Windows Analysis Report
dCdr6IBojN.exe

Overview

General Information

Sample name: dCdr6IBojN.exe (renamed because original name is a hash value)
Original sample name: 6b2f7dfaa5274d0e0addf60021df87d3.exe
Analysis ID: 1579690
MD5: 6b2f7dfaa5274d0e0addf60021df87d3
SHA1: 5ca3cc38f4a5eead6fedd0984dd8b45f1e4c6e30
SHA256: 9ef7338b3451303b3c85261d963edd712570c9bb6693f6abae81f28887680482
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • dCdr6IBojN.exe (PID: 6628 cmdline: "C:\Users\user\Desktop\dCdr6IBojN.exe" MD5: 6B2F7DFAA5274D0E0ADDF60021DF87D3)
    • WerFault.exe (PID: 6608 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 1124 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: dCdr6IBojN.exe; Avira: detected
Source: dCdr6IBojN.exe; ReversingLabs: Detection: 65%
Source: dCdr6IBojN.exe; Virustotal: Detection: 70%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: dCdr6IBojN.exe; Joe Sandbox ML: detected
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_9a52ad23-c
Source: dCdr6IBojN.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Binary string: 6.pDB source: dCdr6IBojN.exe
Source: global traffic; HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: Joe Sandbox View; IP Address: 34.226.108.155
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: httpbin.org
Source: global traffic; DNS traffic detected: DNS query: home.fivetk5ht.top
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://.css
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://.jpg
Source: dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17
Source: dCdr6IBojN.exe, 00000000.00000002.2043119074.00000000019FE000.00000004.00000020.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2043119074.0000000001A5B000.00000004.00000020.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
Source: dCdr6IBojN.exe, 00000000.00000002.2043119074.00000000019FE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv173457985135a1
Source: dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://html4/loose.dtd
Source: Amcache.hve.4.dr; String found in binary or memory: http://upx.sf.net
Source: dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: https://curl.se/docs/hsts.html
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: https://httpbin.org/ip
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Source: dCdr6IBojN.exe; Static PE information: section name:
Source: dCdr6IBojN.exe; Static PE information: section name: .idata
Source: dCdr6IBojN.exe; Static PE information: section name:
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 1124
Source: dCdr6IBojN.exe; Static PE information: Section: ykxkmfnv ZLIB complexity 0.994632684866724
Source: classification engine; Classification label: mal100.evad.winEXE@2/5@14/1
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6628
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a8490d0d-3b78-4068-8c9d-5c9016c52037
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: dCdr6IBojN.exe; String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown; Process created: C:\Users\user\Desktop\dCdr6IBojN.exe "C:\Users\user\Desktop\dCdr6IBojN.exe"
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Section loaded: windowscodecs.dll
Source: dCdr6IBojN.exe; Static file information: File size 4442624 > 1048576
Source: dCdr6IBojN.exe; Static PE information: Raw size of is bigger than: 0x100000 < 0x284c00
Source: dCdr6IBojN.exe; Static PE information: Raw size of ykxkmfnv is bigger than: 0x100000 < 0x1b4200

Data Obfuscation

Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Unpacked PE file: 0.2.dCdr6IBojN.exe.6c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ykxkmfnv:EW;tftxjewg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ykxkmfnv:EW;tftxjewg:EW;.taggant:EW;
Source: initial sample; Static PE information: section where entry point is pointing to: .taggant
Source: dCdr6IBojN.exe; Static PE information: real checksum: 0x43d696 should be: 0x4488dc
Source: dCdr6IBojN.exe; Static PE information: section name: ykxkmfnv
Source: dCdr6IBojN.exe; Static PE information: section name: tftxjewg
Source: dCdr6IBojN.exe; Static PE information: section name: .taggant
Source: dCdr6IBojN.exe; Static PE information: section name: ykxkmfnv entropy: 7.955847768802401

Boot Survival

Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; Window searched: window name: Filemonclass
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\dCdr6IBojN.exe; File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\dCdr6IBojN.exe; File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: PROCMON.EXE
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: X64DBG.EXE
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: WINDBG.EXE
Source: dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F82B6A second address: F82B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB0E64 second address: FB0E68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB0E68 second address: FB0E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB1306 second address: FB130B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB14BC second address: FB14C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB14C2 second address: FB14C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB14C6 second address: FB14DC instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCF5D4055E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB14DC second address: FB14EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB169E second address: FB16A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB16A4 second address: FB16A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F7DBB7 second address: F7DBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F7DBC2 second address: F7DBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F7DBC8 second address: F7DBCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F7DBCC second address: F7DBD6 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCF5CF17196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F7723A second address: F77259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007FCF5D4055EEh 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F77259 second address: F77273 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCF5CF171A2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB85AF second address: FB85D5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FCF5D4055F9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB85D5 second address: FB85EF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jng 