85.100.80     A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:32.208328009 CET  1.1.1.1    192.168.2.6  0x7d9c    No error (0)    httpbin.org                         34.226.108.155   A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:35.807895899 CET  1.1.1.1    192.168.2.6  0x3cf4    Name error (3)  home.fivetk5ht.top           none   none             AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:35.951687098 CET  1.1.1.1    192.168.2.6  0x6517    Name error (3)  home.fivetk5ht.top           none   none             A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:36.316448927 CET  1.1.1.1    192.168.2.6  0x848     Name error (3)  home.fivetk5ht.top           none   none             AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:36.316720009 CET  1.1.1.1    192.168.2.6  0x5d34    Name error (3)  home.fivetk5ht.top           none   none             A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:36.689007998 CET  1.1.1.1    192.168.2.6  0xcd8e    Name error (3)  home.fivetk5ht.top           none   none             A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:36.689053059 CET  1.1.1.1    192.168.2.6  0xaad9    Name error (3)  home.fivetk5ht.top           none   none             AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:37.145056963 CET  1.1.1.1    192.168.2.6  0x6178    Name error (3)  home.fivetk5ht.top           none   none             AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:37.145078897 CET  1.1.1.1    192.168.2.6  0x6a3b    Name error (3)  home.fivetk5ht.top           none   none             A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:37.465871096 CET  1.1.1.1    192.168.2.6  0xd948    Name error (3)  home.fivetk5ht.top           none   none             AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:37.465899944 CET  1.1.1.1    192.168.2.6  0xdabe    Name error (3)  home.fivetk5ht.top           none   none             A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:18:37.799125910 CET  1.1.1.1    192.168.2.6  0x10f     Name error (3)  home.fivetk5ht.top           none   none             AAAA (28)       IN (0x0001)  false
Dec 23, 2024 07:18:37.799153090 CET  1.1.1.1    192.168.2.6  0xaab9    Name error (3)  home.fivetk5ht.top           none   none             A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:19:19.210280895 CET  1.1.1.1    192.168.2.6  0x192a    No error (0)    bg.microsoft.map.fastly.net         199.232.214.172  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:19:19.210280895 CET  1.1.1.1    192.168.2.6  0x192a    No error (0)    bg.microsoft.map.fastly.net         199.232.210.172  A (IP address)  IN (0x0001)  false
                                                      • httpbin.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49720        98.85.100.80    443               4304  C:\Users\user\Desktop\p3a0oZ4U7X.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 06:18:34 UTC  52                 OUT        GET /ip HTTP/1.1
                                                       Host: httpbin.org
                                                       Accept: */*
2024-12-23 06:18:34 UTC  224                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 23 Dec 2024 06:18:34 GMT
                                                       Content-Type: application/json
                                                       Content-Length: 31
                                                       Connection: close
                                                       Server: gunicorn/19.9.0
                                                       Access-Control-Allow-Origin: *
                                                       Access-Control-Allow-Credentials: true
2024-12-23 06:18:34 UTC  31                 IN         Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                       Data Ascii: { "origin": "8.46.123.189"}



                                                      Target ID:0
                                                      Start time:01:18:28
                                                      Start date:23/12/2024
                                                      Path:C:\Users\user\Desktop\p3a0oZ4U7X.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\p3a0oZ4U7X.exe"
                                                      Imagebase:0x6a0000
                                                      File size:4'462'592 bytes
                                                      MD5 hash:D2B6983BA17597222EBD82BFFB6885FF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:01:18:37
                                                      Start date:23/12/2024
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1124
                                                      Imagebase:0x70000
                                                      File size:483'680 bytes
                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:0.2%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:75
                                                        Total number of Limit Nodes:0
                                                        execution_graph 10720 6e702e2 10725 6e7030d 10720->10725 10726 6e70321 GetLogicalDrives 10725->10726 10728 6e7046a 10726->10728 10875 6e7006c 10876 6e7007f 10875->10876 10878 6e7008b 10875->10878 10883 6e70095 10876->10883 10879 6e70216 GetLogicalDrives 10878->10879 10880 6e70203 10879->10880 10881 6e7030d GetLogicalDrives 10880->10881 10882 6e7030b 10880->10882 10881->10880 10884 6e700ad 10883->10884 10885 6e70216 GetLogicalDrives 10884->10885 10886 6e70203 10885->10886 10887 6e7030d GetLogicalDrives 10886->10887 10888 6e7030b 10886->10888 10887->10886 10709 6ea0873 10710 6ea0817 Process32FirstW 10709->10710 10711 6ea0839 10709->10711 10710->10711 10937 6e701fa 10938 6e7020a 10937->10938 10939 6e7030d GetLogicalDrives 10938->10939 10940 6e7030b 10938->10940 10939->10938 10889 6e70057 10890 6e70024 10889->10890 10891 6e70061 10889->10891 10890->10889 10899 6e70045 10890->10899 10893 6e70095 GetLogicalDrives 10891->10893 10894 6e7008b 10893->10894 10895 6e70216 GetLogicalDrives 10894->10895 10896 6e70203 10895->10896 10897 6e7030d GetLogicalDrives 10896->10897 10898 6e7030b 10896->10898 10897->10896 10900 6e70061 10899->10900 10901 6e70095 GetLogicalDrives 10900->10901 10902 6e7008b 10901->10902 10903 6e70216 GetLogicalDrives 10902->10903 10904 6e70203 10903->10904 10905 6e7030d GetLogicalDrives 10904->10905 10906 6e7030b 10904->10906 10905->10904 10845 6e700d0 10846 6e700db 10845->10846 10851 6e70216 10846->10851 10852 6e70241 10851->10852 10853 6e7030d GetLogicalDrives 10852->10853 10854 6e7030b 10852->10854 10853->10852 10859 6ea04d3 10860 6ea04e3 Process32FirstW 10859->10860 10862 6ea0839 10860->10862 10863 6e700a2 10864 6e7008a 10863->10864 10864->10863 10865 6e70216 GetLogicalDrives 10864->10865 10866 6e70203 10865->10866 10867 6e7030d GetLogicalDrives 10866->10867 10868 6e7030b 10866->10868 10867->10866 10869 6e700b7 10870 6e700db 10869->10870 10871 6e70216 GetLogicalDrives 10870->10871 10872 6e70203 
10871->10872 10873 6e7030d GetLogicalDrives 10872->10873 10874 6e7030b 10872->10874 10873->10872 10907 6e70000 10909 6e70012 10907->10909 10908 6e70045 GetLogicalDrives 10908->10909 10909->10908 10910 6e70061 10909->10910 10911 6e70095 GetLogicalDrives 10910->10911 10912 6e7008b 10911->10912 10913 6e70216 GetLogicalDrives 10912->10913 10914 6e70203 10913->10914 10915 6e7030d GetLogicalDrives 10914->10915 10916 6e7030b 10914->10916 10915->10914 10837 6e7031f 10838 6e70337 GetLogicalDrives 10837->10838 10840 6e7046a 10838->10840
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 555fe98e14b56ad8c504d96e02101e5ce377d6a338e5aba8264758c29e0f5df7
                                                        • Instruction ID: 06efb3c61036f881e188d87976c2b6669ea07d7d84688db062dc01b87e3da819
                                                        • Opcode Fuzzy Hash: 555fe98e14b56ad8c504d96e02101e5ce377d6a338e5aba8264758c29e0f5df7
                                                        • Instruction Fuzzy Hash: B64125EB14D215BC72D2D5822B65AFB676EE1D6730732A827FC07D490AE3880B5D11B1

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: YaZX
                                                        • API String ID: 0-4222636603
                                                        • Opcode ID: 66d48b4322c49d4e651b2fe07e4922021aefb0f80344f580df6f1766cfc34a5f
                                                        • Instruction ID: ffea781639f9b2d0f962aa5ff8e51d50d4462c3fe9db8edd0445fdf61f0295b8
                                                        • Opcode Fuzzy Hash: 66d48b4322c49d4e651b2fe07e4922021aefb0f80344f580df6f1766cfc34a5f
                                                        • Instruction Fuzzy Hash: F2D1F1FB14C321BD7382C5456F24AFB676EE6C6738330942AF807CA642E3946E4951F0

                                                        Control-flow Graph

                                                        control_flow_graph 103 6ea04d3-6ea0815 135 6ea0817-6ea082a Process32FirstW 103->135 136 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 135->136
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 038779fbca84331be751b90b8e6b3ad3a1a11f6a4b1521e8d3e865758663fca8
                                                        • Instruction ID: 2f8f2a18dfac68d4d517fb22b1d8c6e241547a00b9a527df8b64619a54a90e26
                                                        • Opcode Fuzzy Hash: 038779fbca84331be751b90b8e6b3ad3a1a11f6a4b1521e8d3e865758663fca8
                                                        • Instruction Fuzzy Hash: E3D1E0FB24C321BD7382C5456F24AFB676EE6D6738730D42AF807CA642E3946E4951B0

                                                        Control-flow Graph

                                                        control_flow_graph 311 6ea04ed-6ea0815 341 6ea0817-6ea082a Process32FirstW 311->341 342 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 341->342
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 53f61992c22706645bc9ca087b378ad7c329608aa7dfbe5fa67c808ddda0a991
                                                        • Instruction ID: 3f0ff1fa9ae0e47e76df9bc214ceaf7fd223bf227a97ceb64576c2f5f0ae24d0
                                                        • Opcode Fuzzy Hash: 53f61992c22706645bc9ca087b378ad7c329608aa7dfbe5fa67c808ddda0a991
                                                        • Instruction Fuzzy Hash: 0ED1E0FB24C321BD7382C5456F24AFB676EE6C6738730942AF807CA641E3946E4951F0

                                                        Control-flow Graph

                                                        control_flow_graph 207 6ea04dd-6ea0815 239 6ea0817-6ea082a Process32FirstW 207->239 240 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 239->240
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 78d5695df57f7cd83dcb3e8308a0269cdf7850827203c10b6e9600b3cc8491a8
                                                        • Instruction ID: ada4302c9385bfb2a5e3415904febc9e88cc6e33bb85ee3afaad1b978c969db8
                                                        • Opcode Fuzzy Hash: 78d5695df57f7cd83dcb3e8308a0269cdf7850827203c10b6e9600b3cc8491a8
                                                        • Instruction Fuzzy Hash: 6ED1E0FB24C321BD7382C5456F24AFA676EE6C6738730942AF807CA642E3946E4955F0

                                                        Control-flow Graph

                                                        control_flow_graph 515 6ea0532-6ea0540 516 6ea056d-6ea0574 515->516 517 6ea0542-6ea0544 515->517 518 6ea0555-6ea0566 516->518 519 6ea0576 516->519 517->518 520 6ea0578-6ea0815 518->520 519->520 545 6ea0817-6ea082a Process32FirstW 520->545 546 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 545->546
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: YaZX
                                                        • API String ID: 0-4222636603
                                                        • Opcode ID: 73cc315d03a0d350c5464a2c7e7c980a0587127c6b016be0d0adbc1de972d198
                                                        • Instruction ID: 2f584adb25aba3da7fea8b2d9d01ec419dd462509a53a55451bc1f030c020207
                                                        • Opcode Fuzzy Hash: 73cc315d03a0d350c5464a2c7e7c980a0587127c6b016be0d0adbc1de972d198
                                                        • Instruction Fuzzy Hash: E7D1F2FB10C321BD7382C5456F24AFB67ADE6D6738730D42AF807DA641E3946E4951B0

                                                        Control-flow Graph

                                                        control_flow_graph 413 6ea0508-6ea0815 443 6ea0817-6ea082a Process32FirstW 413->443 444 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 443->444
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: e3668fe860ce07ee6e6a90de8547374d215a674c70da4b9e0cc7a83cff6f79e6
                                                        • Instruction ID: 400411114f60f4bc9322a543fd0e1f9338b0758c127996d41ce3ecc5e0af7377
                                                        • Opcode Fuzzy Hash: e3668fe860ce07ee6e6a90de8547374d215a674c70da4b9e0cc7a83cff6f79e6
                                                        • Instruction Fuzzy Hash: 28D1E1FB14C321BD7382C5456F14AFB676EE6C6738730D42AF807CA641E3A46E4951B0

                                                        Control-flow Graph

                                                        control_flow_graph 617 6ea0549-6ea0815 643 6ea0817-6ea082a Process32FirstW 617->643 644 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 643->644
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: ec72789b4d27c8599606dc9107642b5570a2225144995e2643099b0cee8edc84
                                                        • Instruction ID: 8890125e4ca5d2280ef25d6b69a8101d708a91311c3b15100ac545955164f09b
                                                        • Opcode Fuzzy Hash: ec72789b4d27c8599606dc9107642b5570a2225144995e2643099b0cee8edc84
                                                        • Instruction Fuzzy Hash: C8D1F1FB20C321BD7382C5456F14AFB676DE6C6738730D42AF807DA642E3A46E4951B0

                                                        Control-flow Graph

                                                        control_flow_graph 715 6ea059a-6ea0815 739 6ea0817-6ea082a Process32FirstW 715->739 740 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 739->740
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 63427109dc516194565295c0b649dbb6babaf26e342315473f9f2ff0f0db6f7e
                                                        • Instruction ID: 83e015336ccea0f0e1ed179af1ddbebfffd19d3e9f8bc24ea2029a0168ea0103
                                                        • Opcode Fuzzy Hash: 63427109dc516194565295c0b649dbb6babaf26e342315473f9f2ff0f0db6f7e
                                                        • Instruction Fuzzy Hash: 0DC1E0FB10C321BD7382C5456F14AFA676DE6D6338330D42AF807DA642E3A46E4955F0

                                                        Control-flow Graph

                                                        control_flow_graph 811 6ea062d-6ea0638 812 6ea063a-6ea063c 811->812 813 6ea05d3-6ea0628 811->813 815 6ea063e-6ea0815 812->815 813->815 835 6ea0817-6ea082a Process32FirstW 815->835 836 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 835->836
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: YaZX
                                                        • API String ID: 0-4222636603
                                                        • Opcode ID: f0cf5e688be55bb42e6e4a994d6b3c8ee0b29b8e5b7d114fb5e1f8026ff1fb45
                                                        • Instruction ID: 1f34dd56edcb5b10caad5324c43cfedd4c00042b46a862d03c450adfa3457a18
                                                        • Opcode Fuzzy Hash: f0cf5e688be55bb42e6e4a994d6b3c8ee0b29b8e5b7d114fb5e1f8026ff1fb45
                                                        • Instruction Fuzzy Hash: 92C1F2FB14C321BD7382C1456F14AFB676EE6D6738330942AF807DA642E3946E8955F0

                                                        Control-flow Graph

                                                        control_flow_graph 907 6ea05ca-6ea0815 929 6ea0817-6ea082a Process32FirstW 907->929 930 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 929->930
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 7e2561629e8847502dc14018e671909652a68e3f84f79c8dc064b72879319456
                                                        • Instruction ID: 804ebd2bd229294d1142e61e00f35377a4d7b4ec281aab2f16b3bdbba62cffc7
                                                        • Opcode Fuzzy Hash: 7e2561629e8847502dc14018e671909652a68e3f84f79c8dc064b72879319456
                                                        • Instruction Fuzzy Hash: 64C1FFFB14C321BD7382C1456F14AFA676EE6D6338330942AF807DA642E3A46E8951B0

                                                        Control-flow Graph

                                                        control_flow_graph 1001 6ea05ea-6ea05f0 1002 6ea0669-6ea0815 1001->1002 1003 6ea05f2-6ea05fa 1001->1003 1024 6ea0817-6ea082a Process32FirstW 1002->1024 1005 6ea05fc-6ea05ff 1003->1005 1006 6ea0601-6ea0668 1003->1006 1005->1006 1006->1002 1025 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 1024->1025
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: YaZX
                                                        • API String ID: 0-4222636603
                                                        • Opcode ID: 1b82310bbd213ffd833acad3e9e9595731d19eb636e1494ac21793f23a4d4837
                                                        • Instruction ID: a9349100d1632a8dbdc6e1a0cf96c2d290a54f9119f7130d9ddcba569172089c
                                                        • Opcode Fuzzy Hash: 1b82310bbd213ffd833acad3e9e9595731d19eb636e1494ac21793f23a4d4837
                                                        • Instruction Fuzzy Hash: 6AC1F1FB10C321BD7382C5456F64AFA676EE6D6338330946AF807CE641E3A46E8955F0

                                                        Control-flow Graph

                                                        control_flow_graph 1096 6ea0656-6ea0657 1097 6ea0659-6ea0664 1096->1097 1098 6ea0617-6ea064f 1096->1098 1099 6ea0666-6ea0815 1097->1099 1098->1099 1117 6ea0817-6ea082a Process32FirstW 1099->1117 1118 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 1117->1118
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: YaZX
                                                        • API String ID: 0-4222636603
                                                        • Opcode ID: f4c68301941ec278ac1a3dc1c96a3c9657ab8d9372cde60fa1a94c145e42483a
                                                        • Instruction ID: 90ffb80fdae210343c2fe8df3d80c41b5d6e7fb72ffb4ba8fbdcad9c7c46fb58
                                                        • Opcode Fuzzy Hash: f4c68301941ec278ac1a3dc1c96a3c9657ab8d9372cde60fa1a94c145e42483a
                                                        • Instruction Fuzzy Hash: 35C112FB10C321BD7382C5456F54AFA676DE6D6338330A42AF407CE641E3A46E8955F0

                                                        Control-flow Graph

                                                        control_flow_graph 1189 6ea067b-6ea0815 1204 6ea0817-6ea082a Process32FirstW 1189->1204 1205 6ea0839-6ea0ea4 call 6ea0926 call 6ea0e0d 1204->1205
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 27e84881da33b0930558b900ef7fcc37defb09180279ff7c4f54181e84b41c60
                                                        • Instruction ID: eec4bde0dcd73e343c1cf72e4a74a222eaeb77c821c1801640480cc07ded0a1e
                                                        • Opcode Fuzzy Hash: 27e84881da33b0930558b900ef7fcc37defb09180279ff7c4f54181e84b41c60
                                                        • Instruction Fuzzy Hash: D9B111FB10C321BD7382C5456F54AFA676EE6D6338330A42AF407DE641E3A46E4995F0

                                                        Control-flow Graph (graph rendering not extracted; executed / not executed node marking lost)
                                                        • 6ea06ce-6ea06d8 -> 6ea06da-6ea0716, 6ea072b
                                                        • 6ea06da-6ea0716 -> 6ea072d-6ea0815
                                                        • 6ea072b -> 6ea072d-6ea0815
                                                        • 6ea072d-6ea0815 -> 6ea0817-6ea082a (Process32FirstW)
                                                        • 6ea0817-6ea082a -> 6ea0839-6ea0ea4 (call 6ea0926, call 6ea0e0d)
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 7c1c9f3ba4b003033c8770c6114d34acd88501e83585ae5dcbc38ce2e0ad7090
                                                        • Instruction ID: bbcb9429494e0a4bb162305a4248feb613ae24cf2e02cbe2e999f988b233a72b
                                                        • Opcode Fuzzy Hash: 7c1c9f3ba4b003033c8770c6114d34acd88501e83585ae5dcbc38ce2e0ad7090
                                                        • Instruction Fuzzy Hash: 39B121FB20C321BD7382C5456F54AFA676EE6D6338330A42AF407CE642E3A46E4945F0

                                                        Control-flow Graph (graph rendering not extracted; executed / not executed node marking lost)
                                                        • 6ea06c4-6ea0815 -> 6ea0817-6ea082a (Process32FirstW)
                                                        • 6ea0817-6ea082a -> 6ea0839-6ea0ea4 (call 6ea0926, call 6ea0e0d)
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 700bfde0f588ae19c6d81bd38aa8788aff349ce37c86965e36d494ede534415a
                                                        • Instruction ID: aa47c879f65155a09fd13396dfd63afa1f885022b53dd0286cea1b0998a2a361
                                                        • Opcode Fuzzy Hash: 700bfde0f588ae19c6d81bd38aa8788aff349ce37c86965e36d494ede534415a
                                                        • Instruction Fuzzy Hash: 58A101FB20C321BD7382C1456F54AFA676EE6D6338730A42AF807DE641E3A46E4955F0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 9ef105f1d173b023ab115c922e594986477f4605b2d058a121419c2856da1f4a
                                                        • Instruction ID: 7f27d00def54b5f9a43484df81eaa9813cb889abbcd118a35625c58eb11ad44c
                                                        • Opcode Fuzzy Hash: 9ef105f1d173b023ab115c922e594986477f4605b2d058a121419c2856da1f4a
                                                        • Instruction Fuzzy Hash: F2A112FB10C321BE7382C1456F64AFA676EE6D6338730A426F40BDE641E3A46E4955F0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 06a1267d1f3f563bee08ae3b4e68600a860b6b600f79856bf52cc7946aca73a1
                                                        • Instruction ID: 64af2db8fade86d4bb3787dfed4a671c1570da7d34fbe64c1035cc9333cf1abb
                                                        • Opcode Fuzzy Hash: 06a1267d1f3f563bee08ae3b4e68600a860b6b600f79856bf52cc7946aca73a1
                                                        • Instruction Fuzzy Hash: 6CB125FB10C320BEB382C5456F54AFA676EE6D6338730946AF407DE241E3A46E4985F0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 5c5bd135bb0148a9651a00e92f7f939f6bd983a97ec6a031c84103052d7d721f
                                                        • Instruction ID: 361df182c718260f77859c23758f6e91c32ba9dfe815fbf04c2f5d7b26d7ca74
                                                        • Opcode Fuzzy Hash: 5c5bd135bb0148a9651a00e92f7f939f6bd983a97ec6a031c84103052d7d721f
                                                        • Instruction Fuzzy Hash: 1AA122FB10C321BD7382C1456F54AFAA76EE6D6338730A42AF807DE241E3A46E4955F0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: c420b01d2d72bb35a61970775f8f033148b48fc766a5e115f65fbc05ed2eb1d5
                                                        • Instruction ID: a96cf83d1d1699df8090488bf222574878d4e1f272f77e9578bf34131eea7d31
                                                        • Opcode Fuzzy Hash: c420b01d2d72bb35a61970775f8f033148b48fc766a5e115f65fbc05ed2eb1d5
                                                        • Instruction Fuzzy Hash: EFA112FB20C321BD7382C5456F54AFA676EE6D6338330A42AF40BDE201E3A46E4955F0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 1762be9358d86ee5219e2ce88e1277b8c166f85d8b4d6ded64bba6378d2c83ba
                                                        • Instruction ID: 228f582f339d4815cedf6737e46fbf9f6ea4563e596c6288238e5f8f4d5cd1f2
                                                        • Opcode Fuzzy Hash: 1762be9358d86ee5219e2ce88e1277b8c166f85d8b4d6ded64bba6378d2c83ba
                                                        • Instruction Fuzzy Hash: 26A102FB20C321BD7382C5456F54AFA676EE6D6338330A42AF40BDE201E3946E4955F0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: a823c4c1e4de5c1bf89063c7d6aa12d4c80be3be92e1e11be01ae84758919f51
                                                        • Instruction ID: ef5ec66d5d9e78407728d06620e396074ddeb79f334d0a8ce79058b2d1089953
                                                        • Opcode Fuzzy Hash: a823c4c1e4de5c1bf89063c7d6aa12d4c80be3be92e1e11be01ae84758919f51
                                                        • Instruction Fuzzy Hash: 0FA103FB20C321BE7382C5456F54AFAA76EE6D6338330A526F407DE601E3A46E4955F0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 39b63cfc35f194404d6d91dc13d3378363d1d1fd941ef30566c6befac902eb14
                                                        • Instruction ID: 92ff6d489b8b7754ec28bee744492520cdf847c0f2c5d88921814ed82405c8b2
                                                        • Opcode Fuzzy Hash: 39b63cfc35f194404d6d91dc13d3378363d1d1fd941ef30566c6befac902eb14
                                                        • Instruction Fuzzy Hash: 08A102FB10C321BD7382C5456B54AFA676EE6D6338730A42AF407DE241E3A46E4955F0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 8d496d59aa001455da9979a8fd58f47dbece9e70c9b7727bdee63f1a5937e1a1
                                                        • Instruction ID: 866f040cac23e7b09025c5a8a8f67424e5099dba3f946a9f732c60f253f92af7
                                                        • Opcode Fuzzy Hash: 8d496d59aa001455da9979a8fd58f47dbece9e70c9b7727bdee63f1a5937e1a1
                                                        • Instruction Fuzzy Hash: 019122FB10C320BE7382C5456F54AFAA76EE6D6338330A52AF40BDE601E3946E4955F0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: 1064e3e446cfc618df9f9cfadcc2a30e92ff8a0fb635d66a4205098f3186cc59
                                                        • Instruction ID: bf6e03099e6004d23af13939dba219fe8009d74c7f5f5b9c7b8373095995f63b
                                                        • Opcode Fuzzy Hash: 1064e3e446cfc618df9f9cfadcc2a30e92ff8a0fb635d66a4205098f3186cc59
                                                        • Instruction Fuzzy Hash: 8D9104FB10C321BE7382C5456F54AFAA7AEE6D6338330952AF40BDE601E3946E4955F0
                                                        APIs
                                                        • Process32FirstW.KERNEL32(-00000043,?,?,000085D1), ref: 06EA081C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355771351.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ea0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: FirstProcess32
                                                        • String ID: YaZX
                                                        • API String ID: 2623510744-4222636603
                                                        • Opcode ID: c28256f6ddec309f2616872c4d91ade4c0b5de4eb6163b784bce4d6a920aef43
                                                        • Instruction ID: a2271e0f367ba0bd0d35945ed47b7e9e38f914e779c835cfa092e86124811da5
                                                        • Opcode Fuzzy Hash: c28256f6ddec309f2616872c4d91ade4c0b5de4eb6163b784bce4d6a920aef43
                                                        • Instruction Fuzzy Hash: AC9134FB10C321BD7382C5456F54AFAA7ADE6D6338330A52AF40BDE601E3906E4941F0
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 06E7044E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355675005.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e70000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID:
                                                        • API String ID: 999431828-0
                                                        • Opcode ID: b2ae1a57ac25d6d705734f2f7a1fa57dbe0dcdb7d11652e88995765987c7932c
                                                        • Instruction ID: e1c3444cc845da73bfaf5859bd91763591f26fa3901db4ed7b8b2c40a803faff
                                                        • Opcode Fuzzy Hash: b2ae1a57ac25d6d705734f2f7a1fa57dbe0dcdb7d11652e88995765987c7932c
                                                        • Instruction Fuzzy Hash: 7A2179F650C342FFF7D181259E94EFB2B3DABB5324320A01AF812D6181F224454696F1
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 06E7044E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355675005.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e70000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID:
                                                        • API String ID: 999431828-0
                                                        • Opcode ID: 68fadb6a3625d1ad268767d1dd363577be87e8fb878e076c9edf6a506ca1604f
                                                        • Instruction ID: 2b5695a468a91bafd584bdc48826739fc1babcb70c03d469ea5459fbadd3a8ff
                                                        • Opcode Fuzzy Hash: 68fadb6a3625d1ad268767d1dd363577be87e8fb878e076c9edf6a506ca1604f
                                                        • Instruction Fuzzy Hash: BB1126EA11C312FEB3D0D1626B98EFB272EE6B6330370B116B417D9640F2584A8765F1
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 06E7044E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355675005.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e70000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID:
                                                        • API String ID: 999431828-0
                                                        • Opcode ID: 30cc8ff139fcc55f0fbd3351f44e34f9a723b0166781d212f0aa578bc1be5915
                                                        • Instruction ID: 81e6cfcfbe2a43089dd0c16ba23c67f3939e116dc89c2c0402176e43dc2c4eb0
                                                        • Opcode Fuzzy Hash: 30cc8ff139fcc55f0fbd3351f44e34f9a723b0166781d212f0aa578bc1be5915
                                                        • Instruction Fuzzy Hash: 092135FA60C341FEF7D08565AA84EFA2B29ABB5724320B01AF8129A140F364864756F0
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 06E7044E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355675005.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e70000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID:
                                                        • API String ID: 999431828-0
                                                        • Opcode ID: 0194ae7ccc8967e76e520473336d0b18d3b12de2a9f0a494ea942c394eea71ad
                                                        • Instruction ID: a15a7054c0edce61675ba1aba73ff9925ef0e9b2a04c0c7f2570a9b40ee94638
                                                        • Opcode Fuzzy Hash: 0194ae7ccc8967e76e520473336d0b18d3b12de2a9f0a494ea942c394eea71ad
                                                        • Instruction Fuzzy Hash: 1A1126EA11C312FEB3D0D1626B58EFB272EE6B5331330B116B417D9640F2584A8665F1
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 06E7044E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355675005.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e70000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID:
                                                        • API String ID: 999431828-0
                                                        • Opcode ID: 511a14d5e485f75684cabdd4d2d70bf2435e04b3c4067a93c3937fd4a74fbf70
                                                        • Instruction ID: 26670807f0139c4cf9eb35f0b5802f4f520b3fed9620e15ab255b0abe0f56df1
                                                        • Opcode Fuzzy Hash: 511a14d5e485f75684cabdd4d2d70bf2435e04b3c4067a93c3937fd4a74fbf70
                                                        • Instruction Fuzzy Hash: AF112BEA11C312FEB7D095626B58EF7172EB6B5330370B115B417E9640F258464765F0
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 06E7044E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355675005.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e70000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID:
                                                        • API String ID: 999431828-0
                                                        • Opcode ID: dc46ad9ac5422a50b03b6b91906f9b80b82157c0711fc4ac05f902151d3554c6
                                                        • Instruction ID: fc3664eb129dc8e009e5a274571f58be856eff41b851b2a290318bfc8bafb4a5
                                                        • Opcode Fuzzy Hash: dc46ad9ac5422a50b03b6b91906f9b80b82157c0711fc4ac05f902151d3554c6
                                                        • Instruction Fuzzy Hash: 8B115CE620C301FEF7D085616A98FF7276EABB5331720B016F413D9241F6584687A6F1
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 06E7044E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355675005.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e70000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID:
                                                        • API String ID: 999431828-0
                                                        • Opcode ID: d3a2d006ad25bd96b8ae8fe6efa5690b0d10e7fea9849de31b260a6fc1c37cb2
                                                        • Instruction ID: ad77c0066e1f6d282f795ec33d4e4b20ffd7ba05a29bf3911b778853b2a6a9db
                                                        • Opcode Fuzzy Hash: d3a2d006ad25bd96b8ae8fe6efa5690b0d10e7fea9849de31b260a6fc1c37cb2
                                                        • Instruction Fuzzy Hash: 9D118CEA21C311FEF3D195619A44EF72B6EABB5330320B016F423E9640F2584647A6E1
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 06E7044E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355675005.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e70000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID:
                                                        • API String ID: 999431828-0
                                                        • Opcode ID: 43957cd6db43fc22a17577f8596380107d56010ce19630b40f0e8a12be8e31f2
                                                        • Instruction ID: 7744248d6f720784408083d83b849153e28a7c1bba49e49b2d0d3e5d356aa157
                                                        • Opcode Fuzzy Hash: 43957cd6db43fc22a17577f8596380107d56010ce19630b40f0e8a12be8e31f2
                                                        • Instruction Fuzzy Hash: BB0168EA61C301FEF3D095619A84FFA276AABB4330330B015B423A9140F268868769F0
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 06E7044E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355675005.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e70000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID:
                                                        • API String ID: 999431828-0
                                                        • Opcode ID: 08cd466310d8db6a9bd9d2abb62adb91ede4ac00873cd717d0ce5bf742aeef54
                                                        • Instruction ID: 2d59b2d1f72b42e958c6ed6c9b1d83243531337793d06ebeada3fb214d91d51e
                                                        • Opcode Fuzzy Hash: 08cd466310d8db6a9bd9d2abb62adb91ede4ac00873cd717d0ce5bf742aeef54
                                                        • Instruction Fuzzy Hash: 27014CE621C305EDF3D09561AA90BFB277EA7B5320760F011F513E5540F2644587A6F0
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 06E7044E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355675005.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e70000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID:
                                                        • API String ID: 999431828-0
                                                        • Opcode ID: 8329d95008b65f13955cdeed3926187ebf93c9a4f708450c741defa6b86f3420
                                                        • Instruction ID: 3ae9b0d5073d83c3183f1b7ef759abbded875d6350407828771cf1fce810fad8
                                                        • Opcode Fuzzy Hash: 8329d95008b65f13955cdeed3926187ebf93c9a4f708450c741defa6b86f3420
                                                        • Instruction Fuzzy Hash: 6A017BF221830AEEE3C09E715D80EFA3779BAB4324721A138F42296444F3249543DAE1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: da645f8bdba0afbae7a8bce661c37f28d661ea27f031d41040bdc6b948b72400
                                                        • Instruction ID: f00cc6eda0ca652f751abf12e828002bbb40891a8565fd6dc6781cfc8b4d099d
                                                        • Opcode Fuzzy Hash: da645f8bdba0afbae7a8bce661c37f28d661ea27f031d41040bdc6b948b72400
                                                        • Instruction Fuzzy Hash: 8191CFFB00D315BDF38295816B54BFA67ADE7D6330F32A426FC03D5506E3A80A8A55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c8530a3659845365b621414502ca6d9ebad06f5d5360301f9bddb16720559889
                                                        • Instruction ID: aabe03f5dbd442178e7c43ab2be3b8c5a32011a39890314bf37a8b9debbe3799
                                                        • Opcode Fuzzy Hash: c8530a3659845365b621414502ca6d9ebad06f5d5360301f9bddb16720559889
                                                        • Instruction Fuzzy Hash: 8E81ABFB00D315BDB3C281816B54BFA676DE7D6730B32A426FC07E5506E3A80A8955B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bb0cc5e824a8550d6113777fbe9bc0759dd848f010d929ccd667df46063ea499
                                                        • Instruction ID: 24a462053cad6d9ffcf6ba82e57b36c116737d58127738b1a96073455d7cab90
                                                        • Opcode Fuzzy Hash: bb0cc5e824a8550d6113777fbe9bc0759dd848f010d929ccd667df46063ea499
                                                        • Instruction Fuzzy Hash: A281F0FB00D301BDB3C2C1816B14AFAA76DE6C6730B32A427FC03E5506E3980A4D55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d842711234eb8461f927d85301d19ce36990e778815b02620a55ebe28282d83a
                                                        • Instruction ID: f19d61f2d7dec53c9befeaa053247ce889211e8b4545a3e42db29ae911c11e79
                                                        • Opcode Fuzzy Hash: d842711234eb8461f927d85301d19ce36990e778815b02620a55ebe28282d83a
                                                        • Instruction Fuzzy Hash: 6981ACFB00D315BDB3C291816B54BFA676DE7D6730B32A426FC07E5506E3D80A8915B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 455a690c915474ddd5fd18c1dea72eefdf93ac0c66ac8cfe332cd46d81929aac
                                                        • Instruction ID: 20316e50931b7af08248884683995636852f4f27d697c0ae01b3db51790b3dbf
                                                        • Opcode Fuzzy Hash: 455a690c915474ddd5fd18c1dea72eefdf93ac0c66ac8cfe332cd46d81929aac
                                                        • Instruction Fuzzy Hash: CC81BCFB00C315BDB3C291826B54BFA676DE6D6730B32A426FC07E5506E3980A8D15B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d8c7cb41f80bdfc4fc43653df5b52f94a625eaa6ce22f6644e808c733dfe158a
                                                        • Instruction ID: 4fcf339cedc539e5607254be0fa3ab41f5022a3145d77fac0e320b2896e73b96
                                                        • Opcode Fuzzy Hash: d8c7cb41f80bdfc4fc43653df5b52f94a625eaa6ce22f6644e808c733dfe158a
                                                        • Instruction Fuzzy Hash: 8281DDFB00D311BCB3C2C5826B14AFA676DE2D6730B32E426FC07D5506E3980A4D15B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c2b0b469dcf91643d54c2879122c9b0819679ab0f7939be6801ad345420e5b77
                                                        • Instruction ID: a23e5deb423b086643694fb09278205b88b39c573f0cd605463fd4d62452db17
                                                        • Opcode Fuzzy Hash: c2b0b469dcf91643d54c2879122c9b0819679ab0f7939be6801ad345420e5b77
                                                        • Instruction Fuzzy Hash: 1D81EDFB00D211BDB3C2D5826B54AFA6B6EE6C6730B32A427FC07D5506E3980B4E51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fd3debb637d0395a3e1a651bead140da3fad3d905014d5091fa78a521a985606
                                                        • Instruction ID: 477b781245109340acc82eaf2ff3dbd5a0c93f5ef6ad4b873a052bf218943320
                                                        • Opcode Fuzzy Hash: fd3debb637d0395a3e1a651bead140da3fad3d905014d5091fa78a521a985606
                                                        • Instruction Fuzzy Hash: EC81BDFB04D315BDB3C2D1826B14AFA676DE6D6730B32A427FC07D5506E3A80A4E15B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8960cff1915588b764a363eae43bb7aadc6a4688b4960b56b4ea7e29c24bd20f
                                                        • Instruction ID: 4f2bba0495424143f5a559a2bd061f7857154636957cab1840d8ac0ae50180a3
                                                        • Opcode Fuzzy Hash: 8960cff1915588b764a363eae43bb7aadc6a4688b4960b56b4ea7e29c24bd20f
                                                        • Instruction Fuzzy Hash: B781DEFB04C214BDB3C2C5816B64AFA676EE6D6730B32A427FC07D5506E3980B4E55B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5388c688a1a494de9b8a236520965fdb72e49d6e7becf213768522a1e943ea5f
                                                        • Instruction ID: acca2e89a771d68d6914d994d2cacf8e4b58645a777df8df399f9c47c99b99f2
                                                        • Opcode Fuzzy Hash: 5388c688a1a494de9b8a236520965fdb72e49d6e7becf213768522a1e943ea5f
                                                        • Instruction Fuzzy Hash: 4471CDFB04D214BCB3C2D5826B54AFA676EE2D6730B32A427FC07D5506E3980A4D15B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d30f442d0692c6b0a3cbd77e4cb7a668e259b2ca2bb8c89bc9fb3b1d0d455dba
                                                        • Instruction ID: 189896de6bf9d05e67c155b7559a8e60965ad9f92264ecafa1fc041a91b3a158
                                                        • Opcode Fuzzy Hash: d30f442d0692c6b0a3cbd77e4cb7a668e259b2ca2bb8c89bc9fb3b1d0d455dba
                                                        • Instruction Fuzzy Hash: B2719AEB04D214BCB3C291822B64EFAA76EE1D6730732A427FC07D5606E3980B4E11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 17fb8315111cbda59f6401d3bd14f4e6dc07f44ebb850745fa41679d919d2c44
                                                        • Instruction ID: af437f219020cc705cdbd739586e655ba2b1225b2a625f087f69dded7ac609fc
                                                        • Opcode Fuzzy Hash: 17fb8315111cbda59f6401d3bd14f4e6dc07f44ebb850745fa41679d919d2c44
                                                        • Instruction Fuzzy Hash: F571CEEB04D214BCB382C5426B64EFB676EE5D7730732A826FC07D6606E3980B4E51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6d0825ee45902e393b8308c899de24edb6e769d20c1d78b97336057db70534b8
                                                        • Instruction ID: 695f3d2b297b5093bc765faa7cf0c418eb5257e9002dfee184380e3897c25234
                                                        • Opcode Fuzzy Hash: 6d0825ee45902e393b8308c899de24edb6e769d20c1d78b97336057db70534b8
                                                        • Instruction Fuzzy Hash: E971CCFB04D215BCB3C2D5822B64AFBA76EE2D6730732A426FC07D5606E3980B4D11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ea8a9dddfd87c2a0bd55aa3e5b16ff2fad026249d6ecd5b91aaada02976812db
                                                        • Instruction ID: c26a74c142d5052ed8687ef948b398bafc7fc38f4d7b3687c3c16ad8373f23ad
                                                        • Opcode Fuzzy Hash: ea8a9dddfd87c2a0bd55aa3e5b16ff2fad026249d6ecd5b91aaada02976812db
                                                        • Instruction Fuzzy Hash: D0617AEB14D215BCB3C295826B64EFBA76EE2D6730732A427FC07D5606E3980B4D11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: afb3e49c922d6b33f7589f6e428ee8aef7ecc5e98f63bd25c06c0b0d7103b237
                                                        • Instruction ID: bd9e02242d542c5008551af3174f8fe11a04947215d4e70a30ccae083890b523
                                                        • Opcode Fuzzy Hash: afb3e49c922d6b33f7589f6e428ee8aef7ecc5e98f63bd25c06c0b0d7103b237
                                                        • Instruction Fuzzy Hash: C16166EB14D215BC73C295822B64EFBA76EE1D6730732A427FC07D5606E3980A4E11B2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0ff5babb1afa538ec946c2328fb411a690c0c61d60c2f39095fdce80cc5a3019
                                                        • Instruction ID: f488201048f37a2cc8dad2d48ccc64bb2467ffda5b387a3b5907027f2cf60f6b
                                                        • Opcode Fuzzy Hash: 0ff5babb1afa538ec946c2328fb411a690c0c61d60c2f39095fdce80cc5a3019
                                                        • Instruction Fuzzy Hash: A65179EB14D215BC73D2C5822B64EFBA76EE5D6730732A427FC07D5606E3980A4E11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cc61ae31b47f798d935886d9f459cce305d149386675e211abc0446f8337b830
                                                        • Instruction ID: bf67f87fb34a565f7d6e44a1fae0a1fe90c932435c37fc5861f458ed7e17076a
                                                        • Opcode Fuzzy Hash: cc61ae31b47f798d935886d9f459cce305d149386675e211abc0446f8337b830
                                                        • Instruction Fuzzy Hash: 8A5188EB04D215BC73C295822B64EFBA76EE1D7730732A426FC07E5A06E3980B4D51B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b6ca157d49d415d807974c51a52cfbb1729f970569198e946b2a3f4d0744800f
                                                        • Instruction ID: 0f892197ac6f87635c6227d05f53ab70649cea13ca5c1730f0c8fdb28000f5ea
                                                        • Opcode Fuzzy Hash: b6ca157d49d415d807974c51a52cfbb1729f970569198e946b2a3f4d0744800f
                                                        • Instruction Fuzzy Hash: 115178EB14D215BC73C2D5826B64EFBA76EE1D7730732A426FC07D560AE3980A4E11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1bd5f2857d25ef8d49abe27823930b0bdd8faa06a76bcfe87329fdf6448ba353
                                                        • Instruction ID: af6e0a1c07c43e4ea1f21a4a26363e52abaf892acc8b7fb51d5e26327ad11797
                                                        • Opcode Fuzzy Hash: 1bd5f2857d25ef8d49abe27823930b0bdd8faa06a76bcfe87329fdf6448ba353
                                                        • Instruction Fuzzy Hash: 7D5177EB14D215BC73D2C5822B64AFBA76EE5D7730732A426FC07D560AE3980B4E11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9ba93781a9f71cf6fb993e770621412573b352b3caf8102321a776f88a132162
                                                        • Instruction ID: d599e982f57a41d2a4343ba876486e11aad5619ea560d82f12b9fcc2609cdbd3
                                                        • Opcode Fuzzy Hash: 9ba93781a9f71cf6fb993e770621412573b352b3caf8102321a776f88a132162
                                                        • Instruction Fuzzy Hash: BA516AEB14D215BC73D2D5822B64EFBA76EE1D6730732A426FC07D560AE3980B4E11B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4e559d4c43b612ff3a2d6cfa98c632c9d8b024bde51ac4b00dc304be27fa2e27
                                                        • Instruction ID: 98921c27e04224b2a84e40d87fe15335cf5c07725e5a416f866959d67a644c31
                                                        • Opcode Fuzzy Hash: 4e559d4c43b612ff3a2d6cfa98c632c9d8b024bde51ac4b00dc304be27fa2e27
                                                        • Instruction Fuzzy Hash: C21189FB10C204BDB3C1D5426F21AFA636DD2DA730732A816FC07DA105E3A80E8A41B5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2aa0a254b5c32a2198a69abaa533653d4e726c78c0e73b9a8c8ee952695788db
                                                        • Instruction ID: cf55e40c272f5c72edca25eb6d235a4c428e17561e7d994bc1d741077a8f5bec
                                                        • Opcode Fuzzy Hash: 2aa0a254b5c32a2198a69abaa533653d4e726c78c0e73b9a8c8ee952695788db
                                                        • Instruction Fuzzy Hash: 8121FAFB00C219BCB3C2D5816F11AFA672DD2CB330732A82BFC06DA445E3940E4A42B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355938891.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ef0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e2420aad2e4dd947ff4b1e61845f560806b44cc14e3393017f22c4d0a4f4312d
                                                        • Instruction ID: bba9f0ace5ff67e6f1ddb99275203d6b501572487444b0a2281577b9ab071161
                                                        • Opcode Fuzzy Hash: e2420aad2e4dd947ff4b1e61845f560806b44cc14e3393017f22c4d0a4f4312d
                                                        • Instruction Fuzzy Hash: 31113CEB25C1207EB282C7852F24FF7676EE6D2B30B30D82BF906D5447D2990A5E6071
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 11e9b661039404727c30a3ee3958162971c5f51f232575a1cda8a6114db549f0
                                                        • Instruction ID: 0c825fd75e92895310da449f1f4370c60c638317d6978cad6aa652c86e14bb6c
                                                        • Opcode Fuzzy Hash: 11e9b661039404727c30a3ee3958162971c5f51f232575a1cda8a6114db549f0
                                                        • Instruction Fuzzy Hash: 9811ACFB10D204BDB3C2D5826F55AFA276DD6CB330732945BFC06DA445E3950E8A41B6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 720eab5f17af511a86c4e8605883847207cdc581f7a534e1fd9899ec0ed13537
                                                        • Instruction ID: 6c199c6629407600316d7caa4b14df6d0b6c82c34e2320bbb4a7233f4b8230ce
                                                        • Opcode Fuzzy Hash: 720eab5f17af511a86c4e8605883847207cdc581f7a534e1fd9899ec0ed13537
                                                        • Instruction Fuzzy Hash: AD118EFB108215BDB7C1D582AB65BFA136DD2CB330732A817FC0AD9505E3984E8A41B5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b525063f1b56f84c3a0dd7f28d076207101f9600a96ebd0669ea1f3674a3c4b6
                                                        • Instruction ID: 59b2b379bfc70ea60cdb5d32408a4fac97e299eb7d561845b258bb72fda5d8a0
                                                        • Opcode Fuzzy Hash: b525063f1b56f84c3a0dd7f28d076207101f9600a96ebd0669ea1f3674a3c4b6
                                                        • Instruction Fuzzy Hash: 1F0157FB10D209BDB381D582AF15BFA676DD2CA730732A817FC06D9404E3984E9A01B5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355938891.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ef0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c0a6b364658286e70546a22bf065362d4dc6d2a2958672992f847a68e67459a2
                                                        • Instruction ID: cced2087d2419abe5b5873e8f22043b98fa68ac4196911e3cc5c16cf70a1a25a
                                                        • Opcode Fuzzy Hash: c0a6b364658286e70546a22bf065362d4dc6d2a2958672992f847a68e67459a2
                                                        • Instruction Fuzzy Hash: 4A01D6EB25C1107EB64286952F28EFB673EE2C2734B30D82BF906C0406D2950A9E6171
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355938891.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ef0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c86836e67041f8bd41863599d0378bae674b116f840a4b1817c54afc99a6a9af
                                                        • Instruction ID: b06b3139091b8fed915af5e7ced097cf68eff5dc83cdf7a84e53e2980451c52f
                                                        • Opcode Fuzzy Hash: c86836e67041f8bd41863599d0378bae674b116f840a4b1817c54afc99a6a9af
                                                        • Instruction Fuzzy Hash: C2F0A4EB25D2547EB242C2813F24EFB672DD2C5734B71982BF906D1806D2890A8D6072
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355938891.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ef0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 162645ce80b85338e6badc4761218d0aa9ac65058e01bd63d02e9682163cf6c0
                                                        • Instruction ID: 06ffde2ea991f29865eea87368224fab16f6b861359e29b90eb9bbba7aa75111
                                                        • Opcode Fuzzy Hash: 162645ce80b85338e6badc4761218d0aa9ac65058e01bd63d02e9682163cf6c0
                                                        • Instruction Fuzzy Hash: 6101B2FF25C2107EB246C6813F24EFBA76DE6D5B34730D82BF906D1406D2990A9E6076
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355938891.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ef0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4832713589b930e0040f2568a1bf187cf7463327d6ee7b05a4f2b9ae886edc96
                                                        • Instruction ID: 7a1541d28205157126a43039816d8d816b441f83a9e322868c8085ad9104ae88
                                                        • Opcode Fuzzy Hash: 4832713589b930e0040f2568a1bf187cf7463327d6ee7b05a4f2b9ae886edc96
                                                        • Instruction Fuzzy Hash: EBF074EB25C2207DB242C2813F28EFB672DE2D5B34771D82BF906D0406E2890A4E6072
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355938891.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ef0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 76735a9366c30ca62617129fcee940a828ffdc7720f773cd09063f94783af9c5
                                                        • Instruction ID: 2c24a754077bb7fc67fff6de05d74b266a81a301665b528f29e4bddeaaf7a0d5
                                                        • Opcode Fuzzy Hash: 76735a9366c30ca62617129fcee940a828ffdc7720f773cd09063f94783af9c5
                                                        • Instruction Fuzzy Hash: 9CF012EF5996143E729293913F39AF7A72DD2C2B34730D42BF942E5447E2C50A4E5071
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e50000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1657ffd168d180eab68eb1ee70d998a06bd3178ed93e0285c3d68138b87f6418
                                                        • Instruction ID: 94132c70c4240c02ef0f9e0e39a7cd4178ded8dcb08a7ec2dd9fbef9332261ac
                                                        • Opcode Fuzzy Hash: 1657ffd168d180eab68eb1ee70d998a06bd3178ed93e0285c3d68138b87f6418
                                                        • Instruction Fuzzy Hash: 8AF08CFA10C209ADB381D5826B11BFA236DD2CA320B72A807FC07DD504D3980E9A41B9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355938891.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ef0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c526a58ea6be2e766456249002718d13423232350affcf55fdd84651e6aeb1ab
                                                        • Instruction ID: 71fabad78f45d86e1df042bae50fad73fd45cc411144a3431ba5cee65655699f
                                                        • Opcode Fuzzy Hash: c526a58ea6be2e766456249002718d13423232350affcf55fdd84651e6aeb1ab
                                                        • Instruction Fuzzy Hash: A6E04FAB14D2046DF292D7913F28AFAA73CE2C63387349437F551D5442E2C50B5F5172
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355938891.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ef0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0ba5711c68817552249e2cdd5a7cbe07481e7fe3ddcd6bd123197dad2984592f
                                                        • Instruction ID: 68c040a175c5ed26548f2aa6415d2d0ebe60772001b8e247c13babe44783d8b2
                                                        • Opcode Fuzzy Hash: 0ba5711c68817552249e2cdd5a7cbe07481e7fe3ddcd6bd123197dad2984592f
                                                        • Instruction Fuzzy Hash: 655176F7528350BFB3C297915B34AF67B6EE7C6730730942AF603DA143EA950A4940E0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2355938891.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6ef0000_p3a0oZ4U7X.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e43d7fe07a5c23934f5c496cf36e508d1fab28f567e1b48af11b3a23f41692b8
                                                        • Instruction ID: ed841fd8f7969edb92e316bb5cf226e727d3c6048c509e5c7e11c3fef90920d3
                                                        • Opcode Fuzzy Hash: e43d7fe07a5c23934f5c496cf36e508d1fab28f567e1b48af11b3a23f41692b8
                                                        • Instruction Fuzzy Hash: ECE065E711C2917E7241C5823B64AF62B2EE4D3671336D8BAF602C4443E28A0E8E8032
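The records above are the report's per-function fingerprints for two memory dumps that are not backed by a PE image (bases 06E50000 and 06EF0000). A section like this runs to hundreds of near-identical entries, so the practical question is how many distinct functions each region holds and what kind of memory it is. The following Python is an added example, not Joe Sandbox or Joe Sandbox IDA Plugin code: it parses records in this layout, deduplicates functions by Opcode ID per region, and decodes the dotted fields of the `.sdmp` file name. The field order (base address, then Protect, State and Type from MEMORY_BASIC_INFORMATION) is an assumption that fits the values seen here but is not documented on the page. The sample input is excerpted from the records above with the unused lines (Snapshot File, Similarity, empty ID fields) omitted.

```python
import re
from collections import defaultdict

# Windows memory constants (winnt.h) used to decode the dump file name.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SOURCE_RE = re.compile(
    r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
OPCODE_RE = re.compile(r"Opcode ID:\s*([0-9a-f]{64})")
INSN_RE = re.compile(r"Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)")

# Constructed input: four records excerpted from the report above, unused lines dropped.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
• Opcode ID: bdb442983f86685fdfc5c622e52a38ea7e3913a466d246f80a5bf9b02217f0e4
• Instruction Fuzzy Hash: 322124EB10C214BCB2D295426B65AFA636DD1CA730732E81BFC07D9509E3980E8A11B5
Memory Dump Source
• Source File: 00000000.00000002.2355938891.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
• Opcode ID: 9b6cd68a2eab2e38a0a74f21fb34848818fa38956433565538085dd6ba60a51a
• Instruction Fuzzy Hash: 60214DEB19C2107EF282C6952F24FF66B2EE3D2B34B309827F906D5547E2D90A4D51B1
Memory Dump Source
• Source File: 00000000.00000002.2355938891.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
• Opcode ID: 92f45cf8cfbfc5bd1da98d6cbc0ec2b6215ce0f602780e44d29e5854095f8a19
• Instruction Fuzzy Hash: B0112BEB2982107EF28286852F24FF7676EE3D2B30B30D826F906D5446E2D50A4D60B1
Memory Dump Source
• Source File: 00000000.00000002.2355578470.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
• Opcode ID: 4e559d4c43b612ff3a2d6cfa98c632c9d8b024bde51ac4b00dc304be27fa2e27
• Instruction Fuzzy Hash: C21189FB10C204BDB3C1D5426F21AFA636DD2DA730732A816FC07DA105E3A80E8A41B5
"""


def decode_sdmp_name(name):
    """Decode the dotted fields of a .sdmp file name.

    Assumption (not stated on the page): field 4 is the region base address and
    fields 5, 6 and 7 are the MEMORY_BASIC_INFORMATION Protect, State and Type
    values. The values seen here (0x40, 0x1000, 0x20000) fit that reading.
    """
    fields = name.rsplit(".sdmp", 1)[0].split(".")
    if len(fields) < 7:
        raise ValueError(f"unexpected sdmp name: {name}")
    protect, state, mtype = (int(fields[i], 16) for i in (4, 5, 6))
    return {
        "base": int(fields[3], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "state": MEM_STATE.get(state, hex(state)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        # Private RWX memory is where unpacked or self-modifying code normally lives.
        "rwx_private": (protect & 0xFF) == 0x40 and mtype == 0x20000,
    }


def parse_records(text):
    """Split on 'Memory Dump Source' headers; return one dict per function record."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        src = SOURCE_RE.search(chunk)
        op = OPCODE_RE.search(chunk)
        if not (src and op):
            continue  # incomplete record: skip rather than guess
        insn = INSN_RE.search(chunk)
        records.append({
            "dump": src.group(1),
            "offset": int(src.group(2), 16),
            "based_on_pe": src.group(3) == "true",
            "opcode_id": op.group(1),
            "insn_fuzzy": insn.group(1) if insn else None,
        })
    return records


def summarize_by_region(records):
    """Per region (by Offset): distinct Opcode ID count plus decoded page attributes."""
    summary = {}
    funcs = defaultdict(set)
    for r in records:
        key = f"{r['offset']:08X}"
        funcs[key].add(r["opcode_id"])
        if key not in summary:
            summary[key] = {"based_on_pe": r["based_on_pe"], **decode_sdmp_name(r["dump"])}
    for key, ids in funcs.items():
        summary[key]["functions"] = len(ids)
    return summary


if __name__ == "__main__":
    for region, info in sorted(summarize_by_region(parse_records(SAMPLE_RECORDS)).items()):
        flag = "  <-- private RWX, not PE-backed" if info["rwx_private"] and not info["based_on_pe"] else ""
        print(f"{region}: {info['functions']} functions, {info['protect']}, "
              f"{info['state']}, {info['type']}{flag}")
```

Run against the full report text instead of `SAMPLE_RECORDS` to get the real per-region counts; the Opcode ID set per region is also what you would carry over to a second sample to check for shared unpacked code.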