Windows Analysis Report
7eDrKI88k8.exe

Overview

General Information

Sample name: 7eDrKI88k8.exe (renamed because the original name is a hash value)
Original sample name: de977c9c79ceebdf86d4cb38408d7ce4.exe
Analysis ID: 1579681
MD5: de977c9c79ceebdf86d4cb38408d7ce4
SHA1: 2ffb19e7bc8109bb8033c1d6e25f4ae2fe49b3c6
SHA256: ad3fb64aaa0680e21de914b77e3502a6c82860f333fa3d2415cb9a7a93b9b893
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files

Classification

  • System is w10x64
  • 7eDrKI88k8.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\7eDrKI88k8.exe" MD5: DE977C9C79CEEBDF86D4CB38408D7CE4)
    • WerFault.exe (PID: 1848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6412 -s 1128 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 7eDrKI88k8.exe :: Avira: detected
Source: 7eDrKI88k8.exe :: Virustotal: Detection: 50%
Source: 7eDrKI88k8.exe :: ReversingLabs: Detection: 65%
Source: Submitted Sample :: Integrated Neural Analysis Model: Matched 100.0% probability
Source: 7eDrKI88k8.exe :: Joe Sandbox ML: detected
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp :: Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_ed16da56-f)
Source: 7eDrKI88k8.exe :: Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: global traffic :: HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */* (listed twice in the report)
Source: Joe Sandbox View :: IP Address: 98.85.100.80
Source: unknown :: UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 occurrences)
Source: global traffic :: DNS traffic detected: DNS query: httpbin.org
Source: global traffic :: DNS traffic detected: DNS query: home.fivetk5ht.top
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://.css
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://.jpg
Source: 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000002.2441395812.0000000001F9E000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
Source: 7eDrKI88k8.exe, 00000000.00000002.2441395812.0000000001F9E000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17345798514fd4
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp :: String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://html4/loose.dtd
Source: Amcache.hve.4.dr :: String found in binary or memory: http://upx.sf.net
Source: 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: https://curl.se/docs/hsts.html
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: https://httpbin.org/ip
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown :: Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown :: Network traffic detected: HTTP traffic on port 443 -> 49704
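The network entries above are the cheapest indicators on this page to hunt for: a GET /ip to httpbin.org carrying no User-Agent header, a DNS lookup of home.fivetk5ht.top, UDP traffic to 1.1.1.1 with no preceding DNS query, and the address 98.85.100.80. The block below is an added example written for this page, not code from the Joe Sandbox report; it runs those checks over constructed log lines (the log formats, the client address 10.0.0.5 and the answer IP 203.0.113.10 are made up for the demo; the indicator values come from the report). One caveat when weighting the missing User-Agent: libcurl sends no User-Agent at all unless the caller sets CURLOPT_USERAGENT, so for a binary that carries libcurl strings (see the curl.se references above) a bare request is expected rather than a sign of hand-rolled HTTP.

```python
"""Network-side checks for the indicators in the report, run over constructed log lines."""
from ipaddress import ip_address

# Indicator values copied from the report.
IOC_DOMAINS = {"home.fivetk5ht.top"}
IOC_IPS = {"98.85.100.80"}
# Public "what is my IP" services: benign on their own, suspicious from an unknown desktop binary.
IP_LOOKUP_SERVICES = {"httpbin.org"}


def parse_http_request(raw: str):
    """Parse the head of an HTTP/1.x request into (method, path, headers).
    Header names are lowercased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def http_findings(raw: str):
    """Flags GET/POST without User-Agent, requests to IOC hosts, and external IP lookups."""
    method, path, headers = parse_http_request(raw)
    host = headers.get("host", "")
    findings = []
    if method in ("GET", "POST") and "user-agent" not in headers:
        findings.append(f"{method} {host}{path} without User-Agent")
    if host in IOC_DOMAINS:
        findings.append(f"request to IOC host {host}")
    if host in IP_LOOKUP_SERVICES and path == "/ip":
        findings.append(f"external IP lookup via {host}{path}")
    return findings


def dns_findings(dns_log):
    """dns_log lines (constructed format): '<ts> query <qname>' or '<ts> answer <qname> <ip>'.
    Returns (findings, set of IPs that were handed out by some DNS answer)."""
    findings, resolved = [], set()
    for line in dns_log:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "query" and parts[2].rstrip(".") in IOC_DOMAINS:
            findings.append(f"DNS query for IOC domain {parts[2].rstrip('.')}")
        elif len(parts) >= 4 and parts[1] == "answer":
            resolved.add(parts[3])
    return findings, resolved


def flow_findings(flows, resolved_ips):
    """flows (constructed format): '<ts> <proto> <src> -> <dst>:<port>', IPv4 only.
    Same idea as the report's 'traffic without corresponding DNS query' and IOC-IP entries."""
    findings = []
    for line in flows:
        _ts, proto, _src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        addr = ip_address(dst)  # raises ValueError on a malformed line
        if dst in IOC_IPS:
            findings.append(f"{proto} flow to IOC IP {dst}:{port}")
        if dst not in resolved_ips and not addr.is_private:
            findings.append(f"{proto} flow to {dst}:{port} without a preceding DNS answer")
    return findings


def demo():
    """Constructed logs shaped after the report's network section."""
    http_request = "GET /ip HTTP/1.1\r\nHost: httpbin.org\r\nAccept: */*\r\n\r\n"
    dns_log = [
        "10:00:01 query httpbin.org",
        "10:00:01 answer httpbin.org 203.0.113.10",  # documentation-range IP, constructed
        "10:00:05 query home.fivetk5ht.top",
    ]
    flows = [
        "10:00:02 TCP 10.0.0.5 -> 203.0.113.10:443",
        "10:00:03 UDP 10.0.0.5 -> 1.1.1.1:53",
        "10:00:06 TCP 10.0.0.5 -> 98.85.100.80:80",
    ]
    dns, resolved = dns_findings(dns_log)
    return {"http": http_findings(http_request), "dns": dns, "flows": flow_findings(flows, resolved)}


if __name__ == "__main__":
    for kind, items in demo().items():
        for item in items:
            print(f"[{kind}] {item}")
```

The "without a preceding DNS answer" rule also fires on hard-coded C2 addresses, which is why it is worth keeping even though 1.1.1.1 itself is Cloudflare's public resolver (the report does not show the port, so whether the sample resolves names on its own is not settled by this page); allowlist known resolvers and private ranges before turning it into an alert.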

System Summary

Source: 7eDrKI88k8.exe :: Static PE information: section name: (empty)
Source: 7eDrKI88k8.exe :: Static PE information: section name: .idata
Source: 7eDrKI88k8.exe :: Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6412 -s 1128
Source: 7eDrKI88k8.exe :: Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 7eDrKI88k8.exe :: Static PE information: Section: urwcuhgx ZLIB complexity 0.9946540782540587
Source: classification engine :: Classification label: mal100.evad.winEXE@2/5@14/1
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\SysWOW64\WerFault.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6412
Source: C:\Windows\SysWOW64\WerFault.exe :: File created: C:\ProgramData\Microsoft\Windows\WER\Temp\451d30d5-545b-4b97-98ac-37e60048c818
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: File read: C:\Windows\System32\drivers\etc\hosts (6 occurrences)
Source: 7eDrKI88k8.exe :: Virustotal: Detection: 50%
Source: 7eDrKI88k8.exe :: ReversingLabs: Detection: 65%
Source: 7eDrKI88k8.exe :: String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown :: Process created: C:\Users\user\Desktop\7eDrKI88k8.exe "C:\Users\user\Desktop\7eDrKI88k8.exe"
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6412 -s 1128
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: winmm.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Section loaded: winrnr.dll
Source: 7eDrKI88k8.exe :: Static file information: File size 4453888 > 1048576
Source: 7eDrKI88k8.exe :: Static PE information: Raw size of the unnamed section is bigger than 0x100000: 0x284c00
Source: 7eDrKI88k8.exe :: Static PE information: Raw size of urwcuhgx is bigger than 0x100000: 0x1b6e00

Data Obfuscation

Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Unpacked PE file: 0.2.7eDrKI88k8.exe.c30000.0.unpack; section rights in the unpacked image: (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; urwcuhgx:EW; hijjtfti:EW; .taggant:EW vs the original file: (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; urwcuhgx:EW; hijjtfti:EW; .taggant:EW
Source: initial sample :: Static PE information: section where entry point is pointing to: .taggant
Source: 7eDrKI88k8.exe :: Static PE information: real checksum: 0x445c88 should be: 0x4459bc
Source: 7eDrKI88k8.exe :: Static PE information: section name: (empty)
Source: 7eDrKI88k8.exe :: Static PE information: section name: .idata
Source: 7eDrKI88k8.exe :: Static PE information: section name: (empty)
Source: 7eDrKI88k8.exe :: Static PE information: section name: urwcuhgx
Source: 7eDrKI88k8.exe :: Static PE information: section name: hijjtfti
Source: 7eDrKI88k8.exe :: Static PE information: section name: .taggant
Source: 7eDrKI88k8.exe :: Static PE information: section name: urwcuhgx entropy: 7.956495964615325
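The static findings in this section and in System Summary (a CheckSum field that does not match the file, two unnamed sections, random-looking section names, an entry point inside .taggant, and an entropy of 7.96 for urwcuhgx) can be reproduced without the sandbox. The block below is an added example written for this page, not code from the Joe Sandbox report or from any PE library; it recomputes the PE CheckSum with the same carry-folding algorithm Windows uses, measures per-section Shannon entropy, and classifies sections the way the report does. The section addresses, sizes and bytes in demo_findings() are constructed for the demo, not read from the sample; the stored checksum value 0x445c88 is the one the report prints, and the CheckSum field offset of 8 in the demo header blob is a made-up position (in a real file it sits at e_lfanew + 88 for both PE32 and PE32+).

```python
"""Static PE triage: CheckSum recomputation, section names, entropy, entry-point section."""
import math
from collections import Counter

# Section names a linker normally emits; anything else is flagged, as the report does.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
                     ".reloc", ".tls", ".pdata", ".xdata", ".CRT", ".debug"}


def pe_checksum(data: bytes, checksum_field_offset: int) -> int:
    """Recompute the optional-header CheckSum over a whole file image.

    Same algorithm as Windows' CheckSumMappedFile: sum the file as 32-bit words with
    carry folding, skipping the dword that holds the CheckSum field, fold the result
    to 16 bits and add the file length.
    """
    remainder = len(data) % 4
    padded = bytes(data) + b"\x00" * ((4 - remainder) % 4)
    skip = checksum_field_offset // 4
    checksum = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        checksum += int.from_bytes(padded[i * 4:i * 4 + 4], "little")
        if checksum >= 1 << 32:
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum = (checksum + (checksum >> 16)) & 0xFFFF
    return checksum + len(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the maximum; anything above about 7.0 suggests packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(sections, rva):
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["virtual_address"] <= rva < s["virtual_address"] + s["virtual_size"]:
            return s
    return None


def triage_sections(sections, entry_point_rva, stored_checksum, computed_checksum,
                    entropy_threshold=7.0):
    """Produce findings of the same kind the report lists under System Summary / Data Obfuscation."""
    findings = []
    if stored_checksum != computed_checksum:
        findings.append(f"invalid checksum: real {stored_checksum:#x} should be {computed_checksum:#x}")
    for s in sections:
        name = s["name"]
        if name == "" or not name.isprintable():
            findings.append(f"section with special chars: {name!r}")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name}")
        ent = shannon_entropy(s["raw_data"])
        if ent > entropy_threshold:
            findings.append(f"high entropy section {name!r}: {ent:.3f}")
    ep = section_for_rva(sections, entry_point_rva)
    if ep is None:
        findings.append(f"entry point {entry_point_rva:#x} is outside every section")
    elif ep["name"] not in STANDARD_SECTIONS:
        findings.append(f"entry point lies outside standard sections: {ep['name']!r}")
    return findings


def demo_findings():
    """Constructed section table shaped after the report's layout; addresses, sizes and bytes are made up."""
    sections = [
        {"name": "", "virtual_address": 0x1000, "virtual_size": 0x285000,
         "raw_data": bytes(4096)},                          # all zero: entropy 0
        {"name": ".idata", "virtual_address": 0x286000, "virtual_size": 0x1000,
         "raw_data": b"KERNEL32.dll\x00" * 300},
        {"name": "urwcuhgx", "virtual_address": 0x287000, "virtual_size": 0x1b7000,
         "raw_data": bytes(range(256)) * 16},               # uniform byte histogram: entropy 8.0
        {"name": ".taggant", "virtual_address": 0x43E000, "virtual_size": 0x1000,
         "raw_data": b"\x90" * 512 + b"\xe9" + bytes(4)},
    ]
    entry_point_rva = 0x43E000 + 0x200                      # inside .taggant, like the sample
    header_blob = bytes(range(64))                          # stand-in for a file image (constructed)
    stored_checksum = 0x445C88                              # value the report prints for the sample
    computed = pe_checksum(header_blob, checksum_field_offset=8)
    return triage_sections(sections, entry_point_rva, stored_checksum, computed)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

pe_checksum() has to be run over the entire file, not just the headers, and with the real offset of the CheckSum field; a mismatch such as the report's 0x445c88 vs 0x4459bc is common in packed or hand-patched binaries because the packer rewrote the image after the linker computed the value, so it is a weak signal on its own and a strong one next to unnamed sections and an entry point in a non-standard section.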

Boot Survival

Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Window searched: window name: FilemonClass (2 occurrences)
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Window searched: window name: PROCMON_WINDOW_CLASS (3 occurrences)
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Window searched: window name: Regmonclass (2 occurrences)
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: Window searched: window name: Filemonclass
Source: C:\Windows\SysWOW64\WerFault.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe :: Process information set: NOOPENFILEERRORBOX (50 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: Binary or memory string: PROCMON.EXE
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: Binary or memory string: X64DBG.EXE
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: Binary or memory string: WINDBG.EXE
Source: 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp :: Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EC515 second address: 14EC53C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD4D8B99496h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FD4D8B9949Eh 0x00000015 push esi 0x00000016 pushad 0x00000017 popad 0x00000018 jno 00007FD4D8B99496h 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EC53C second address: 14EC571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EE5C56h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007FD4D8EE5C59h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EF580 second address: 14EF58A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FD4D8B99496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EF65E second address: 14EF668 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EF668 second address: 14EF66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EF6C6 second address: 14EF736 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FD4D8EE5C48h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D387Fh] 0x0000002d push 00000000h 0x0000002f jmp 00007FD4D8EE5C57h 0x00000034 push 431A7673h 0x00000039 pushad 0x0000003a push ecx 0x0000003b jmp 00007FD4D8EE5C56h 0x00000040 pop ecx 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EF736 second address: 14EF73A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EF73A second address: 14EF7C2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD4D8EE5C46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 431A76F3h 0x00000012 adc esi, 65587EEEh 0x00000018 push 00000003h 0x0000001a jl 00007FD4D8EE5C4Ch 0x00000020 mov ecx, dword ptr [ebp+122D19D7h] 0x00000026 push 00000000h 0x00000028 sub dword ptr [ebp+122D34C2h], eax 0x0000002e push 00000003h 0x00000030 jmp 00007FD4D8EE5C50h 0x00000035 call 00007FD4D8EE5C49h 0x0000003a push ebx 0x0000003b pushad 0x0000003c pushad 0x0000003d popad 0x0000003e jnl 00007FD4D8EE5C46h 0x00000044 popad 0x00000045 pop ebx 0x00000046 push eax 0x00000047 jmp 00007FD4D8EE5C4Fh 0x0000004c mov eax, dword ptr [esp+04h] 0x00000050 push esi 0x00000051 jmp 00007FD4D8EE5C51h 0x00000056 pop esi 0x00000057 mov eax, dword ptr [eax] 0x00000059 push eax 0x0000005a push edx 0x0000005b push ecx 0x0000005c jg 00007FD4D8EE5C46h 0x00000062 pop ecx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EF7C2 second address: 14EF7DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8B994A8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EF8B3 second address: 14EF8F6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD4D8EE5C4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007FD4D8EE5C4Ah 0x00000012 push 00000000h 0x00000014 sub si, 558Ch 0x00000019 call 00007FD4D8EE5C49h 0x0000001e push eax 0x0000001f push edx 0x00000020 jg 00007FD4D8EE5C54h 0x00000026 jmp 00007FD4D8EE5C4Eh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EF8F6 second address: 14EF8FB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EF8FB second address: 14EF958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FD4D8EE5C55h 0x0000000f jmp 00007FD4D8EE5C58h 0x00000014 popad 0x00000015 jnc 00007FD4D8EE5C4Ch 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD4D8EE5C52h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EFA40 second address: 14EFA46 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EFA46 second address: 14EFA9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EE5C57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push esi 0x0000000e push ecx 0x0000000f jnp 00007FD4D8EE5C46h 0x00000015 pop ecx 0x00000016 pop esi 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a jns 00007FD4D8EE5C48h 0x00000020 pushad 0x00000021 popad 0x00000022 jmp 00007FD4D8EE5C59h 0x00000027 popad 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push edx 0x00000031 pop edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EFA9E second address: 14EFAA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EFAA4 second address: 14EFAB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8EE5C4Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EFAB7 second address: 14EFABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14EFABB second address: 14EFAF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov ecx, edi 0x0000000b lea ebx, dword ptr [ebp+1244744Bh] 0x00000011 xor dword ptr [ebp+122D2719h], edx 0x00000017 xchg eax, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jmp 00007FD4D8EEB833h 0x00000020 jmp 00007FD4D8EEB82Eh 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 150F6B2 second address: 150F6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 150F88B second address: 150F8A8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD4D8EEB838h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 150F8A8 second address: 150F8B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 150FF79 second address: 150FF7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 150FF7D second address: 150FF83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 150FF83 second address: 150FF8E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007FD4D8EEB826h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 15100DF second address: 15100E9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD4D8D06B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 15103B5 second address: 15103F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007FD4D8EEB845h 0x0000000b jc 00007FD4D8EEB826h 0x00000011 jmp 00007FD4D8EEB839h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD4D8EEB82Dh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 15103F0 second address: 15103F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 15106D9 second address: 1510722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD4D8EEB837h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD4D8EEB830h 0x00000011 jo 00007FD4D8EEB83Bh 0x00000017 jmp 00007FD4D8EEB82Fh 0x0000001c js 00007FD4D8EEB826h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14DD599 second address: 14DD5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 14DD5A1 second address: 14DD5B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FD4D8EEB826h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 151088B second address: 151088F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 151088F second address: 151089B instructions: 0x00000000 rdtsc 0x00000002 je 00007FD4D8EEB826h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 1511594 second address: 151159A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 151159A second address: 151159E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 151159E second address: 15115E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD4D8D06B95h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD4D8D06B92h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe :: RDTSC instruction interceptor: First address: 15115E5 second address: 15115E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1513492 second address: 1513498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1513498 second address: 151349C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151349C second address: 15134AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FD4D8D06B86h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15134AB second address: 15134B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15134B3 second address: 15134C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FD4D8D06B86h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15134C2 second address: 15134E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD4D8EEB837h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnl 00007FD4D8EEB826h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15134E8 second address: 1513516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D06B97h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD4D8D06B90h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1514901 second address: 151491A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8EEB835h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151491A second address: 151491E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151491E second address: 151493A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8EEB833h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151493A second address: 1514940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1514940 second address: 151494E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jnp 00007FD4D8EEB826h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151494E second address: 1514954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 14E5C7C second address: 14E5C87 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007FD4D8EEB826h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 14E40D6 second address: 14E40DD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 14E40DD second address: 14E4146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 je 00007FD4D8EEB84Bh 0x0000000b jmp 00007FD4D8EEB837h 0x00000010 jmp 00007FD4D8EEB82Eh 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 jg 00007FD4D8EEB843h 0x0000001e jmp 00007FD4D8EEB82Ch 0x00000023 pushad 0x00000024 push edi 0x00000025 pop edi 0x00000026 push eax 0x00000027 pop eax 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 14E4146 second address: 14E414F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 14E414F second address: 14E4153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 14E4153 second address: 14E4157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151A517 second address: 151A51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151E9B4 second address: 151E9C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FD4D8D06B86h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151E050 second address: 151E056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151E056 second address: 151E061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD4D8D06B86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151E061 second address: 151E066 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151E066 second address: 151E074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD4D8D06B86h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151E7EB second address: 151E7F0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151E7F0 second address: 151E820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D06B97h 0x00000009 pop ebx 0x0000000a push edi 0x0000000b jmp 00007FD4D8D06B8Ch 0x00000010 pop edi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ebx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151E820 second address: 151E826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 151E826 second address: 151E84A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD4D8D06B86h 0x0000000a jmp 00007FD4D8D06B8Ch 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD4D8D06B8Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1521E91 second address: 1521E97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1521F00 second address: 1521F04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1521F04 second address: 1521F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a ja 00007FD4D8EEB83Fh 0x00000010 push edx 0x00000011 jmp 00007FD4D8EEB837h 0x00000016 pop edx 0x00000017 mov eax, dword ptr [eax] 0x00000019 jns 00007FD4D8EEB83Ah 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FD4D8EEB82Ch 0x00000026 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1522255 second address: 152225B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15225DC second address: 15225E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15225E5 second address: 15225E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15225E9 second address: 15225FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FD4D8EEB82Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1522F7E second address: 1522F92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1522F92 second address: 1522F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15235C2 second address: 15235C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1523F28 second address: 1523F2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1523F2C second address: 1523F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1523F32 second address: 1523F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1523F38 second address: 1523F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1523F3C second address: 1523F40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1523FD8 second address: 1523FDE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15259BC second address: 15259F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD4D8EEB837h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D29E0h], edx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 mov dword ptr [ebp+122D3214h], esi 0x0000001f push eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15257C5 second address: 15257CB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15259F3 second address: 15259F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152786B second address: 152786F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152786F second address: 1527891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD4D8EEB836h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152765F second address: 1527663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1527891 second address: 152789B instructions: 0x00000000 rdtsc 0x00000002 je 00007FD4D8EEB826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152789B second address: 1527913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jnc 00007FD4D8D06B86h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f jmp 00007FD4D8D06B99h 0x00000014 push 00000000h 0x00000016 xor dword ptr [ebp+122D1A5Bh], esi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007FD4D8D06B88h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 push edi 0x00000039 call 00007FD4D8D06B94h 0x0000003e mov si, cx 0x00000041 pop esi 0x00000042 pop esi 0x00000043 push eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 jg 00007FD4D8D06B86h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15283E1 second address: 15283E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1528118 second address: 152811C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152811C second address: 1528126 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152A32D second address: 152A3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FD4D8D06B88h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 jne 00007FD4D8D06B8Ch 0x00000029 jmp 00007FD4D8D06B8Ah 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+12478083h], eax 0x00000036 push 00000000h 0x00000038 je 00007FD4D8D06B9Bh 0x0000003e jmp 00007FD4D8D06B95h 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FD4D8D06B8Fh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1528126 second address: 152812A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152A3A3 second address: 152A3A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152CA8F second address: 152CAF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB833h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c jg 00007FD4D8EEB826h 0x00000012 pop eax 0x00000013 pop eax 0x00000014 nop 0x00000015 xor dword ptr [ebp+122D320Fh], edi 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007FD4D8EEB828h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 push 00000000h 0x00000039 mov edi, esi 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FD4D8EEB830h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152FA18 second address: 152FA2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152EC8B second address: 152ED09 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD4D8EEB836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FD4D8EEB82Ch 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 nop 0x00000018 jno 00007FD4D8EEB82Ch 0x0000001e mov edi, dword ptr [ebp+122D3687h] 0x00000024 push dword ptr fs:[00000000h] 0x0000002b xor bx, 4F0Fh 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 and bl, FFFFFFE1h 0x0000003a mov eax, dword ptr [ebp+122D08F1h] 0x00000040 mov ebx, dword ptr [ebp+122D36B7h] 0x00000046 push FFFFFFFFh 0x00000048 or dword ptr [ebp+122D2827h], esi 0x0000004e nop 0x0000004f jnc 00007FD4D8EEB832h 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152ED09 second address: 152ED13 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD4D8D06B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 152ED13 second address: 152ED19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1533136 second address: 153313A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 153313A second address: 1533140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1533140 second address: 15331AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d cmc 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FD4D8D06B88h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007FD4D8D06B88h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 00000017h 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 pushad 0x00000047 adc edi, 42326500h 0x0000004d or ecx, 29548085h 0x00000053 popad 0x00000054 xchg eax, esi 0x00000055 push eax 0x00000056 push edx 0x00000057 jo 00007FD4D8D06B88h 0x0000005d push ecx 0x0000005e pop ecx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15331AF second address: 15331CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB830h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FD4D8EEB82Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15331CE second address: 15331D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1533364 second address: 153340D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB832h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+124474B8h], edi 0x00000012 push dword ptr fs:[00000000h] 0x00000019 xor dword ptr [ebp+122D3363h], edi 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push eax 0x00000029 call 00007FD4D8EEB828h 0x0000002e pop eax 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc eax 0x0000003c push eax 0x0000003d ret 0x0000003e pop eax 0x0000003f ret 0x00000040 mov ebx, dword ptr [ebp+12458AA0h] 0x00000046 mov eax, dword ptr [ebp+122D0EB5h] 0x0000004c mov dword ptr [ebp+122D3472h], eax 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push edx 0x00000057 call 00007FD4D8EEB828h 0x0000005c pop edx 0x0000005d mov dword ptr [esp+04h], edx 0x00000061 add dword ptr [esp+04h], 0000001Ch 0x00000069 inc edx 0x0000006a push edx 0x0000006b ret 0x0000006c pop edx 0x0000006d ret 0x0000006e call 00007FD4D8EEB82Ah 0x00000073 mov bx, E4B3h 0x00000077 pop edi 0x00000078 mov edi, dword ptr [ebp+122D37EFh] 0x0000007e nop 0x0000007f push eax 0x00000080 push eax 0x00000081 push edx 0x00000082 push edi 0x00000083 pop edi 0x00000084 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15342E7 second address: 15342EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15360B2 second address: 15360B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15360B6 second address: 15360BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15342EB second address: 153435C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov bl, 85h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 pushad 0x00000014 sub esi, dword ptr [ebp+122D3653h] 0x0000001a call 00007FD4D8EEB82Ch 0x0000001f cld 0x00000020 pop ebx 0x00000021 popad 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push edi 0x0000002a jnl 00007FD4D8EEB829h 0x00000030 pop ebx 0x00000031 mov eax, dword ptr [ebp+122D0805h] 0x00000037 jbe 00007FD4D8EEB82Ch 0x0000003d mov edi, dword ptr [ebp+122D385Fh] 0x00000043 push FFFFFFFFh 0x00000045 pushad 0x00000046 jnl 00007FD4D8EEB828h 0x0000004c sub dword ptr [ebp+122D2831h], edx 0x00000052 popad 0x00000053 push eax 0x00000054 pushad 0x00000055 jns 00007FD4D8EEB828h 0x0000005b js 00007FD4D8EEB82Ch 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15360BC second address: 153615A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007FD4D8D06B90h 0x0000000f nop 0x00000010 add dword ptr [ebp+122D350Ch], ebx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007FD4D8D06B88h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007FD4D8D06B88h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 00000017h 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e jmp 00007FD4D8D06B98h 0x00000053 add dword ptr [ebp+122D31B4h], ecx 0x00000059 xchg eax, esi 0x0000005a push eax 0x0000005b push edx 0x0000005c jnp 00007FD4D8D06B98h 0x00000062 jmp 00007FD4D8D06B92h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 153615A second address: 153615F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15371BA second address: 15371BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15371BE second address: 15371C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15371C2 second address: 1537242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FD4D8D06B8Ch 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jne 00007FD4D8D06B86h 0x00000016 jc 00007FD4D8D06B86h 0x0000001c popad 0x0000001d push ecx 0x0000001e jmp 00007FD4D8D06B99h 0x00000023 pop ecx 0x00000024 popad 0x00000025 nop 0x00000026 push 00000000h 0x00000028 mov dword ptr [ebp+122D1782h], ecx 0x0000002e push ecx 0x0000002f mov ebx, edi 0x00000031 pop edi 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007FD4D8D06B88h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e mov bl, D4h 0x00000050 pushad 0x00000051 stc 0x00000052 mov ah, 50h 0x00000054 popad 0x00000055 xchg eax, esi 0x00000056 push edi 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1537242 second address: 153724F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153724F second address: 1537253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153630A second address: 1536310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1536310 second address: 1536314 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1538203 second address: 1538275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FD4D8EEB828h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D17F1h], edi 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007FD4D8EEB828h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 0000001Ch 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 mov edi, dword ptr [ebp+122D3237h] 0x0000004b push 00000000h 0x0000004d sbb edi, 3514FFD5h 0x00000053 xor bx, B721h 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b push edi 0x0000005c pushad 0x0000005d popad 0x0000005e pop edi 0x0000005f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1535241 second address: 1535245 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1535245 second address: 153524B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153524B second address: 1535251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1535251 second address: 1535255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153A45A second address: 153A460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153A460 second address: 153A46F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153A46F second address: 153A48D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FD4D8D06B8Eh 0x0000000c push edi 0x0000000d pop edi 0x0000000e jbe 00007FD4D8D06B86h 0x00000014 jbe 00007FD4D8D06B8Eh 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153AB37 second address: 153AB3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153BC7F second address: 153BC8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FD4D8D06B86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153AD85 second address: 153AD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153BC8A second address: 153BCD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 ja 00007FD4D8D06B90h 0x0000000e nop 0x0000000f or dword ptr [ebp+1244F26Dh], eax 0x00000015 push 00000000h 0x00000017 mov dword ptr [ebp+122D1782h], eax 0x0000001d push 00000000h 0x0000001f mov dword ptr [ebp+122DB69Dh], ebx 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FD4D8D06B96h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153E412 second address: 153E416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153E416 second address: 153E41A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153BE91 second address: 153BEA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB832h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153E41A second address: 153E427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153E427 second address: 153E42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153BF39 second address: 153BF55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8D06B98h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153F5DC second address: 153F5E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153F5E0 second address: 153F5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 js 00007FD4D8D06B98h 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FD4D8D06B86h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 153F5F5 second address: 153F5F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15484D7 second address: 15484DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15484DB second address: 15484E8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD4D8EEB826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15484E8 second address: 154851E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D06B96h 0x00000009 pop ecx 0x0000000a push ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD4D8D06B91h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 154851E second address: 1548522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1548522 second address: 1548526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1547C0C second address: 1547C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1547C11 second address: 1547C20 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 jng 00007FD4D8D06B86h 0x0000000b pop ecx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1547C20 second address: 1547C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1547D70 second address: 1547D74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1547D74 second address: 1547D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 154803F second address: 1548045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1548045 second address: 154804F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 154804F second address: 1548055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1548055 second address: 154805A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 154BBDE second address: 154BC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD4D8D06B86h 0x0000000a jmp 00007FD4D8D06B8Bh 0x0000000f jmp 00007FD4D8D06B8Fh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 154BC03 second address: 154BC09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1552055 second address: 155205E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 155205E second address: 155207D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD4D8EEB826h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f jnc 00007FD4D8EEB82Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 155889D second address: 15588BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B98h 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FD4D8D06B86h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15588BF second address: 15588C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15588C3 second address: 1558909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D06B94h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FD4D8D06B8Ah 0x00000015 ja 00007FD4D8D06B86h 0x0000001b popad 0x0000001c jmp 00007FD4D8D06B96h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1558909 second address: 155890E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 155890E second address: 1558918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1557B4F second address: 1557B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FD4D8EEB826h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1557B5E second address: 1557B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1557B62 second address: 1557B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1557B68 second address: 1557B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 14E2652 second address: 14E265E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD4D8EEB826h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 14E265E second address: 14E2667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 14E2667 second address: 14E266D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15580B3 second address: 15580CE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD4D8D06B8Ah 0x00000008 pop edx 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d pop eax 0x0000000e jno 00007FD4D8D06B86h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15585BA second address: 15585C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15585C0 second address: 15585CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15585CB second address: 1558605 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD4D8EEB836h 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 155EBB6 second address: 155EBCE instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD4D8D06B86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 155EBCE second address: 155EBD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 155EBD4 second address: 155EBD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 156337B second address: 1563395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8EEB836h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1520694 second address: 152069E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD4D8D06B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 152069E second address: 15206A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1520D32 second address: 1520D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1520D36 second address: 1520D3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1520D3A second address: 1520D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1520E25 second address: 1520E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1520E29 second address: 1520E42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1520EA9 second address: 1520EB2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1520FB2 second address: 1520FF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FD4D8D06B99h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push esi 0x00000015 jbe 00007FD4D8D06B88h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d pop esi 0x0000001e mov eax, dword ptr [eax] 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 js 00007FD4D8D06B86h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1520FF6 second address: 1521011 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007FD4D8EEB826h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1521011 second address: 152102F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD4D8D06B97h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1521122 second address: 1521128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1521128 second address: 152112C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15216B7 second address: 15216BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1521A54 second address: 1521A5E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD4D8D06B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1521A5E second address: 1521ABE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edi, 13F50905h 0x0000000e mov ecx, dword ptr [ebp+122D3777h] 0x00000014 lea eax, dword ptr [ebp+1247846Bh] 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007FD4D8EEB828h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 xor edi, 4974F253h 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e jmp 00007FD4D8EEB838h 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1521ABE second address: 1521AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1521AC3 second address: 1507FFD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD4D8EEB83Bh 0x00000008 jmp 00007FD4D8EEB835h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 movzx edi, si 0x00000015 lea eax, dword ptr [ebp+12478427h] 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007FD4D8EEB828h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 xor dword ptr [ebp+122D2863h], ebx 0x0000003b push eax 0x0000003c jmp 00007FD4D8EEB830h 0x00000041 mov dword ptr [esp], eax 0x00000044 push 00000000h 0x00000046 push edx 0x00000047 call 00007FD4D8EEB828h 0x0000004c pop edx 0x0000004d mov dword ptr [esp+04h], edx 0x00000051 add dword ptr [esp+04h], 00000015h 0x00000059 inc edx 0x0000005a push edx 0x0000005b ret 0x0000005c pop edx 0x0000005d ret 0x0000005e or edi, 007856D6h 0x00000064 pushad 0x00000065 mov dx, si 0x00000068 mov dword ptr [ebp+122D1856h], ecx 0x0000006e popad 0x0000006f call dword ptr [ebp+122D3221h] 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007FD4D8EEB835h 0x0000007c push eax 0x0000007d push edx 0x0000007e push edi 0x0000007f pop edi 0x00000080 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1507FFD second address: 1508009 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FD4D8D06B86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1508009 second address: 150801A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD4D8EEB82Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 150801A second address: 150804B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jnl 00007FD4D8D06B86h 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 pushad 0x00000017 jp 00007FD4D8D06B86h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD4D8D06B8Dh 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 150804B second address: 1508056 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 156264E second address: 1562663 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD4D8D06B8Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15627B9 second address: 15627C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 jnp 00007FD4D8EEB826h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15627C8 second address: 15627E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007FD4D8D06B86h 0x0000000c pushad 0x0000000d popad 0x0000000e jnp 00007FD4D8D06B86h 0x00000014 popad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15627E0 second address: 15627F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8EEB82Bh 0x00000009 pop esi 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 156294B second address: 1562954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1562954 second address: 1562966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8EEB82Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1562966 second address: 156296E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 14E0B56 second address: 14E0B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 14E0B5A second address: 14E0B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 14E0B6C second address: 14E0B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FD4D8EEB826h 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1562FD8 second address: 1562FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15679BC second address: 15679C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15679C6 second address: 15679D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD4D8D06B86h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1567B43 second address: 1567B47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1568783 second address: 1568787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1568787 second address: 15687A2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD4D8EEB826h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d jg 00007FD4D8EEB840h 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007FD4D8EEB826h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1568D6C second address: 1568D70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1568D70 second address: 1568D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1568D76 second address: 1568D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a js 00007FD4D8D06B98h 0x00000010 jmp 00007FD4D8D06B8Ch 0x00000015 jne 00007FD4D8D06B86h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1568D9C second address: 1568DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1568DA2 second address: 1568DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1568DA6 second address: 1568DAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1570A2F second address: 1570A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 1570A35 second address: 1570A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 157157A second address: 157157E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 157157E second address: 157158E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jne 00007FD4D8EEB826h 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 157158E second address: 15715D0 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD4D8D06B88h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FD4D8D06B92h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007FD4D8D06B97h 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b js 00007FD4D8D06B9Fh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe RDTSC instruction interceptor: First address: 15715D0 second address: 1571600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8EEB833h 0x00000009 jmp 00007FD4D8EEB833h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1571A2A second address: 1571A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1574674 second address: 1574692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD4D8EEB835h 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15747F9 second address: 157480A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FD4D8D06B86h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157480A second address: 157482E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD4D8EEB837h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157482E second address: 1574834 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1574834 second address: 157483A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157483A second address: 1574840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15773BF second address: 15773CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FD4D8EEB82Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15770A7 second address: 15770B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD4D8D06B86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15770B1 second address: 15770BB instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD4D8EEB826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15770BB second address: 15770E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8D06B99h 0x00000009 jmp 00007FD4D8D06B8Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157C155 second address: 157C160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157EECB second address: 157EED1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157EED1 second address: 157EED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157EED7 second address: 157EF0F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD4D8D06B9Eh 0x00000008 jmp 00007FD4D8D06B98h 0x0000000d jmp 00007FD4D8D06B8Dh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jne 00007FD4D8D06BA4h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157EF0F second address: 157EF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8EEB838h 0x00000009 jg 00007FD4D8EEB82Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157F4CD second address: 157F4D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157F4D1 second address: 157F4DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157F4DA second address: 157F4E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157F4E4 second address: 157F4EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 157F4EA second address: 157F512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D06B92h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD4D8D06B8Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1585310 second address: 158531B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FD4D8EEB826h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158531B second address: 158533C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD4D8D06B92h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1583C83 second address: 1583C87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1583C87 second address: 1583CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FD4D8D06B99h 0x0000000c popad 0x0000000d jng 00007FD4D8D06B94h 0x00000013 pushad 0x00000014 jnp 00007FD4D8D06B86h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1583DEA second address: 1583E16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB834h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007FD4D8EEB82Ah 0x00000010 pushad 0x00000011 jp 00007FD4D8EEB826h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1583E16 second address: 1583E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1583F8D second address: 1583F9C instructions: 0x00000000 rdtsc 0x00000002 js 00007FD4D8EEB826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15840F0 second address: 15840FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1584250 second address: 1584256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1584256 second address: 158425C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15843F7 second address: 1584427 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD4D8EEB82Eh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push esi 0x00000015 jmp 00007FD4D8EEB82Bh 0x0000001a push eax 0x0000001b push edx 0x0000001c jno 00007FD4D8EEB826h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15213FC second address: 1521491 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b jmp 00007FD4D8D06B96h 0x00000010 nop 0x00000011 pushad 0x00000012 call 00007FD4D8D06B8Dh 0x00000017 sub cx, 2C80h 0x0000001c pop edx 0x0000001d pushad 0x0000001e mov ax, bx 0x00000021 mov eax, dword ptr [ebp+122D38BFh] 0x00000027 popad 0x00000028 popad 0x00000029 mov ebx, dword ptr [ebp+12478466h] 0x0000002f mov ecx, dword ptr [ebp+122D28D8h] 0x00000035 add eax, ebx 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007FD4D8D06B88h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 0000001Ch 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 mov edx, 769CD496h 0x00000056 nop 0x00000057 jc 00007FD4D8D06B98h 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1521491 second address: 1521495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1521495 second address: 15214BE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD4D8D06B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FD4D8D06B95h 0x00000011 js 00007FD4D8D06B8Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158501A second address: 158501E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158501E second address: 1585050 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B94h 0x00000007 jmp 00007FD4D8D06B94h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1585050 second address: 1585056 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1585056 second address: 158505D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158FCC1 second address: 158FCE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 je 00007FD4D8EEB826h 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD4D8EEB839h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158FCE9 second address: 158FD02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158FD02 second address: 158FD06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158DF66 second address: 158DF6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158E0CE second address: 158E100 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB835h 0x00000007 jmp 00007FD4D8EEB839h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158E638 second address: 158E64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD4D8D06B86h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158E64B second address: 158E64F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158E64F second address: 158E655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158EED2 second address: 158EEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD4D8EEB832h 0x0000000a jo 00007FD4D8EEB826h 0x00000010 js 00007FD4D8EEB826h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD4D8EEB831h 0x0000001d push eax 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158EEFD second address: 158EF01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158EF01 second address: 158EF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158EF0F second address: 158EF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jmp 00007FD4D8D06B8Fh 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FD4D8D06B99h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158EF42 second address: 158EF48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158EF48 second address: 158EF4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158EF4C second address: 158EF52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158F462 second address: 158F466 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158F466 second address: 158F48C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8EEB839h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158F48C second address: 158F49C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FD4D8D06B92h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158F49C second address: 158F4A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD4D8EEB826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158F71C second address: 158F720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158F720 second address: 158F733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jl 00007FD4D8EEB844h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158F733 second address: 158F737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 158FA2F second address: 158FA39 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD4D8EEB82Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1593E18 second address: 1593E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1593E1C second address: 1593E20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1593E20 second address: 1593E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnp 00007FD4D8D06B86h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1593E30 second address: 1593E3A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD4D8EEB826h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1593E3A second address: 1593E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d jnc 00007FD4D8D06B86h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FD4D8D06B98h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jne 00007FD4D8D06B86h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1593E72 second address: 1593E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1592F97 second address: 1592FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007FD4D8D06B86h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FD4D8D06B8Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1592FB3 second address: 1592FDA instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD4D8EEB826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD4D8EEB82Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 jbe 00007FD4D8EEB826h 0x0000001b jp 00007FD4D8EEB826h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1592FDA second address: 1592FE4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD4D8D06B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1592FE4 second address: 1592FE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1592FE9 second address: 1592FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15935B7 second address: 15935BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15935BB second address: 15935BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1593707 second address: 159370B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 159370B second address: 1593711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1593829 second address: 159382D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 159382D second address: 1593831 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 1593831 second address: 1593841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jbe 00007FD4D8EEB826h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15939DE second address: 15939E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 159EC6A second address: 159EC70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 159EC70 second address: 159EC74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 159EC74 second address: 159EC84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FD4D8EEB826h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 159F7B6 second address: 159F7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D06B8Eh 0x00000009 ja 00007FD4D8D06B86h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 159F7D3 second address: 159F7DB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 159F928 second address: 159F92C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 159F92C second address: 159F949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 159F949 second address: 159F950 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 14E412F second address: 14E4146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8EEB82Ch 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15A7EB9 second address: 15A7EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 15A7EBD second address: 15A7ED7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB831h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15A7ED7 second address: 15A7EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD4D8D06B86h 0x0000000a jnc 00007FD4D8D06B86h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15B6A6B second address: 15B6A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15B6A71 second address: 15B6A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15B6A7C second address: 15B6A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15B6A80 second address: 15B6A8A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD4D8D06B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15B6A8A second address: 15B6A91 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15B6A91 second address: 15B6A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15B6A9D second address: 15B6AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD4D8EEB826h 0x0000000a popad 0x0000000b jmp 00007FD4D8EEB82Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15B652A second address: 15B652E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15B669D second address: 15B66A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15BB5ED second address: 15BB61E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD4D8D06B96h 0x00000014 jmp 00007FD4D8D06B8Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15C66D9 second address: 15C66E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD4D8EEB826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15C66E3 second address: 15C6705 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B95h 0x00000007 js 00007FD4D8D06B86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15C6705 second address: 15C670A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15CCA71 second address: 15CCA8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD4D8D06B8Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnp 00007FD4D8D06B86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15CCA8C second address: 15CCA94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15D3126 second address: 15D313C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD4D8D06B90h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15D313C second address: 15D3164 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD4D8EEB83Eh 0x00000008 jmp 00007FD4D8EEB838h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15D32C1 second address: 15D32C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15D345F second address: 15D3466 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15D3733 second address: 15D373B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15D373B second address: 15D3755 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD4D8EEB826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007FD4D8EEB82Ah 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15D8929 second address: 15D892F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15D892F second address: 15D8935 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15DD0E3 second address: 15DD111 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD4D8D06B90h 0x00000012 jmp 00007FD4D8D06B91h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 15DCF8C second address: 15DCF90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 1612F3A second address: 1612F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D06B8Dh 0x00000009 popad 0x0000000a jnl 00007FD4D8D06B92h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 1612F5E second address: 1612F72 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jnp 00007FD4D8EEB826h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 1612F72 second address: 1612F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 162433F second address: 162434E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB82Ah 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 162434E second address: 162435E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jng 00007FD4D8D06BB7h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 162435E second address: 1624387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8EEB832h 0x00000009 jmp 00007FD4D8EEB82Bh 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 1626DEF second address: 1626DF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 1626F19 second address: 1626F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 1626F1D second address: 1626F27 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD4D8D06B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 162988C second address: 1629892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 1629892 second address: 162989B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 162989B second address: 162989F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 162971E second address: 1629724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 1629724 second address: 162972F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD4D8EEB826h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16ED9C0 second address: 16ED9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D06B90h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EDB61 second address: 16EDB65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EDB65 second address: 16EDB71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EDB71 second address: 16EDB86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB831h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EDEA0 second address: 16EDEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EDEAB second address: 16EDEB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD4D8EEB826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EDEB5 second address: 16EDEC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EDEC1 second address: 16EDECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD4D8EEB826h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EDECD second address: 16EDED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EDED1 second address: 16EDED5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EDED5 second address: 16EDEDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EE00C second address: 16EE016 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD4D8EEB82Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16EE735 second address: 16EE751 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD4D8D06B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b pushad 0x0000000c js 00007FD4D8D06B88h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007FD4D8D06B86h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F173E second address: 16F1742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F1928 second address: 16F192E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F1B76 second address: 16F1B7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F1B7A second address: 16F1BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 and edx, 16D0A9BEh 0x0000000e mov edx, dword ptr [ebp+122D1A62h] 0x00000014 push dword ptr [ebp+122D3011h] 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007FD4D8D06B88h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov dword ptr [ebp+122D2AE0h], eax 0x0000003a push 6BEE8396h 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F1BC3 second address: 16F1BC9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F4D2A second address: 16F4D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F4D35 second address: 16F4D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F4D39 second address: 16F4D60 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD4D8D06B86h 0x00000008 jmp 00007FD4D8D06B94h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 js 00007FD4D8D06B86h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F4D60 second address: 16F4D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F4D66 second address: 16F4D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F4D74 second address: 16F4D7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F4D7A second address: 16F4D8A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD4D8D06B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F48D8 second address: 16F48DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F48DE second address: 16F48E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F48E4 second address: 16F48E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F48E8 second address: 16F490D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FD4D8D06B8Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F693F second address: 16F6943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F6943 second address: 16F6949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 16F6949 second address: 16F694F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A00008 second address: 7A0000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A0000C second address: 7A00029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A00029 second address: 7A00086 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD4D8D06B8Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov bx, 4E14h 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FD4D8D06B93h 0x0000001c jmp 00007FD4D8D06B93h 0x00000021 popfd 0x00000022 mov dl, cl 0x00000024 popad 0x00000025 popad 0x00000026 xchg eax, ebp 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A00086 second address: 7A0008A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A0008A second address: 7A0013B instructions: 0x00000000 rdtsc 0x00000002 mov ah, 36h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a mov ax, bx 0x0000000d pushfd 0x0000000e jmp 00007FD4D8D06B8Dh 0x00000013 or ecx, 20F59D96h 0x00000019 jmp 00007FD4D8D06B91h 0x0000001e popfd 0x0000001f popad 0x00000020 mov eax, dword ptr fs:[00000030h] 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FD4D8D06B8Ch 0x0000002d sbb ah, FFFFFFB8h 0x00000030 jmp 00007FD4D8D06B8Bh 0x00000035 popfd 0x00000036 call 00007FD4D8D06B98h 0x0000003b push eax 0x0000003c pop edi 0x0000003d pop esi 0x0000003e popad 0x0000003f sub esp, 18h 0x00000042 jmp 00007FD4D8D06B8Dh 0x00000047 xchg eax, ebx 0x00000048 jmp 00007FD4D8D06B8Eh 0x0000004d push eax 0x0000004e jmp 00007FD4D8D06B8Bh 0x00000053 xchg eax, ebx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 mov al, bl 0x00000059 jmp 00007FD4D8D06B8Ch 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A0013B second address: 7A001B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD4D8EEB831h 0x00000009 sbb eax, 65441DC6h 0x0000000f jmp 00007FD4D8EEB831h 0x00000014 popfd 0x00000015 jmp 00007FD4D8EEB830h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ebx, dword ptr [eax+10h] 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FD4D8EEB82Eh 0x00000027 adc eax, 3AA30998h 0x0000002d jmp 00007FD4D8EEB82Bh 0x00000032 popfd 0x00000033 pushad 0x00000034 mov eax, 2020A7E5h 0x00000039 mov edx, eax 0x0000003b popad 0x0000003c popad 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A001B1 second address: 7A001B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A001B5 second address: 7A001B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A001B9 second address: 7A001BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A001BF second address: 7A001C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A001C5 second address: 7A001C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A001C9 second address: 7A001E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD4D8EEB834h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A001E8 second address: 7A001EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A001EE second address: 7A001F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A001F2 second address: 7A00236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007FD4D8D06B99h 0x0000000e mov esi, dword ptr [759B06ECh] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD4D8D06B98h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A00236 second address: 7A00245 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB82Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A00245 second address: 7A002B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD4D8D06B8Fh 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FD4D8D06B99h 0x0000000f sbb ch, 00000066h 0x00000012 jmp 00007FD4D8D06B91h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test esi, esi 0x0000001d jmp 00007FD4D8D06B8Eh 0x00000022 jne 00007FD4D8D07A95h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FD4D8D06B97h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A002B9 second address: 7A002F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 pushfd 0x00000006 jmp 00007FD4D8EEB82Bh 0x0000000b sbb si, AFFEh 0x00000010 jmp 00007FD4D8EEB839h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A002F3 second address: 7A002F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A002F7 second address: 7A002FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A002FB second address: 7A00301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A0047D second address: 7A0051C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB82Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b pushad 0x0000000c jmp 00007FD4D8EEB82Eh 0x00000011 pushfd 0x00000012 jmp 00007FD4D8EEB832h 0x00000017 sbb esi, 492EE378h 0x0000001d jmp 00007FD4D8EEB82Bh 0x00000022 popfd 0x00000023 popad 0x00000024 test esi, esi 0x00000026 jmp 00007FD4D8EEB836h 0x0000002b je 00007FD546E1A9F4h 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 call 00007FD4D8EEB82Dh 0x00000039 pop eax 0x0000003a pushfd 0x0000003b jmp 00007FD4D8EEB831h 0x00000040 and esi, 4D3FE576h 0x00000046 jmp 00007FD4D8EEB831h 0x0000004b popfd 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A0051C second address: 7A00522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A00522 second address: 7A00526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A00526 second address: 7A00555 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub eax, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD4D8D06B92h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A00555 second address: 7A0058A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB82Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b jmp 00007FD4D8EEB836h 0x00000010 mov dword ptr [esi+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov edi, 080F2970h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A0058A second address: 7A00599 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8D06B8Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A00599 second address: 7A005BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD4D8EEB837h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A005BF second address: 7A005C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A005C5 second address: 7A0062B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD4D8EEB832h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FD4D8EEB82Bh 0x0000000f add ax, 10DEh 0x00000014 jmp 00007FD4D8EEB839h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov dword ptr [esi+0Ch], eax 0x00000020 jmp 00007FD4D8EEB82Eh 0x00000025 mov eax, dword ptr [ebx+4Ch] 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FD4D8EEB82Ah 0x00000031 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A0062B second address: 7A0063A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A0063A second address: 7A00669 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+10h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD4D8EEB82Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A00669 second address: 7A00679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8D06B8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A00679 second address: 7A006BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB82Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+50h] 0x0000000e jmp 00007FD4D8EEB836h 0x00000013 mov dword ptr [esi+14h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD4D8EEB837h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A006BF second address: 7A006D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8D06B94h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A006D7 second address: 7A007B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+54h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FD4D8EEB82Dh 0x00000012 sbb ax, 68A6h 0x00000017 jmp 00007FD4D8EEB831h 0x0000001c popfd 0x0000001d jmp 00007FD4D8EEB830h 0x00000022 popad 0x00000023 mov dword ptr [esi+18h], eax 0x00000026 jmp 00007FD4D8EEB830h 0x0000002b mov eax, dword ptr [ebx+58h] 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FD4D8EEB82Eh 0x00000035 jmp 00007FD4D8EEB835h 0x0000003a popfd 0x0000003b mov edi, ecx 0x0000003d popad 0x0000003e mov dword ptr [esi+1Ch], eax 0x00000041 pushad 0x00000042 call 00007FD4D8EEB838h 0x00000047 mov dh, cl 0x00000049 pop edi 0x0000004a movzx esi, di 0x0000004d popad 0x0000004e mov eax, dword ptr [ebx+5Ch] 0x00000051 jmp 00007FD4D8EEB82Fh 0x00000056 mov dword ptr [esi+20h], eax 0x00000059 jmp 00007FD4D8EEB836h 0x0000005e mov eax, dword ptr [ebx+60h] 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 mov edi, 5DBEA7E0h 0x00000069 mov bx, 620Ch 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A007B6 second address: 7A007BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exe	RDTSC instruction interceptor: First address: 7A007BB second address: 7A0081F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx eax, bx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esi+24h], eax 0x0000000d pushad 0x0000000e pushad 0x0000000f mov dx, AA28h 0x00000013 jmp 00007FD4D8EEB831h 0x00000018 popad 0x00000019 push ecx 0x0000001a mov bx, DF22h 0x0000001e pop ebx 0x0000001f popad 0x00000020 mov eax, dword ptr [ebx+64h] 0x00000023 jmp 00007FD4D8EEB836h 0x00000028 mov dword ptr [esi+28h], eax 0x0000002b pushad 0x0000002c mov dx, si 0x0000002f mov cx, 09C9h 0x00000033 popad 0x00000034 mov eax, dword ptr [ebx+68h] 0x00000037 pushad 0x00000038 movsx ebx, si 0x0000003b popad 0x0000003c mov dword ptr [esi+2Ch], eax 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 mov esi, ebx 0x00000044 mov ecx, edi 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A0081F second address: 7A00824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00824 second address: 7A00848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ax, word ptr [ebx+6Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD4D8EEB837h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00848 second address: 7A008D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD4D8D06B8Fh 0x00000008 movzx esi, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov word ptr [esi+30h], ax 0x00000012 pushad 0x00000013 mov dh, E8h 0x00000015 mov di, cx 0x00000018 popad 0x00000019 mov ax, word ptr [ebx+00000088h] 0x00000020 pushad 0x00000021 mov dl, ah 0x00000023 pushfd 0x00000024 jmp 00007FD4D8D06B97h 0x00000029 add eax, 70DBAE4Eh 0x0000002f jmp 00007FD4D8D06B99h 0x00000034 popfd 0x00000035 popad 0x00000036 mov word ptr [esi+32h], ax 0x0000003a jmp 00007FD4D8D06B8Eh 0x0000003f mov eax, dword ptr [ebx+0000008Ch] 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FD4D8D06B8Ah 0x0000004e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A008D4 second address: 7A008D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A008D8 second address: 7A008DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A008DE second address: 7A008FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esi+34h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD4D8EEB830h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A008FF second address: 7A0090E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A0090E second address: 7A00913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00913 second address: 7A00927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, AF88h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+18h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00927 second address: 7A0092B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A0092B second address: 7A00931 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00931 second address: 7A00975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB82Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+38h], eax 0x0000000c jmp 00007FD4D8EEB836h 0x00000011 mov eax, dword ptr [ebx+1Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD4D8EEB837h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00975 second address: 7A009C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+3Ch], eax 0x0000000c jmp 00007FD4D8D06B8Eh 0x00000011 mov eax, dword ptr [ebx+20h] 0x00000014 jmp 00007FD4D8D06B90h 0x00000019 mov dword ptr [esi+40h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push ebx 0x00000020 pop ecx 0x00000021 mov dx, 4F4Ch 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A009C3 second address: 7A009F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB832h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+00000080h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD4D8EEB837h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A009F8 second address: 7A009FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A009FE second address: 7A00A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00A02 second address: 7A00A2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000001h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD4D8D06B95h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00A2C second address: 7A00A3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8EEB82Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00A3C second address: 7A00A80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d mov ecx, 405F7E2Bh 0x00000012 mov ecx, 6B55D207h 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007FD4D8D06B8Dh 0x0000001e nop 0x0000001f jmp 00007FD4D8D06B8Eh 0x00000024 lea eax, dword ptr [ebp-10h] 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00A80 second address: 7A00A84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00A84 second address: 7A00A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00B52 second address: 7A00B58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00B58 second address: 7A00B97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FD4D8D06B8Ah 0x0000000b add eax, 1814A658h 0x00000011 jmp 00007FD4D8D06B8Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FD4D8D06B95h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00B97 second address: 7A00BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8EEB82Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00BA7 second address: 7A00BCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+78h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD4D8D06B90h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00BCF second address: 7A00BD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00BD5 second address: 7A00BE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8D06B8Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00BE6 second address: 7A00C3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB831h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000001h 0x0000000d pushad 0x0000000e mov dx, cx 0x00000011 mov esi, 49CF179Fh 0x00000016 popad 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx ebx, ax 0x0000001e pushfd 0x0000001f jmp 00007FD4D8EEB838h 0x00000024 add esi, 55D73A38h 0x0000002a jmp 00007FD4D8EEB82Bh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00C3C second address: 7A00C7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD4D8D06B91h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD4D8D06B8Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00C7B second address: 7A00C81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00C81 second address: 7A00C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00C85 second address: 7A00CA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB833h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00CA7 second address: 7A00CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00CAB second address: 7A00CC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB837h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00E09 second address: 7A00E0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00E0F second address: 7A00E98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FD4D8EEB836h 0x0000000b adc esi, 022B7048h 0x00000011 jmp 00007FD4D8EEB82Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+08h], eax 0x0000001d jmp 00007FD4D8EEB836h 0x00000022 lea eax, dword ptr [ebx+70h] 0x00000025 jmp 00007FD4D8EEB830h 0x0000002a push 00000001h 0x0000002c jmp 00007FD4D8EEB830h 0x00000031 nop 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FD4D8EEB837h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00E98 second address: 7A00F7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD4D8D06B8Fh 0x00000009 add eax, 5F61DDFEh 0x0000000f jmp 00007FD4D8D06B99h 0x00000014 popfd 0x00000015 push ecx 0x00000016 pop edi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c jmp 00007FD4D8D06B93h 0x00000021 pushfd 0x00000022 jmp 00007FD4D8D06B98h 0x00000027 adc ax, 5F58h 0x0000002c jmp 00007FD4D8D06B8Bh 0x00000031 popfd 0x00000032 popad 0x00000033 nop 0x00000034 jmp 00007FD4D8D06B96h 0x00000039 lea eax, dword ptr [ebp-18h] 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007FD4D8D06B8Eh 0x00000043 sub cx, B0E8h 0x00000048 jmp 00007FD4D8D06B8Bh 0x0000004d popfd 0x0000004e pushfd 0x0000004f jmp 00007FD4D8D06B98h 0x00000054 and cx, C348h 0x00000059 jmp 00007FD4D8D06B8Bh 0x0000005e popfd 0x0000005f popad 0x00000060 nop 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00F7D second address: 7A00F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A00F81 second address: 7A00F87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01052 second address: 7A01097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FD546E19E7Eh 0x0000000b jmp 00007FD4D8EEB82Ch 0x00000010 mov eax, dword ptr [ebp-14h] 0x00000013 jmp 00007FD4D8EEB830h 0x00000018 mov ecx, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FD4D8EEB837h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01097 second address: 7A010FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD4D8D06B8Bh 0x00000009 add esi, 4696D3DEh 0x0000000f jmp 00007FD4D8D06B99h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov dword ptr [esi+0Ch], eax 0x0000001b jmp 00007FD4D8D06B8Eh 0x00000020 mov edx, 759B06ECh 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov ax, bx 0x0000002b jmp 00007FD4D8D06B99h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A010FF second address: 7A01122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB831h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD4D8EEB82Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01122 second address: 7A0114C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [edx], ecx 0x0000000d pushad 0x0000000e call 00007FD4D8D06B94h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A0114C second address: 7A01221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FD4D8EEB831h 0x0000000b jmp 00007FD4D8EEB82Bh 0x00000010 popfd 0x00000011 popad 0x00000012 pop edi 0x00000013 jmp 00007FD4D8EEB836h 0x00000018 test eax, eax 0x0000001a jmp 00007FD4D8EEB830h 0x0000001f jne 00007FD546E19D69h 0x00000025 jmp 00007FD4D8EEB830h 0x0000002a mov edx, dword ptr [ebp+08h] 0x0000002d jmp 00007FD4D8EEB830h 0x00000032 mov eax, dword ptr [esi] 0x00000034 pushad 0x00000035 push eax 0x00000036 pushfd 0x00000037 jmp 00007FD4D8EEB839h 0x0000003c jmp 00007FD4D8EEB82Bh 0x00000041 popfd 0x00000042 pop ecx 0x00000043 popad 0x00000044 mov dword ptr [edx], eax 0x00000046 jmp 00007FD4D8EEB82Fh 0x0000004b mov eax, dword ptr [esi+04h] 0x0000004e jmp 00007FD4D8EEB836h 0x00000053 mov dword ptr [edx+04h], eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01221 second address: 7A0123E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A0123E second address: 7A01288 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 mov dl, al 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 call 00007FD4D8EEB82Ch 0x00000016 pop ecx 0x00000017 pushfd 0x00000018 jmp 00007FD4D8EEB82Bh 0x0000001d and cx, 745Eh 0x00000022 jmp 00007FD4D8EEB839h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01288 second address: 7A012C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+08h], eax 0x0000000c pushad 0x0000000d call 00007FD4D8D06B98h 0x00000012 mov dx, ax 0x00000015 pop esi 0x00000016 popad 0x00000017 mov eax, dword ptr [esi+0Ch] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A012C7 second address: 7A012CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A012CB second address: 7A012D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A012D1 second address: 7A012D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A012D7 second address: 7A012DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A012DB second address: 7A01320 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8EEB833h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+0Ch], eax 0x0000000e pushad 0x0000000f mov ecx, 51E806EBh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushfd 0x00000017 jmp 00007FD4D8EEB82Eh 0x0000001c or ecx, 5E27C778h 0x00000022 jmp 00007FD4D8EEB82Bh 0x00000027 popfd 0x00000028 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01320 second address: 7A01364 instructions: 0x00000000 rdtsc 0x00000002 call 00007FD4D8D06B98h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esi+10h] 0x0000000e jmp 00007FD4D8D06B91h 0x00000013 mov dword ptr [edx+10h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD4D8D06B8Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01364 second address: 7A01374 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8EEB82Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01374 second address: 7A013A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D06B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+14h] 0x0000000e jmp 00007FD4D8D06B96h 0x00000013 mov dword ptr [edx+14h], eax 0x00000016 pushad 0x00000017 movzx ecx, dx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A013A7 second address: 7A01429 instructions: 0x00000000 rdtsc 0x00000002 mov cl, 40h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esi+18h] 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FD4D8EEB833h 0x00000012 jmp 00007FD4D8EEB833h 0x00000017 popfd 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b pushfd 0x0000001c jmp 00007FD4D8EEB836h 0x00000021 or eax, 3D71B5B8h 0x00000027 jmp 00007FD4D8EEB82Bh 0x0000002c popfd 0x0000002d popad 0x0000002e mov dword ptr [edx+18h], eax 0x00000031 jmp 00007FD4D8EEB836h 0x00000036 mov eax, dword ptr [esi+1Ch] 0x00000039 pushad 0x0000003a mov bl, al 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01429 second address: 7A0144B instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov dword ptr [edx+1Ch], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e call 00007FD4D8D06B93h 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A0144B second address: 7A01473 instructions: 0x00000000 rdtsc 0x00000002 mov dx, 15BCh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov eax, dword ptr [esi+20h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD4D8EEB838h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01473 second address: 7A01477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01477 second address: 7A0147D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A0147D second address: 7A01503 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, bx 0x00000006 mov si, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [edx+20h], eax 0x0000000f pushad 0x00000010 pushad 0x00000011 mov dl, 22h 0x00000013 mov si, 416Fh 0x00000017 popad 0x00000018 pushfd 0x00000019 jmp 00007FD4D8D06B94h 0x0000001e jmp 00007FD4D8D06B95h 0x00000023 popfd 0x00000024 popad 0x00000025 mov eax, dword ptr [esi+24h] 0x00000028 jmp 00007FD4D8D06B8Eh 0x0000002d mov dword ptr [edx+24h], eax 0x00000030 pushad 0x00000031 jmp 00007FD4D8D06B8Eh 0x00000036 jmp 00007FD4D8D06B92h 0x0000003b popad 0x0000003c mov eax, dword ptr [esi+28h] 0x0000003f pushad 0x00000040 popad 0x00000041 mov dword ptr [edx+28h], eax 0x00000044 pushad 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01503 second address: 7A01519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dx, 5DD2h 0x00000009 popad 0x0000000a mov ecx, dword ptr [esi+2Ch] 0x0000000d pushad 0x0000000e mov edi, 2318D52Ah 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A01519 second address: 7A015B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [edx+2Ch], ecx 0x00000009 pushad 0x0000000a mov dh, AFh 0x0000000c popad 0x0000000d mov ax, word ptr [esi+30h] 0x00000011 pushad 0x00000012 push ebx 0x00000013 mov edi, eax 0x00000015 pop ecx 0x00000016 popad 0x00000017 mov word ptr [edx+30h], ax 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FD4D8D06B8Dh 0x00000022 add ecx, 55BAB606h 0x00000028 jmp 00007FD4D8D06B91h 0x0000002d popfd 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FD4D8D06B8Eh 0x00000035 sub ch, FFFFFFA8h 0x00000038 jmp 00007FD4D8D06B8Bh 0x0000003d popfd 0x0000003e pushfd 0x0000003f jmp 00007FD4D8D06B98h 0x00000044 or esi, 4E749708h 0x0000004a jmp 00007FD4D8D06B8Bh 0x0000004f popfd 0x00000050 popad 0x00000051 popad 0x00000052 mov ax, word ptr [esi+32h] 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A015B1 second address: 7A015B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A015B5 second address: 7A015BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A015BB second address: 7A015D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 mov di, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [edx+32h], ax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD4D8EEB82Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A015D9 second address: 7A015F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+34h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD4D8D06B8Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A015F4 second address: 7A0160C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8EEB834h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A0160C second address: 7A0161E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+34h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movzx ecx, bx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRDTSC instruction interceptor: First address: 7A0161E second address: 7A01624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7eDrKI88k8.exeSpecial instruction interceptor: First address: 151A433 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\7eDrKI88k8.exeSpecial instruction interceptor: First address: 137BA36 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\7eDrKI88k8.exeSpecial instruction interceptor: First address: 15AD3AD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
Source: C:\Users\user\Desktop\7eDrKI88k8.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
Source: C:\Users\user\Desktop\7eDrKI88k8.exeCode function: 0_2_079D0ADB rdtsc 0_2_079D0ADB
Source: C:\Users\user\Desktop\7eDrKI88k8.exeAPI coverage: 4.6 %
Source: C:\Users\user\Desktop\7eDrKI88k8.exe TID: 5064Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\7eDrKI88k8.exe TID: 5064Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\7eDrKI88k8.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: 7eDrKI88k8.exe, 7eDrKI88k8.exe, 00000000.00000002.2440805498.00000000014F7000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 7eDrKI88k8.exe, 00000000.00000003.2112448237.0000000001FD1000.00000004.00000020.00020000.00000000.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2113001663.0000000001FD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: 7eDrKI88k8.exe, 00000000.00000003.2114947049.0000000007261000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlK'
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 7eDrKI88k8.exe, 00000000.00000002.2441395812.0000000001F9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 7eDrKI88k8.exe, 00000000.00000002.2440805498.00000000014F7000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | File opened: NTICE
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | File opened: SICE
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Code function: 0_2_079D0ADB rdtsc 0_2_079D0ADB
Source: 7eDrKI88k8.exe, 7eDrKI88k8.exe, 00000000.00000002.2440805498.00000000014F7000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: &Program Manager
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\7eDrKI88k8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK matrix, listed per tactic (the number in front of a technique is the count of matching signatures; techniques without a number were not observed):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 2 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 24 Virtualization/Sandbox Evasion; 2 Process Injection; 1 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 751 Security Software Discovery; 24 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 214 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label
7eDrKI88k8.exe | 50% | Virustotal |
7eDrKI88k8.exe | 66% | ReversingLabs | Win32.Trojan.Amadey
7eDrKI88k8.exe | 100% | Avira | TR/Crypt.TPM.Gen
7eDrKI88k8.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
httpbin.org | 98.85.100.80 | true | false | | high
home.fivetk5ht.top | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://html4/loose.dtd | 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp | 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://httpbin.org/ipbefore | 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/http-cookies.html | 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851 | 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000002.2441395812.0000000001F9E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17 | 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.4.dr | false | | high
https://curl.se/docs/alt-svc.html | 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.css | 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.jpg | 7eDrKI88k8.exe, 00000000.00000002.2440292828.000000000120D000.00000040.00000001.01000000.00000003.sdmp, 7eDrKI88k8.exe, 00000000.00000003.2081400495.0000000007CD6000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17345798514fd4 | 7eDrKI88k8.exe, 00000000.00000002.2441395812.0000000001F9E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
98.85.100.80 | httpbin.org | United States | 11351 | TWC-11351-NORTHEASTUS | false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1579681
                                Start date and time:2024-12-23 07:29:04 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 14s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:8
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:7eDrKI88k8.exe
                                renamed because original name is a hash value
                                Original Sample Name:de977c9c79ceebdf86d4cb38408d7ce4.exe
                                Detection:MAL
                                Classification:mal100.evad.winEXE@2/5@14/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:Failed
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 104.208.16.94, 40.126.53.21, 13.107.246.63, 4.245.163.56
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Time | Type | Description
01:30:04 | API Interceptor | 6x Sleep call for process: 7eDrKI88k8.exe modified
01:30:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
98.85.100.80 | t9iCli9iWK.exe | malicious | Clipboard Hijacker, Cryptbot |
98.85.100.80 | uwa78qqv0x.exe | malicious | Unknown |
98.85.100.80 | fW6RLQpTIt.exe | malicious | Cryptbot |
98.85.100.80 | p3a0oZ4U7X.exe | malicious | Unknown |
98.85.100.80 | 3mwHWIPiSo.exe | malicious | Cryptbot |
98.85.100.80 | QeM0UAj5PK.exe | malicious | Unknown |
98.85.100.80 | GO33c8HVWG.exe | malicious | Clipboard Hijacker, Cryptbot |
98.85.100.80 | 5JfTgoNUcB.exe | malicious | Clipboard Hijacker, Cryptbot |
98.85.100.80 | 7XioudDqb8.exe | malicious | Clipboard Hijacker, Cryptbot |
98.85.100.80 | gVMKOpATpQ.exe | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | Gy53Tq6BdK.exe | malicious | Unknown | 34.226.108.155
httpbin.org | HRpFufG1LJ.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | t9iCli9iWK.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | uwa78qqv0x.exe | malicious | Unknown | 98.85.100.80
httpbin.org | OmLwjD18cO.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | N3s5DQ51YF.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | fW6RLQpTIt.exe | malicious | Cryptbot | 98.85.100.80
httpbin.org | p3a0oZ4U7X.exe | malicious | Unknown | 98.85.100.80
httpbin.org | 3mwHWIPiSo.exe | malicious | Cryptbot | 98.85.100.80
httpbin.org | QeM0UAj5PK.exe | malicious | Unknown | 98.85.100.80

Match | Associated Sample Name / URL | Detection | Threat Name | Context
TWC-11351-NORTHEASTUS | t9iCli9iWK.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | uwa78qqv0x.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | fW6RLQpTIt.exe | malicious | Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | p3a0oZ4U7X.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | 3mwHWIPiSo.exe | malicious | Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | QeM0UAj5PK.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | GO33c8HVWG.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | 5JfTgoNUcB.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | 7XioudDqb8.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | gVMKOpATpQ.exe | malicious | Unknown | 98.85.100.80
                                                    No context
                                                    No context
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.9420486053026765
                                                    Encrypted:false
                                                    SSDEEP:96:hVF0vs4hIGhpJfZQXIDcQvc6QcEVcw3cE/H+HbHg/8BRTf3Oy1oVazW0dPtZrcFo:Tuv00BU/Aju0ZrPMtwzuiFAZ24IO87
                                                    MD5:2BBDC5A6E5F41E91D2EB8D88C4437E5C
                                                    SHA1:B7CD02458B1F895F44F7EB1B7594086E05CB4F91
                                                    SHA-256:01D50AE0396E1BD5B42B7789F3B54EEE6F5FF1E4DF3791FE19CA85C79C9BF905
                                                    SHA-512:F3FE2E8D6378046CE2934C72423127539B8C3E84082FA384061D414039E3F20ABAC8D9CCE3913EB8B70434CA85C459550B0DA6B14EDE36059910E4B40BD8FDD2
                                                    Malicious:true
                                                    Reputation:low
                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.0.9.0.0.6.9.9.2.4.4.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.0.9.0.0.7.5.0.8.0.7.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.6.0.c.2.5.d.5.-.2.4.7.e.-.4.c.f.d.-.8.2.c.6.-.c.6.1.5.a.b.0.2.2.7.5.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.8.0.a.6.d.1.-.e.1.5.f.-.4.5.6.5.-.a.9.3.d.-.b.f.5.1.a.b.d.d.b.3.4.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.7.e.D.r.K.I.8.8.k.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.0.c.-.0.0.0.1.-.0.0.1.4.-.1.8.3.a.-.4.d.1.6.0.4.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.0.0.9.f.f.4.6.f.6.3.0.7.1.0.0.b.a.a.a.2.8.2.1.d.1.e.9.a.3.0.0.0.0.f.f.f.f.!.0.0.0.0.2.f.f.b.1.9.e.7.b.c.8.1.0.9.b.b.8.0.3.3.c.1.d.6.e.2.5.f.4.a.e.2.f.e.4.9.b.3.c.6.!.7.e.D.r.K.I.8.8.k.8...e.x.e.....T.a.r.g.e.t.A.p.p.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 15 streams, Mon Dec 23 06:30:07 2024, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):208510
                                                    Entropy (8bit):1.4416278691911804
                                                    Encrypted:false
                                                    SSDEEP:768:CY+ITjEqvEYVFSvlhg6v6Qo5+b2msqU3bdNL:D+IT1gXg6v6F51HqU3bT
                                                    MD5:56088966CFFCD32FB6240FE32E3E7D2B
                                                    SHA1:2CDA723D74A541EC35F9C4C46269509DAEA67BF0
                                                    SHA-256:A37703E59C159B6BA24160229496BFF4EF74D9D17621D3D1A836937DB5B57074
                                                    SHA-512:887A566C74739EDEBDCBA90A30DF9FA2FE7E557290F16825DD787F6651EB8605663CAEE30AF99EBE8544ACA877F7AE59E469449261FEA623C028A380D2AE4BD5
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:MDMP..a..... .......o.ig............D...........D...X............ ......4....z..........`.......8...........T...........H,..6........... !...........#..............................................................................eJ.......#......GenuineIntel............T...........e.ig.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8348
                                                    Entropy (8bit):3.699150715485504
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJlh6ZA6YEIYSUSogmfIbAprh89bobPsfiujm:R6lXJD6u6YE3SUSogmfIbzob0fr6
                                                    MD5:8F4592518C7EACD74CF85B8D2A8AA901
                                                    SHA1:4D9BFE724B5CCB3A9419365758E32CB8DEA71351
                                                    SHA-256:E1681FCAEE334A9404FC3860ED78F449B61C7D80175AEEC33BEC0A763D4D2794
                                                    SHA-512:153BD481A3987D4497307F9FE3240AB6CEF7B5229942E3F55F9F1CDF5334C56A25E0D1FCE8C0E579F75883D1CD094CB70B5C6681BD35EC792700107B5DE3CF22
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.1.2.<./.P.i.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4594
                                                    Entropy (8bit):4.463590446195277
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsnJJg77aI9xuWpW8VYEwYm8M4Jz5FDko+q8CZ29+TziId:uIjfnbI7TP7VVJYoe9MziId
                                                    MD5:2D410F5923537F14880FA9038082822F
                                                    SHA1:207474FF14DF4C749E295582C77C9F815957414E
                                                    SHA-256:BDF42B8A25D05573D6456E5442FD8CD8CAB4FF0BD70A8A3CFB6B538EFC64AF70
                                                    SHA-512:0B36271BF921157BF1C0426A350FAF3669E3085AF0D9E5B6D2423CB06E421A1FB3EFD399ACE101EF1F602DB2E7653A717AD07A7390C98288F3D215F085BE8F22
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643532" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1835008
                                                    Entropy (8bit):4.421540909842255
                                                    Encrypted:false
                                                    SSDEEP:6144:iSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:xvloTMW+EZMM6DFy803w
                                                    MD5:948FD486689C8D4974F47BB459D0E603
                                                    SHA1:F7D0954C2E0F4C66E0763E7E7E5C36DB1D6813AC
                                                    SHA-256:C8C06AA153972D67E32A578F774BAFD628E6C8A0F7CAA6B761136FABC54E7E43
                                                    SHA-512:9390F17B228BC1B88AD0C33895E7425C1BFE2090C33900810F28B8F76361C956D11D7749CC31B377A8BD9CF62DE2F8115972FC62663CE631B78B22ABBFA7E37E
                                                    Malicious:false
                                                    Reputation:low
Preview:regf ... \AppCompat\Programs\Amcache.hve ... (remainder of the preview is binary registry hive data)
                                                    File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                    Entropy (8bit):7.982246601071513
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • VXD Driver (31/22) 0.00%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:7eDrKI88k8.exe
                                                    File size:4'453'888 bytes
                                                    MD5:de977c9c79ceebdf86d4cb38408d7ce4
                                                    SHA1:2ffb19e7bc8109bb8033c1d6e25f4ae2fe49b3c6
                                                    SHA256:ad3fb64aaa0680e21de914b77e3502a6c82860f333fa3d2415cb9a7a93b9b893
                                                    SHA512:19067b298995a405ac3768b6586cd456598af7a9703551eccb1caf8c30c1e126abf9d4f80001f1fcd1c201dd0cf30f99cdd77ef5b5e2feffbcdd7887e29932b0
                                                    SSDEEP:98304:Kaua74mStU3HGwZEUy8d8NfvTSaVU/86jAZKBK8NYBixzRIZp:Kau8JbZEJFhvTrWjA8Bl1xs
                                                    TLSH:BA263347629FC3BCCA2981B61A127DA8B23DC12D1221AF39277EF4E5B09579C7C8D117
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...........pH...@..................................\D...@... ............................
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x1088000
                                                    Entrypoint Section:.taggant
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                    DLL Characteristics:DYNAMIC_BASE
                                                    Time Stamp:0x67639809 [Thu Dec 19 03:50:33 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                    Instruction
                                                    jmp 00007FD4D887726Ah
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x74705f         0x73          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x746000         0x1ac         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc86b2c         0x10          urwcuhgx
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xc86adc         0x18          urwcuhgx
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity       File Type              Entropy             Characteristics
(none)    0x1000           0x745000      0x284c00  81956a4ef4eb4a90c6bf105927120e9c  unknown   unknown               unknown                unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x746000         0x1ac         0x200     bfe8f8d5e36144a9b4c430c0ae657e50  False     0.583984375           data                   4.538256320421013   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x747000         0x1000        0x200     e84636d45557e74dadd0f14f36394655  False     0.166015625           data                   1.1471680400846989  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(none)    0x748000         0x388000      0x200     d8fe7d2cc697b1b89c64d18f238cef88  unknown   unknown               unknown                unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
urwcuhgx  0xad0000         0x1b7000      0x1b6e00  886543571b09b768704b21b244c21bcd  False     0.9946540782540587    data                   7.956495964615325   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hijjtfti  0xc87000         0x1000        0x400     40e17c7fc844853a4fa06e44f5ae5f38  False     0.7919921875          data                   6.124861385136671   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  0xc88000         0x3000        0x2200    83d7b5cab19abf51404803c7cc94d3c4  False     0.057904411764705885  DOS executable (COM)   0.7398305233189073  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name         RVA       Size   Type                                    Language  Country  ZLIB Complexity
RT_MANIFEST  0xc86b3c  0x152  ASCII text, with CRLF line terminators                     0.6479289940828402
DLL           Import
kernel32.dll  lstrcpy
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Dec 23, 2024 07:30:00.791964054 CET  192.168.2.5  1.1.1.1  0x5431    Standard query (0)  httpbin.org         A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:00.792085886 CET  192.168.2.5  1.1.1.1  0xff55    Standard query (0)  httpbin.org         28 (AAAA)       IN (0x0001)  false
Dec 23, 2024 07:30:04.739967108 CET  192.168.2.5  1.1.1.1  0x3ebe    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:04.740098953 CET  192.168.2.5  1.1.1.1  0x4055    Standard query (0)  home.fivetk5ht.top  28 (AAAA)       IN (0x0001)  false
Dec 23, 2024 07:30:05.762770891 CET  192.168.2.5  1.1.1.1  0xd02d    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:05.762830973 CET  192.168.2.5  1.1.1.1  0x5b28    Standard query (0)  home.fivetk5ht.top  28 (AAAA)       IN (0x0001)  false
Dec 23, 2024 07:30:06.129865885 CET  192.168.2.5  1.1.1.1  0x2ff0    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:06.129951954 CET  192.168.2.5  1.1.1.1  0xeaf     Standard query (0)  home.fivetk5ht.top  28 (AAAA)       IN (0x0001)  false
Dec 23, 2024 07:30:06.480345964 CET  192.168.2.5  1.1.1.1  0x53f9    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:06.480482101 CET  192.168.2.5  1.1.1.1  0xcffb    Standard query (0)  home.fivetk5ht.top  28 (AAAA)       IN (0x0001)  false
Dec 23, 2024 07:30:06.830359936 CET  192.168.2.5  1.1.1.1  0xc38b    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:06.830425978 CET  192.168.2.5  1.1.1.1  0x2026    Standard query (0)  home.fivetk5ht.top  28 (AAAA)       IN (0x0001)  false
Dec 23, 2024 07:30:07.349426031 CET  192.168.2.5  1.1.1.1  0x91ad    Standard query (0)  home.fivetk5ht.top  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:07.349520922 CET  192.168.2.5  1.1.1.1  0xe0f     Standard query (0)  home.fivetk5ht.top  28 (AAAA)       IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                CName  Address         Type            Class        DNS over HTTPS
Dec 23, 2024 07:30:01.100142002 CET  1.1.1.1    192.168.2.5  0x5431    No error (0)    httpbin.org                98.85.100.80    A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:01.100142002 CET  1.1.1.1    192.168.2.5  0x5431    No error (0)    httpbin.org                34.226.108.155  A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:05.375122070 CET  1.1.1.1    192.168.2.5  0x3ebe    Name error (3)  home.fivetk5ht.top  none   none            A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:05.549916029 CET  1.1.1.1    192.168.2.5  0x4055    Name error (3)  home.fivetk5ht.top  none   none            28 (AAAA)       IN (0x0001)  false
Dec 23, 2024 07:30:05.901261091 CET  1.1.1.1    192.168.2.5  0xd02d    Name error (3)  home.fivetk5ht.top  none   none            A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:05.901278019 CET  1.1.1.1    192.168.2.5  0x5b28    Name error (3)  home.fivetk5ht.top  none   none            28 (AAAA)       IN (0x0001)  false
Dec 23, 2024 07:30:06.267560959 CET  1.1.1.1    192.168.2.5  0x2ff0    Name error (3)  home.fivetk5ht.top  none   none            A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:06.267579079 CET  1.1.1.1    192.168.2.5  0xeaf     Name error (3)  home.fivetk5ht.top  none   none            28 (AAAA)       IN (0x0001)  false
Dec 23, 2024 07:30:06.618287086 CET  1.1.1.1    192.168.2.5  0xcffb    Name error (3)  home.fivetk5ht.top  none   none            28 (AAAA)       IN (0x0001)  false
Dec 23, 2024 07:30:06.618304968 CET  1.1.1.1    192.168.2.5  0x53f9    Name error (3)  home.fivetk5ht.top  none   none            A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:06.970232964 CET  1.1.1.1    192.168.2.5  0x2026    Name error (3)  home.fivetk5ht.top  none   none            28 (AAAA)       IN (0x0001)  false
Dec 23, 2024 07:30:06.970251083 CET  1.1.1.1    192.168.2.5  0xc38b    Name error (3)  home.fivetk5ht.top  none   none            A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:07.486109018 CET  1.1.1.1    192.168.2.5  0x91ad    Name error (3)  home.fivetk5ht.top  none   none            A (IP address)  IN (0x0001)  false
Dec 23, 2024 07:30:07.486138105 CET  1.1.1.1    192.168.2.5  0xe0f     Name error (3)  home.fivetk5ht.top  none   none            28 (AAAA)       IN (0x0001)  false
                                                    • httpbin.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49704        98.85.100.80    443               6412  C:\Users\user\Desktop\7eDrKI88k8.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 06:30:02 UTC  52                 OUT        GET /ip HTTP/1.1
                                                       Host: httpbin.org
                                                       Accept: */*
2024-12-23 06:30:03 UTC  224                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 23 Dec 2024 06:30:03 GMT
                                                       Content-Type: application/json
                                                       Content-Length: 31
                                                       Connection: close
                                                       Server: gunicorn/19.9.0
                                                       Access-Control-Allow-Origin: *
                                                       Access-Control-Allow-Credentials: true
2024-12-23 06:30:03 UTC  31                 IN         Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                       Data Ascii: { "origin": "8.46.123.189"}


                                                    Target ID:0
                                                    Start time:01:29:58
                                                    Start date:23/12/2024
                                                    Path:C:\Users\user\Desktop\7eDrKI88k8.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\7eDrKI88k8.exe"
                                                    Imagebase:0xc30000
                                                    File size:4'453'888 bytes
                                                    MD5 hash:DE977C9C79CEEBDF86D4CB38408D7CE4
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:01:30:06
                                                    Start date:23/12/2024
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6412 -s 1128
                                                    Imagebase:0x970000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:0.2%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:118
                                                      Total number of Limit Nodes:13
                                                      execution_graph (118 nodes, 13 limit nodes; the flat node/edge list of the graph image is summarised here by address range). Three address ranges reach the Windows API:
                                                      • 079F0000 range, entry blocks 79f0000, 79f0007, 79f003a, 79f0364: GetLogicalDrives (graph blocks 79f0028, 79f0043, 79f004f, 79f0369; the call site is 079F0369 as listed in the APIs entries of the control-flow graphs below)
                                                      • 07A30000 range, entry blocks 7a30000, 7a30059, 7a3007d, 7a300be, 7a3013b, 7a30153, 7a301cd: Process32FirstW (graph blocks 7a301ac, 7a301dc, 7a301fc, 7a30202; the collapsed blocks 7a30189 and 7a30074 are labelled "2 API calls" and "3 API calls")
                                                      • 07A40000 range, entry blocks 7a40000, 7a402f0, 7a40348, 7a40387, 7a4040d, 7a40432, 7a40453, 7a4049a, 7a404b9: Process32NextW (graph blocks 7a403f9, 7a4044d, 7a4045f, 7a4049e, 7a404bf)
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442657547.00000000079D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79d0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ff2720488996d7949f1061ffc88fd0eec86c2dca952e6245cc637c6072d0860b
                                                      • Instruction ID: b03a912f08bd98f8d8a56b8600e09501f7c7c30e933c8a3fa77b8c008b5e369b
                                                      • Opcode Fuzzy Hash: ff2720488996d7949f1061ffc88fd0eec86c2dca952e6245cc637c6072d0860b
                                                      • Instruction Fuzzy Hash: 0A01D2F653C108FDAA1285899B50BFA766EE69723CF30CC62F40B6A601E3D81E155172

                                                      Control-flow Graph

                                                      • 0: 79f00c0-79f0358 -> 28
                                                      • 28: 79f035f-79f0369 GetLogicalDrives -> 30
                                                      • 30: 79f036e-79f0662
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\$ZXZX
                                                      • API String ID: 999431828-590421744
                                                      • Opcode ID: 1516a2f5c2b1f632c940d0e4f6e6e3a803039ebc962da47dc3abeb85a4cdf54e
                                                      • Instruction ID: b597071a30f3793ebf2697049fc63b2b27e21878a631b1dde5c25c6bec0de5da
                                                      • Opcode Fuzzy Hash: 1516a2f5c2b1f632c940d0e4f6e6e3a803039ebc962da47dc3abeb85a4cdf54e
                                                      • Instruction Fuzzy Hash: 3671E6EB26C121BD7142914E1F54AFB6A6FF1C7778B308926F607C2A43F2D40B495232

                                                      Control-flow Graph

                                                      • 64: 79f003a-79f004d -> 65, 66
                                                      • 65: 79f004f-79f0074 -> 68
                                                      • 66: 79f007a-79f007c -> 68
                                                      • 68: 79f007f-79f0358 -> 99
                                                      • 99: 79f035f-79f0369 GetLogicalDrives -> 101
                                                      • 101: 79f036e-79f0662
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: 3305e1dd13ce4df1089029b58bc5325e4703c6c5e874ee4df5aca8fe8fd6d1f5
                                                      • Instruction ID: 9d6582b0fab49c224850d23d265efd924ec5193525e14b452c250868687ef02d
                                                      • Opcode Fuzzy Hash: 3305e1dd13ce4df1089029b58bc5325e4703c6c5e874ee4df5aca8fe8fd6d1f5
                                                      • Instruction Fuzzy Hash: 8481D5EB26C121BD6142914E2F54AFB6B6EE1C3778B308827F607D6A43F2D44B495332

                                                      Control-flow Graph

                                                      • 135: 79f0028-79f0358 -> 170
                                                      • 170: 79f035f-79f0369 GetLogicalDrives -> 172
                                                      • 172: 79f036e-79f0662
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 5202eaab4cc67dbed43cbb254edd3b6548aa0e126b15f3e457e505fb13452b70
                                                      • Instruction ID: c2825c06b38b231ea6ff6231124c5c4c6a1b2087cbe17725301b005227d6229a
                                                      • Opcode Fuzzy Hash: 5202eaab4cc67dbed43cbb254edd3b6548aa0e126b15f3e457e505fb13452b70
                                                      • Instruction Fuzzy Hash: B681B3EB26C121BD7142914E2F54AFB6A6FE1D7738B308827FA07C5A43F2D44B495232

                                                      Control-flow Graph

                                                      • 206: 79f0096-79f0358 -> 236
                                                      • 236: 79f035f-79f0369 GetLogicalDrives -> 238
                                                      • 238: 79f036e-79f0662
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 89dc60064773f03c507e5e604467469d4f3f1a3f226a487acc6c3ab62fe12f65
                                                      • Instruction ID: 22c2e157c5054e0a3d28df2233509fe8f98030140f8098376bb99ffaf5395d10
                                                      • Opcode Fuzzy Hash: 89dc60064773f03c507e5e604467469d4f3f1a3f226a487acc6c3ab62fe12f65
                                                      • Instruction Fuzzy Hash: 3871B6EB26C125BD7142914E2F54AFB6A6EE1C7778B308827F607D1A43F2D44B4D5232

                                                      Control-flow Graph

                                                      • 272: 79f00e6-79f00ff -> 273, 274
                                                      • 273: 79f0178-79f017e -> 276
                                                      • 274: 79f0101-79f0175 -> 276
                                                      • 276: 79f0180-79f0358 -> 301
                                                      • 301: 79f035f-79f0369 GetLogicalDrives -> 303
                                                      • 303: 79f036e-79f0662
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: 96a4dec1a6e85b60bb9f5d323fd75aea2cbd837a9f6351db65f56d3e766413c4
                                                      • Instruction ID: d127c2f02c9c7fd191eef652799c3150c8fdbcdbcb1f6e0e181ad76ca3ebacc6
                                                      • Opcode Fuzzy Hash: 96a4dec1a6e85b60bb9f5d323fd75aea2cbd837a9f6351db65f56d3e766413c4
                                                      • Instruction Fuzzy Hash: C371D6EB26D125BD6242918E1F549FA6B6EE5C7738B308827F607C6A43F2D40B495332

                                                      Control-flow Graph

                                                      • 337: 79f00b3-79f0358 -> 367
                                                      • 367: 79f035f-79f0369 GetLogicalDrives -> 369
                                                      • 369: 79f036e-79f0662
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 493d23eb06a6d8e38d843f37856582ae6acf2e44286dc115d9717344502b5e20
                                                      • Instruction ID: aae66518879153d59650898148c401163a148610029e817a8d8f0e99ac467833
                                                      • Opcode Fuzzy Hash: 493d23eb06a6d8e38d843f37856582ae6acf2e44286dc115d9717344502b5e20
                                                      • Instruction Fuzzy Hash: B171B5EB26C125BD7142914E2F54AFB6A6FF1D7738B308826F607D5A43F2D40B495231

                                                      Control-flow Graph

                                                      • 403: 79f010c-79f010d -> 404, 405
                                                      • 404: 79f010f-79f0113 -> 405
                                                      • 405: 79f0114-79f0358 -> 429
                                                      • 429: 79f035f-79f0369 GetLogicalDrives -> 431
                                                      • 431: 79f036e-79f0662
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: 2799bda9b08f728c4ed1a2b26d8a3b7fd33ce8dcec84b31aacba33dfbc1b4fb3
                                                      • Instruction ID: de144f86675f302db50af04c36a9ad95f679c46cdc0d314d40ddb2f38f03c4b0
                                                      • Opcode Fuzzy Hash: 2799bda9b08f728c4ed1a2b26d8a3b7fd33ce8dcec84b31aacba33dfbc1b4fb3
                                                      • Instruction Fuzzy Hash: 1C71C2EB26C121BD6142818E1F54AFA6B6EF1C7738B308926F607C6A43F2D54A495372

                                                      Control-flow Graph

                                                      • 465: 79f0169-79f016a -> 466, 467
                                                      • 466: 79f016c-79f016e -> 469
                                                      • 467: 79f012a-79f0163 -> 469
                                                      • 469: 79f016f-79f0358 -> 491
                                                      • 491: 79f035f-79f0369 GetLogicalDrives -> 493
                                                      • 493: 79f036e-79f0662
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: f34c270926f5c9f30d77c27cb780501a06dcfa75af49eeb703f4f5c7d9201ed9
                                                      • Instruction ID: 6fffe6a8390894ee8e2bbb2c99fb715d42c7bab8a3e02ed65753b6ab2caf1a69
                                                      • Opcode Fuzzy Hash: f34c270926f5c9f30d77c27cb780501a06dcfa75af49eeb703f4f5c7d9201ed9
                                                      • Instruction Fuzzy Hash: A571D3EB26C121BD6142818E2F54AFB6B6EF1C7778B308D26F607C6A43F2D44B495271

                                                      Control-flow Graph

                                                      • 527: 79f0145-79f0358 -> 551
                                                      • 551: 79f035f-79f0369 GetLogicalDrives -> 553
                                                      • 553: 79f036e-79f0662
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: fe6996cbbb548002ce7672edcfe4f973b5d83c953d4435480cd06bc2c7134680
                                                      • Instruction ID: 4f4d3e0360572264d5a2186a026eb3c50ec53b97edf299964512388e7fb31c17
                                                      • Opcode Fuzzy Hash: fe6996cbbb548002ce7672edcfe4f973b5d83c953d4435480cd06bc2c7134680
                                                      • Instruction Fuzzy Hash: 7F61D4EB26C121BD7142918E2F54AFB6A6FF1C3738B308926F607C2A43F2D44B495231

                                                      Control-flow Graph

                                                      • 587: 79f0155-79f0358 -> 610
                                                      • 610: 79f035f-79f0369 GetLogicalDrives -> 612
                                                      • 612: 79f036e-79f0662
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 056f1b6dd9b23236984ed188e691d31d64b34848e42c5409d6582b46fe1f56b3
                                                      • Instruction ID: f44c071370fc88cd092f1cfd768a8feb6c0514cdf6fb15c04b49d1ad90d9949b
                                                      • Opcode Fuzzy Hash: 056f1b6dd9b23236984ed188e691d31d64b34848e42c5409d6582b46fe1f56b3
                                                      • Instruction Fuzzy Hash: 2961D4EB26C125BD6142918E1F54AFB6A6FF1C7738B308926F507D2A43F2D44B495231

                                                      Control-flow Graph

                                                      • 646: 79f018e-79f0358 -> 665
                                                      • 665: 79f035f-79f0369 GetLogicalDrives -> 667
                                                      • 667: 79f036e-79f0662
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 58d6d59bf489528b78bb03726eaea793d53253dd85f5114762765f3fed6587ed
                                                      • Instruction ID: 8573d753da8b15cb1a6a2da411257cd4042f275321af57654c51e3e757e9bb91
                                                      • Opcode Fuzzy Hash: 58d6d59bf489528b78bb03726eaea793d53253dd85f5114762765f3fed6587ed
                                                      • Instruction Fuzzy Hash: E461F8EB26C121BD6142818E2F549FA6B6EF5C3778B308927F507C2A43F2D44B495331

                                                      Control-flow Graph

                                                      • 701: 79f01b3-79f01be -> 702, 703
                                                      • 702: 79f019f-79f01ae -> 705
                                                      • 703: 79f01c0 -> 705
                                                      • 705: 79f01c2-79f0358 -> 722
                                                      • 722: 79f035f-79f0369 GetLogicalDrives -> 724
                                                      • 724: 79f036e-79f0662
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: 9b7d1f2ee9c2600667ee02e53967a35cf66744b7b62b337d99d90400838650c8
                                                      • Instruction ID: f5a857e376c2a654d91525edde71be10585f70a9cc6419513f77a6d4da6d3b91
                                                      • Opcode Fuzzy Hash: 9b7d1f2ee9c2600667ee02e53967a35cf66744b7b62b337d99d90400838650c8
                                                      • Instruction Fuzzy Hash: 1D61D5EB26C121BE6142818E1F549FA6B6EF5C3778B308827F507C2A43F2D44B495332

                                                      Control-flow Graph

                                                      • 758: 79f0248-79f0249 -> 759, 760
                                                      • 759: 79f024b -> 761, 762
                                                      • 760: 79f0255-79f026d -> 765
                                                      • 761: 79f024d-79f0251 -> 765
                                                      • 762: 79f01e5-79f026d -> 765
                                                      • 765: 79f026e-79f0358 -> 778
                                                      • 778: 79f035f-79f0369 GetLogicalDrives -> 780
                                                      • 780: 79f036e-79f0662
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: e0092e5ca0bfe8f87fce10b080f3b785d450f5a16ca5079f389108f9409e4062
                                                      • Instruction ID: f6fdee06f0fb1c7da416f0e2f7a3aeef98f8aa6c8c2bada7e2d4d050841dfeb2
                                                      • Opcode Fuzzy Hash: e0092e5ca0bfe8f87fce10b080f3b785d450f5a16ca5079f389108f9409e4062
                                                      • Instruction Fuzzy Hash: F451F4EB26C125BD6142918E1F54AFA6B6EE5C7778B308826F907C2A43F2D44F495332

                                                      Control-flow Graph

                                                      • 814: 79f01cd-79f0358 -> 830
                                                      • 830: 79f035f-79f0369 GetLogicalDrives -> 832
                                                      • 832: 79f036e-79f0662
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: bb1808d052d37b4a705f9514cf7b87e98b34ccd84d370ab2f722e1e358b51673
                                                      • Instruction ID: fc4cb1a2fabc1386156e53dcbd31e94720825c863f0cfa9b6e4d759c54511823
                                                      • Opcode Fuzzy Hash: bb1808d052d37b4a705f9514cf7b87e98b34ccd84d370ab2f722e1e358b51673
                                                      • Instruction Fuzzy Hash: 2551D5EB26C125BD6142958E1F54AFB6B6EF5C7778B308826F507C2A43F2D40B495332

                                                      Control-flow Graph

                                                      • 866: 79f01e0-79f0358 -> 881
                                                      • 881: 79f035f-79f0369 GetLogicalDrives -> 883
                                                      • 883: 79f036e-79f0662
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 3df7cfbe88ae47969f2ca02b7cf92b9d6c116c79fb44dbd546143816ee87c578
                                                      • Instruction ID: 30dbc9938fc8f797251990844b77aee98741f4549fc058e670de6f9661b81798
                                                      • Opcode Fuzzy Hash: 3df7cfbe88ae47969f2ca02b7cf92b9d6c116c79fb44dbd546143816ee87c578
                                                      • Instruction Fuzzy Hash: A951D4EB26C125BD6142818E1F54AFB6A6EE1C7778B308926F507D2A43E2D44F495332
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 24c41b4aaeb4eeaf45f4a4c9e1682110e4c29368fa42af24222adefd6947ec93
                                                      • Instruction ID: 1040d1f41559ca67e2ff0df2164c91fc7070e626b8f83cfd00879a6c4e1d09aa
                                                      • Opcode Fuzzy Hash: 24c41b4aaeb4eeaf45f4a4c9e1682110e4c29368fa42af24222adefd6947ec93
                                                      • Instruction Fuzzy Hash: AA51C4EB26C125BD7142918E2F54AFA6A6EF5C7738B308927F507D2A43E2D40F495232
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$A:\
                                                      • API String ID: 0-1047444362
                                                      • Opcode ID: 84b608b6f35bf8c5300a814fae0a89023d26db854317cb2727ad923061a6ca75
                                                      • Instruction ID: e1013e6c1b2df5d997cacbbc0065db4c9147d4f30ef4595fab1080f35f8d06e1
                                                      • Opcode Fuzzy Hash: 84b608b6f35bf8c5300a814fae0a89023d26db854317cb2727ad923061a6ca75
                                                      • Instruction Fuzzy Hash: 8751E6EB16C110BD6142919E1B54AFA6B6EF5C7738B308827F507D2A43E2D40F495332
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: 8435e191cf59b38748464e0e537afe6c766dcc5f70a4b4235177e803837765a6
                                                      • Instruction ID: 4cc0c38263b2e6e12ed265a4c55e60b5ac31dbe2a09b0c1f810d951a7b1434dd
                                                      • Opcode Fuzzy Hash: 8435e191cf59b38748464e0e537afe6c766dcc5f70a4b4235177e803837765a6
                                                      • Instruction Fuzzy Hash: 265119EB16C125BD6242859E1B549FA6B6EF5C3738B308827F507D6A03F2D80F495332
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: ac896bbade9723bb7f003c343a49f9aaa2caa94c84ac200086e660c2a1bfff68
                                                      • Instruction ID: 23b3bde87a1b375973a95d664b2b3d89f986e7d2368e6fda38f38feac6a26774
                                                      • Opcode Fuzzy Hash: ac896bbade9723bb7f003c343a49f9aaa2caa94c84ac200086e660c2a1bfff68
                                                      • Instruction Fuzzy Hash: C151D5EB26C125BD6142918E1F54AFA6B6EE5C7778B308827F507D2A43E2D40F495332
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: fe8c4c1a64b1cf4026714cb1d9a66dee52c381ff44f5ec6b0a069f3f0b7a157f
                                                      • Instruction ID: 0a50d469a6a0afafeb6a2d358cb20e09048804b02e7408fc4a45ac23b41f17b0
                                                      • Opcode Fuzzy Hash: fe8c4c1a64b1cf4026714cb1d9a66dee52c381ff44f5ec6b0a069f3f0b7a157f
                                                      • Instruction Fuzzy Hash: C451D6EB26C125BD7142918E1F54AFA6A6EF5C7738B308827F507D2A43F2D40F495232
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\$A:\
                                                      • API String ID: 999431828-1047444362
                                                      • Opcode ID: ee7c7b9fca3da0426cbc33138a3f86702e6bc264803a8659c798f9e976736a6e
                                                      • Instruction ID: 55304888d43cfd20df94b6b2e47b122918ea56356ba0cc638546b8f81d4e500b
                                                      • Opcode Fuzzy Hash: ee7c7b9fca3da0426cbc33138a3f86702e6bc264803a8659c798f9e976736a6e
                                                      • Instruction Fuzzy Hash: 1C413BE726C120BEA242915E1B546FA6AAEF5D3778F308C26F507C2A43F2D44F495332
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 1d650083ac8028e2143522724bff878a6ec58ae8152166aaa5712c26ec1df41c
                                                      • Instruction ID: 5afb072e9f746b4e1ac1f59cce80d2fc88516e9b37d90293442a91339b66b5c2
                                                      • Opcode Fuzzy Hash: 1d650083ac8028e2143522724bff878a6ec58ae8152166aaa5712c26ec1df41c
                                                      • Instruction Fuzzy Hash: C5412BEB26C120BE6142919E1B546F66A6FF5C7738B308827F507C2A43F2D80F495332
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: f0e4b88b9959fca88d5d7ad09dabe36dc158a51eb9a1fff2dfe9e00da8810fa4
                                                      • Instruction ID: 7c8a89f776e8b9c0a273329100a7f81b3a54625e13889834acf4c5989542ec8d
                                                      • Opcode Fuzzy Hash: f0e4b88b9959fca88d5d7ad09dabe36dc158a51eb9a1fff2dfe9e00da8810fa4
                                                      • Instruction Fuzzy Hash: 6E4107E726D114FD6282919E5B446F66A6EF5C7738B308827F607C6643F2D40F895332
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE(?,?,0D768C41,?,0D768C41), ref: 079F0369
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442690263.00000000079F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79f0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: f049110bbd98d3290d1a5399b2e29694b9bd3ff9e3723deb1c39119573a3961a
                                                      • Instruction ID: e5a297d51cecfbf4b0dafc38fe2a8fa5e65b6ec09b9de1c5841a2e3ccc4fd9ca
                                                      • Opcode Fuzzy Hash: f049110bbd98d3290d1a5399b2e29694b9bd3ff9e3723deb1c39119573a3961a
                                                      • Instruction Fuzzy Hash: 1A3128E726C124BD6182919E1B546F66A6EF1D7378F308927B607C1A43F2C80F895332
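The blocks above all resolve to the same GetLogicalDrives call at 079F0369 with the string "A:\" nearby. The following is an added example, not code from this report or from the sample: it shows what that combination normally means, a drive-letter bitmask being expanded into "X:\" root paths by bumping the first byte of an "A:\" template. It is built without `<windows.h>` so it compiles on any host; the mask values are constructed inputs, not values observed in the sandbox run.

```c
/* Added example, not code from the report or from the sample it analyses.
 * GetLogicalDrives() returns a 32-bit mask in which bit 0 = A:, bit 1 = B:,
 * ... bit 25 = Z:. Callers walk the set bits and rewrite an "A:\" template
 * (the string the dump shows) into each root path. No Windows headers are
 * used; the mask is a constructed sample input. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DRIVES 26
#define ROOT_LEN   4            /* "X:\" plus terminating NUL */

/* Expand a GetLogicalDrives()-style mask into "X:\" root paths.
 * Writes up to MAX_DRIVES entries into roots and returns how many were set. */
size_t decode_logical_drives(uint32_t mask, char roots[MAX_DRIVES][ROOT_LEN])
{
    size_t n = 0;
    for (unsigned bit = 0; bit < MAX_DRIVES; bit++) {
        if (mask & (1u << bit)) {
            /* same transformation as bumping the first byte of "A:\" */
            roots[n][0] = (char)('A' + bit);
            roots[n][1] = ':';
            roots[n][2] = '\\';
            roots[n][3] = '\0';
            n++;
        }
    }
    return n;
}

/* Is a particular drive letter present in the mask? Accepts either case. */
int drive_present(uint32_t mask, char letter)
{
    if (letter >= 'a' && letter <= 'z')
        letter = (char)(letter - 'a' + 'A');
    if (letter < 'A' || letter > 'Z')
        return 0;
    return (int)((mask >> (letter - 'A')) & 1u);
}

int main(void)
{
    /* Constructed sample: only C: and D: present, as on a bare analysis VM. */
    uint32_t mask = (1u << 2) | (1u << 3);
    char roots[MAX_DRIVES][ROOT_LEN];
    size_t n = decode_logical_drives(mask, roots);
    for (size_t i = 0; i < n; i++)
        printf("%s\n", roots[i]);
    printf("A: present: %d\n", drive_present(mask, 'A'));
    return 0;
}
```

On a real Windows host the mask comes from `GetLogicalDrives()` in kernel32; everything after that call is the portable logic shown here, which is why the fingerprint appears as one API call plus the "A:\" string.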
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000D26F,0000D26F,00000044), ref: 07A303AB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442755164.0000000007A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a30000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: mPR
                                                      • API String ID: 2623510744-1418605705
                                                      • Opcode ID: c2a0101ee3145b7de243b8181dd96e2700f51262722785a0986657b82d007a0f
                                                      • Instruction ID: 1139f801b0ad27aad81e2f2ce1fe552fdfee76d99008c22528e2655291eb0fb1
                                                      • Opcode Fuzzy Hash: c2a0101ee3145b7de243b8181dd96e2700f51262722785a0986657b82d007a0f
                                                      • Instruction Fuzzy Hash: 96314BF60AD112BEB2469E811B54AF76B3FE6D7730F304022F537C6542E388474A5172
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000D26F,0000D26F,00000044), ref: 07A303AB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442755164.0000000007A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a30000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: dfa2f97cb948536dbe7398f0a0ca38cf434e043502b652041801d003561851f3
                                                      • Instruction ID: f6ab1091e6580dd073ea12d295fb6eaa466cd528dd324fc522af931cdee2bc8a
                                                      • Opcode Fuzzy Hash: dfa2f97cb948536dbe7398f0a0ca38cf434e043502b652041801d003561851f3
                                                      • Instruction Fuzzy Hash: B83106FB1AD122BEB2468A812B14AF75B3FE6C7770F308026F527C5542E3880B4A5172
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442755164.0000000007A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a30000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 63be4cba8f3aa11b15d94e85660d34c06eb2772eb909eac4b2acd81a42b62aaf
                                                      • Instruction ID: d0964def80836c6f3a7369047344fc5e8d636b12a9da30534e2c30fc2a1a0143
                                                      • Opcode Fuzzy Hash: 63be4cba8f3aa11b15d94e85660d34c06eb2772eb909eac4b2acd81a42b62aaf
                                                      • Instruction Fuzzy Hash: E7312CFB1AD121BEB2469E812B14AF76B3FE6C7730F308026F527C9542E798474A51B1
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000D26F,0000D26F,00000044), ref: 07A303AB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442755164.0000000007A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a30000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 930d7d29a5c2c83f3f1823cf03f19c714ae7ccfeb2d97d247b7a6e2f05f07a92
                                                      • Instruction ID: 887ad33144e6071276112b1e78918ccf9c336f0efcc020fc22023ded0ad6858a
                                                      • Opcode Fuzzy Hash: 930d7d29a5c2c83f3f1823cf03f19c714ae7ccfeb2d97d247b7a6e2f05f07a92
                                                      • Instruction Fuzzy Hash: 1E3138F61BD122BEB2464E816B54AFB6A3FE2D7730F308022F537C5542E3884B4A9171
                                                      APIs
                                                      • Process32NextW.KERNEL32(2FA2C9CD,2FA2C9CD,?,?), ref: 07A404C3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442771712.0000000007A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a40000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 33117bcb9fd354c29145e959c98846a4f3373b9c7c3a19e5edb6714db5dd6832
                                                      • Instruction ID: cecd10d25f4350b2dd45bd0647da8260699b73025d02ed30d47d0e9f3a87a80f
                                                      • Opcode Fuzzy Hash: 33117bcb9fd354c29145e959c98846a4f3373b9c7c3a19e5edb6714db5dd6832
                                                      • Instruction Fuzzy Hash: C12138FB16C110BCB152C1452B24AFB677ED2D7730F31C8A6FA27C1542E28A0A4A3132
                                                      APIs
                                                      • Process32NextW.KERNEL32(2FA2C9CD,2FA2C9CD,?,?), ref: 07A404C3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442771712.0000000007A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a40000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: e3cae1f580fc59f55b94fae5712725968ab19a13c9892e8c553b704356d37a79
                                                      • Instruction ID: 040117f5b581dd2a1548cde6d1d16912088e14b412b18f915dad29c2a2046a52
                                                      • Opcode Fuzzy Hash: e3cae1f580fc59f55b94fae5712725968ab19a13c9892e8c553b704356d37a79
                                                      • Instruction Fuzzy Hash: DD2138FB16C120BCB152D1452B68AFB577ED2D7730F31C8A7FA17C5542E28A0A4A3132
                                                      APIs
                                                      • Process32NextW.KERNEL32(2FA2C9CD,2FA2C9CD,?,?), ref: 07A404C3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442771712.0000000007A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a40000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 3fc6890841922889b64bcc893ae3123132d86af5032aa3fb53f97ca294515db3
                                                      • Instruction ID: c358185a7d74fb3798a956d870e03be803590183dae461c86ec92e6ceac18755
                                                      • Opcode Fuzzy Hash: 3fc6890841922889b64bcc893ae3123132d86af5032aa3fb53f97ca294515db3
                                                      • Instruction Fuzzy Hash: 7021D8FB16C121BCB152D1452B64AFB577ED2D7730F31C8A7FA27C5542E28A4A4A3132
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000D26F,0000D26F,00000044), ref: 07A303AB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442755164.0000000007A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a30000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 5a597de71968b5836f4da7beb51456ec94e2328f6041d1f1cece22b7583e4cd7
                                                      • Instruction ID: 53cb9a8f4f67a761eb17f1da5552f7e641c2d72f7fd10973398a71814200322a
                                                      • Opcode Fuzzy Hash: 5a597de71968b5836f4da7beb51456ec94e2328f6041d1f1cece22b7583e4cd7
                                                      • Instruction Fuzzy Hash: BB218CF617D221AFE30B9EA41B54AF72B3FE693630F208056F537CA942D748074A9271
                                                      APIs
                                                      • Process32NextW.KERNEL32(2FA2C9CD,2FA2C9CD,?,?), ref: 07A404C3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442771712.0000000007A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a40000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: ad84903f9ad0309e8203a7bed10821827d3b87594f5aca91fa043574404f6488
                                                      • Instruction ID: 80b1bb36d7694a060534757a68221f9699e2a5d8e2784ab2ed635c105ab48247
                                                      • Opcode Fuzzy Hash: ad84903f9ad0309e8203a7bed10821827d3b87594f5aca91fa043574404f6488
                                                      • Instruction Fuzzy Hash: C82179F726C120BCB14291812B14BFB5B6ED2D7730F31C8A7FA23D5542E28A0A4A2173
                                                      APIs
                                                      • Process32NextW.KERNEL32(2FA2C9CD,2FA2C9CD,?,?), ref: 07A404C3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442771712.0000000007A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a40000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID: NextProcess32
                                                      • String ID:
                                                      • API String ID: 1850201408-0
                                                      • Opcode ID: 046707034dc4db76fcce3c5eff2c32ddd4eb5ca6309fb2f7f6920494796c4ced
                                                      • Opcode Fuzzy Hash: 793266607ec6cb0c4965b8d35140a089e74d5e8f214d3079f375f6773e9420dc
                                                      • Instruction Fuzzy Hash: C3F0F4F682C20CFAEE029A4D8750BFE762AAB1B27CF30CC56E41B2660193E81E054561
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442657547.00000000079D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79d0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5a8c3247094c87b102b801bbcc4f1370ef8fadd37ecfcb654125b9dc4056ba96
                                                      • Instruction ID: c29c88a2cc0400772f1f1bffab6d7804fcff7ba47ce661e2d83a27b6acc91a43
                                                      • Opcode Fuzzy Hash: 5a8c3247094c87b102b801bbcc4f1370ef8fadd37ecfcb654125b9dc4056ba96
                                                      • Instruction Fuzzy Hash: 71F028F682C108FA9E16864D8351BFD7A6BA71B23CF70C855E41F27A0193EC1F119551
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442657547.00000000079D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79d0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ba4d8fa118983094bfd5108f54ae0944a27742a007ef248a3568d3b6fd2625f2
                                                      • Instruction ID: 62d76624aa22c21397ecc1801330840e85c095187c54b81ba7ebb84774d92a34
                                                      • Opcode Fuzzy Hash: ba4d8fa118983094bfd5108f54ae0944a27742a007ef248a3568d3b6fd2625f2
                                                      • Instruction Fuzzy Hash: 64F028F582C108F9DE068A5D83407E9762AA72B23CF30CC51E00B2660193E81E114661
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442837713.0000000007A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a80000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b58484a1eb99394ad5bb1779142076c3f389ecd503e0b727a437a6df7c983dcb
                                                      • Instruction ID: dcd1d6ed19258b86142f8d08b64d6bbb04944364fb44d7997bc099d3ff0faba3
                                                      • Opcode Fuzzy Hash: b58484a1eb99394ad5bb1779142076c3f389ecd503e0b727a437a6df7c983dcb
                                                      • Instruction Fuzzy Hash: C2F0E9FB16C125FCD6C6B3551B10B7B2936A7D3330F328021F62396549F2E15A4C5071
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442657547.00000000079D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79d0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f87e88327b95620df768b048343888cc601cc693accb3b58f8cb0cced28724d1
                                                      • Instruction ID: 1885f938217d4327e23d7b4d8b83a2cc4fc2b7396919a241a14cc22118ea1202
                                                      • Opcode Fuzzy Hash: f87e88327b95620df768b048343888cc601cc693accb3b58f8cb0cced28724d1
                                                      • Instruction Fuzzy Hash: F4F02EF682C149F8AD03569D47017E9BA6AFB2763DF30CD62D01735602A3DC1F165471
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442837713.0000000007A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a80000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1e16d8ee186c14e038335061da021f9b4a2b366fda7e054638dee1643a8c786e
                                                      • Instruction ID: 9cb96a485c4657c082355b3e0425f16b5a37d3fde08cb06c80f53f64e2ec6ba9
                                                      • Opcode Fuzzy Hash: 1e16d8ee186c14e038335061da021f9b4a2b366fda7e054638dee1643a8c786e
                                                      • Instruction Fuzzy Hash: 2CF0A0FB12C125EC9AC6B76517548BB2D36E5A7330B32C021FA2396909F2E09E4C5160
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442657547.00000000079D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79d0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d86f4d313b59ca2df6974de1da71fc4d88c7b00afd95e8bbe24a8562920370a
                                                      • Instruction ID: 6440e8c64fb7fa5eaf6df1792ad395d396492167bd9f9bfc88a2007908bfb9a2
                                                      • Opcode Fuzzy Hash: 6d86f4d313b59ca2df6974de1da71fc4d88c7b00afd95e8bbe24a8562920370a
                                                      • Instruction Fuzzy Hash: 77F050F6C1C24CEDDF07169507017D9F66AAF1763CF314462D40736102A3D90D115562
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442837713.0000000007A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a80000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a41406634eee91282c70c47c5f0472e7e5ffacf21b675fb43c9685fe2cd6712
                                                      • Instruction ID: 657fea2e73e634415b879a59513f3c2aed2e7495973c8e49ce46444076749e03
                                                      • Opcode Fuzzy Hash: 3a41406634eee91282c70c47c5f0472e7e5ffacf21b675fb43c9685fe2cd6712
                                                      • Instruction Fuzzy Hash: 04E0E5FA00C701DFD746E7119A615FB2BB4DB97730B218422E956D7243F2A06A4D8165
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442837713.0000000007A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a80000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b2d7524f874ed92ed034b7cf659d3c4770f663d770972d890e92b54b47199654
                                                      • Instruction ID: 06b700dfd466229603d8482b1009082b63b5348581794120b873083b894696ee
                                                      • Opcode Fuzzy Hash: b2d7524f874ed92ed034b7cf659d3c4770f663d770972d890e92b54b47199654
                                                      • Instruction Fuzzy Hash: B8E022FB12C115EC5AC6B35007209BB2A36E6E3330B72C026FA2386909F2E05E4C4570
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442837713.0000000007A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a80000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a6940dfc2a00a327a4edadf7225ddb9ced5dbaafd7993b172d5a2ad44db1c23d
                                                      • Instruction ID: d78f9d49cba71e3bfb5974e1a1edd75731c01b977e29ec7c092b671e0a640139
                                                      • Opcode Fuzzy Hash: a6940dfc2a00a327a4edadf7225ddb9ced5dbaafd7993b172d5a2ad44db1c23d
                                                      • Instruction Fuzzy Hash: 40E092FB12C115FCAACAAB5547148BB6A36E6A3330B35C421F523C590AF2E29F1C5670
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442657547.00000000079D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79d0000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4a512cf0f54700a6582fcf9a66373f362149a84ce06cc432aa16c92bd0fcb2de
                                                      • Instruction ID: 077b67f842b2a3cdc33bab0c04d31d0d3a6916b33c93588db1289c7ce705a4ec
                                                      • Opcode Fuzzy Hash: 4a512cf0f54700a6582fcf9a66373f362149a84ce06cc432aa16c92bd0fcb2de
                                                      • Instruction Fuzzy Hash: F2E068F241C008E9DA03469947003DDFA2BA72B23CF308852E00736202E3C51F016536
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442837713.0000000007A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a80000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 211845df6bb7214b055b1714a418878b622e3abb1c2a1997226686d8bd1f04ea
                                                      • Instruction ID: daa2c858d6e0a1bc5cdcda2aab32b1c8fe4d22b07f4f42005b517da414414704
                                                      • Opcode Fuzzy Hash: 211845df6bb7214b055b1714a418878b622e3abb1c2a1997226686d8bd1f04ea
                                                      • Instruction Fuzzy Hash: 9EE020F61BD126FD56C2750148459F32D3AF1477B1B350131F43799E82F384C44E4261
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2442837713.0000000007A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7a80000_7eDrKI88k8.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ac3e4fdd41cb6345079dd6e0a6f50a7be6e73c25fbf13f1d629a3ad448c4fd56
                                                      • Instruction ID: 9e3a2eca381a7824a5032921db45880986053e68368d0539fb58721f61f0819d
                                                      • Opcode Fuzzy Hash: ac3e4fdd41cb6345079dd6e0a6f50a7be6e73c25fbf13f1d629a3ad448c4fd56
                                                      • Instruction Fuzzy Hash: DAC08CF761C352EEE2C2B24012519BB1B66CAAB73027180A2E5428850EF1C72D0E8166