00007FCF5CF17196h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FCF5CF1719Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB85EF second address: FB85F4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB8761 second address: FB8765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB8765 second address: FB87AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FCF5D4055E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d js 00007FCF5D4055E6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jmp 00007FCF5D4055F4h 0x0000001a popad 0x0000001b pushad 0x0000001c jmp 00007FCF5D4055F8h 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 pop eax 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB8904 second address: FB890A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB890A second address: FB8933 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FCF5D4055E6h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FCF5D4055F9h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB8D1F second address: FB8D33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Fh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB8D33 second address: FB8D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FCF5D4055F2h 0x0000000d ja 00007FCF5D4055E8h 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB9F8A second address: FB9F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FB9F8E second address: FB9F94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FBA072 second address: FBA085 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FBA72E second address: FBA738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FBAF6B second address: FBAF71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FBAF71 second address: FBAF75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FBB234 second address: FBB23A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FBB7CF second address: FBB85D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCF5D4055E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FCF5D4055E8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 jmp 00007FCF5D4055F3h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007FCF5D4055E8h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 push 00000000h 0x0000004a push 00000000h 0x0000004c push ecx 0x0000004d call 00007FCF5D4055E8h 0x00000052 pop ecx 0x00000053 mov dword ptr [esp+04h], ecx 0x00000057 add dword ptr [esp+04h], 00000016h 0x0000005f inc ecx 0x00000060 push ecx 0x00000061 ret 0x00000062 pop ecx 0x00000063 ret 0x00000064 mov edi, dword ptr [ebp+122D2FCFh] 0x0000006a xchg eax, ebx 0x0000006b push eax 0x0000006c push edx 0x0000006d jl 00007FCF5D4055E8h 0x00000073 push eax 0x00000074 pop eax 0x00000075 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FBB85D second address: FBB876 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F8114F second address: F8115C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FCF5D4055ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FBDEB8 second address: FBDEBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FBF229 second address: FBF233 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCF5D4055E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FBEFC8 second address: FBEFD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FCF5CF17196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FBFDBE second address: FBFDC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FCF5D4055E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC090F second address: FC0998 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FCF5CF1719Ch 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D2C47h], eax 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007FCF5CF17198h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007FCF5CF17198h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e and esi, dword ptr [ebp+1244E8B0h] 0x00000054 pushad 0x00000055 mov si, 0FD7h 0x00000059 mov ecx, dword ptr [ebp+122D2F60h] 0x0000005f popad 0x00000060 xchg eax, ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 push edi 0x00000065 pop edi 0x00000066 jmp 00007FCF5CF1719Dh 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC05CB second address: FC05CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC05CF second address: FC05D9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCF5CF17196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC1410 second address: FC1432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FCF5D4055E6h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCF5D4055F3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC05D9 second address: FC05EE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCF5CF1719Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC1432 second address: FC143C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FCF5D4055E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC05EE second address: FC05F8 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCF5CF1719Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC1ED3 second address: FC1F1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp], eax 0x0000000d adc edi, 16816422h 0x00000013 push 00000000h 0x00000015 jmp 00007FCF5D4055ECh 0x0000001a push 00000000h 0x0000001c mov di, 2856h 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FCF5D4055EEh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC1F1D second address: FC1F24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC7242 second address: FC7247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC7247 second address: FC724D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC724D second address: FC7251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC641F second address: FC6432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF5CF1719Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC73A6 second address: FC7451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FCF5D4055E8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 jnc 00007FCF5D4055ECh 0x0000002d push dword ptr fs:[00000000h] 0x00000034 call 00007FCF5D4055F4h 0x00000039 mov edi, 1A3366C9h 0x0000003e pop edi 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 mov edi, ebx 0x00000048 mov eax, dword ptr [ebp+122D0A95h] 0x0000004e mov edi, dword ptr [ebp+122D3677h] 0x00000054 or dword ptr [ebp+122D2662h], eax 0x0000005a push FFFFFFFFh 0x0000005c jmp 00007FCF5D4055F3h 0x00000061 pushad 0x00000062 mov esi, 3E56C9F4h 0x00000067 mov ecx, dword ptr [ebp+122D3567h] 0x0000006d popad 0x0000006e nop 0x0000006f push eax 0x00000070 push edx 0x00000071 jo 00007FCF5D4055F1h 0x00000077 jmp 00007FCF5D4055EBh 0x0000007c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC6432 second address: FC6436 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC7451 second address: FC7457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FCA9EB second address: FCAA0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FCF5CF171A7h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FCB776 second address: FCB781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FCF5D4055E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FC7457 second address: FC745B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FCAA0E second address: FCAA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FCB781 second address: FCB794 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FCAA12 second address: FCAA16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FCB794 second address: FCB82C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCF5CF171A7h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov edi, 160D8E3Bh 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007FCF5CF17198h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f pushad 0x00000030 xor eax, dword ptr [ebp+122D3007h] 0x00000036 mov dx, si 0x00000039 popad 0x0000003a push edi 0x0000003b mov edi, 078426CFh 0x00000040 pop ebx 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push esi 0x00000046 call 00007FCF5CF17198h 0x0000004b pop esi 0x0000004c mov dword ptr [esp+04h], esi 0x00000050 add dword ptr [esp+04h], 00000019h 0x00000058 inc esi 0x00000059 push esi 0x0000005a ret 0x0000005b pop esi 0x0000005c ret 0x0000005d jmp 00007FCF5CF1719Eh 0x00000062 push eax 0x00000063 jo 00007FCF5CF1719Eh 0x00000069 push ecx 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FD01C2 second address: FD01CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FD1FFD second address: FD2015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FCF5CF171A1h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FD3192 second address: FD319B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FD52E3 second address: FD52E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FD641E second address: FD6422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FD83E7 second address: FD83EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FD748F second address: FD7494 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F6ECFF second address: F6ED15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FCF5CF171A0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F6ED15 second address: F6ED19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F6ED19 second address: F6ED32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FCF5CF171A0h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FD7537 second address: FD756C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FCF5D4055F6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FCF5D4055F0h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FE0EDD second address: FE0EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 js 00007FCF5CF1719Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FE08B4 second address: FE08BA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FE08BA second address: FE090A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCF5CF171A9h 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007FCF5CF171A2h 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007FCF5CF171A8h 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FE633F second address: FE6352 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCF5D4055E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FE6352 second address: FE6393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCF5CF171A4h 0x00000009 popad 0x0000000a push edx 0x0000000b jmp 00007FCF5CF1719Ch 0x00000010 pop edx 0x00000011 popad 0x00000012 mov eax, dword ptr [eax] 0x00000014 je 00007FCF5CF1719Eh 0x0000001a jo 00007FCF5CF17198h 0x00000020 pushad 0x00000021 popad 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FE6393 second address: FE6397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FE64F4 second address: FE64F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FED1E4 second address: FED1EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FCF5D4055E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FED1EE second address: FED1FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FCF5CF17196h 0x0000000a ja 00007FCF5CF17196h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FEC532 second address: FEC536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: FEC536 second address: FEC540 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCF5CF17196h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 102FA92 second address: 102FAA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 102FAA2 second address: 102FAC2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCF5D4055F0h 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 102FAC2 second address: 102FACA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 102FACA second address: 102FACF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 102FACF second address: 102FADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jg 00007FCF5CF17196h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 102FC24 second address: 102FC28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10303E7 second address: 10303EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 102E93B second address: 102E963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCF5D4055F1h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCF5D4055EFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 102E963 second address: 102E967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1036F72 second address: 1036F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1044007 second address: 1044011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FCF5CF17196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1044011 second address: 1044042 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FCF5D4055F6h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jp 00007FCF5D4055E6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1043A25 second address: 1043A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1043A29 second address: 1043A61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jno 00007FCF5D4055E8h 0x00000014 jmp 00007FCF5D4055F2h 0x00000019 pushad 0x0000001a jnl 00007FCF5D4055E6h 0x00000020 push eax 0x00000021 pop eax 0x00000022 push esi 0x00000023 pop esi 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1043A61 second address: 1043A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1045B11 second address: 1045B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 js 00007FCF5D4055E6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1045B23 second address: 1045B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1045B2E second address: 1045B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FCF5D4055E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1045B3D second address: 1045B58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF171A5h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1045B58 second address: 1045B5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1045CC5 second address: 1045CF5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FCF5CF171A4h 0x00000008 js 00007FCF5CF17196h 0x0000000e pop esi 0x0000000f push ecx 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 jg 00007FCF5CF17196h 0x0000001e pushad 0x0000001f popad 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1045CF5 second address: 1045CFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1045CFA second address: 1045D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FCF5CF17196h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 104D778 second address: 104D77E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1055B15 second address: 1055B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jl 00007FCF5CF17196h 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1055B21 second address: 1055B3C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 push edx 0x00000009 jmp 00007FCF5D4055F0h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F6D2CE second address: F6D2D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: F6D2D5 second address: F6D2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105EAB0 second address: 105EACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jns 00007FCF5CF1719Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCF5CF1719Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105EACF second address: 105EAD9 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCF5D4055E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105D330 second address: 105D334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105D334 second address: 105D33A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105D33A second address: 105D340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105D340 second address: 105D346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105D346 second address: 105D354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCF5CF1719Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105D354 second address: 105D358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105D358 second address: 105D35E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105DA8C second address: 105DA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105DA90 second address: 105DAA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 105DAA2 second address: 105DAA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1063209 second address: 106322A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCF5CF171A8h 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1062D29 second address: 1062D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1062D2F second address: 1062D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCF5CF171A2h 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1062D49 second address: 1062D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 popad 0x00000008 pushad 0x00000009 push ecx 0x0000000a jmp 00007FCF5D4055F2h 0x0000000f pop ecx 0x00000010 jmp 00007FCF5D4055EBh 0x00000015 jc 00007FCF5D4055F0h 0x0000001b jmp 00007FCF5D4055EAh 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FCF5D4055EAh 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1062EE1 second address: 1062EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10647CE second address: 10647D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10647D4 second address: 10647E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF171A0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10647E8 second address: 1064813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FCF5D4055E6h 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FCF5D4055F2h 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pop edx 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 109B381 second address: 109B38B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCF5CF17196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 109B38B second address: 109B391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 109B231 second address: 109B243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jno 00007FCF5CF17196h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10B0D91 second address: 10B0D96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10B3D0A second address: 10B3D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCF5CF171A6h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop ecx 0x0000000f jmp 00007FCF5CF171A9h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10B3D47 second address: 10B3D4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10B3D4D second address: 10B3D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10B3D51 second address: 10B3D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10B3D55 second address: 10B3D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10B383E second address: 10B384F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jl 00007FCF5D4055E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10B384F second address: 10B3872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCF5CF171A8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10B3A0E second address: 10B3A1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007FCF5D4055E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10B3A1D second address: 10B3A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCF5CF17196h 0x0000000a pop edx 0x0000000b push ebx 0x0000000c je 00007FCF5CF17196h 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007FCF5CF1719Bh 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 10B3A42 second address: 10B3A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1177A81 second address: 1177A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCF5CF1719Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1177A97 second address: 1177A9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1177A9B second address: 1177AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FCF5CF1719Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1177AAF second address: 1177AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1177AB3 second address: 1177AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1177AB7 second address: 1177ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1177BEE second address: 1177BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FCF5CF17196h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1177BFB second address: 1177BFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1177BFF second address: 1177C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 1177C05 second address: 1177C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b pushad 0x0000000c jng 00007FCF5D4055EAh 0x00000012 push edi 0x00000013 pop edi 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117829F second address: 11782B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push edi 0x0000000a jns 00007FCF5CF17196h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 11782B0 second address: 11782CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF5D4055F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 11782CC second address: 11782D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 11782D0 second address: 11782E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007FCF5D4055F2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 11782E1 second address: 11782E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 11782E7 second address: 1178303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jno 00007FCF5D4055E6h 0x0000000d jne 00007FCF5D4055E6h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jg 00007FCF5D4055E6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117891C second address: 1178932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jng 00007FCF5CF17196h 0x0000000c pushad 0x0000000d popad 0x0000000e jnl 00007FCF5CF17196h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117BAFA second address: 117BB15 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCF5D4055E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FCF5D4055EEh 0x00000010 js 00007FCF5D4055E6h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117BB15 second address: 117BB21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FCF5CF17196h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117E42E second address: 117E434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117E434 second address: 117E438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117E66A second address: 117E66E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117E66E second address: 117E6C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FCF5CF17198h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 sub edx, dword ptr [ebp+122D38BFh] 0x00000028 push 00000004h 0x0000002a jmp 00007FCF5CF1719Fh 0x0000002f push 5D6C6717h 0x00000034 push ebx 0x00000035 pushad 0x00000036 jmp 00007FCF5CF1719Dh 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 118028C second address: 11802A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055F4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117FDE1 second address: 117FDEB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117FDEB second address: 117FDFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117FDFD second address: 117FE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117FE03 second address: 117FE07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117FE07 second address: 117FE0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 117FE0B second address: 117FE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7471183 second address: 74711EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 89h 0x00000005 pushfd 0x00000006 jmp 00007FCF5CF171A0h 0x0000000b sub ch, FFFFFFD8h 0x0000000e jmp 00007FCF5CF1719Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [edx+14h], eax 0x0000001a pushad 0x0000001b mov edi, ecx 0x0000001d pushad 0x0000001e mov esi, 0E51C1DDh 0x00000023 jmp 00007FCF5CF1719Ah 0x00000028 popad 0x00000029 popad 0x0000002a mov eax, dword ptr [esi+18h] 0x0000002d jmp 00007FCF5CF171A0h 0x00000032 mov dword ptr [edx+18h], eax 0x00000035 pushad 0x00000036 mov di, ax 0x00000039 mov ebx, eax 0x0000003b popad 0x0000003c mov eax, dword ptr [esi+1Ch] 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 mov bh, 80h 0x00000044 pushad 0x00000045 popad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74711EB second address: 7471228 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ch, bl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [edx+1Ch], eax 0x0000000d jmp 00007FCF5D4055ECh 0x00000012 mov eax, dword ptr [esi+20h] 0x00000015 pushad 0x00000016 jmp 00007FCF5D4055EEh 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FCF5D4055F0h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7471228 second address: 7471293 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FCF5CF171A2h 0x00000008 add ch, FFFFFF88h 0x0000000b jmp 00007FCF5CF1719Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 mov dword ptr [edx+20h], eax 0x00000017 pushad 0x00000018 mov edi, ecx 0x0000001a jmp 00007FCF5CF171A0h 0x0000001f popad 0x00000020 mov eax, dword ptr [esi+24h] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FCF5CF1719Dh 0x0000002c xor cx, 8C56h 0x00000031 jmp 00007FCF5CF171A1h 0x00000036 popfd 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7471293 second address: 7471298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7471298 second address: 74712A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF5CF1719Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74712A6 second address: 74712B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+24h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74712B7 second address: 74712CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF171A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74712CF second address: 74713B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+28h] 0x0000000c pushad 0x0000000d call 00007FCF5D4055F4h 0x00000012 pushfd 0x00000013 jmp 00007FCF5D4055F2h 0x00000018 xor esi, 3E629268h 0x0000001e jmp 00007FCF5D4055EBh 0x00000023 popfd 0x00000024 pop eax 0x00000025 pushfd 0x00000026 jmp 00007FCF5D4055F9h 0x0000002b or ax, BC86h 0x00000030 jmp 00007FCF5D4055F1h 0x00000035 popfd 0x00000036 popad 0x00000037 mov dword ptr [edx+28h], eax 0x0000003a pushad 0x0000003b mov di, cx 0x0000003e jmp 00007FCF5D4055F8h 0x00000043 popad 0x00000044 mov ecx, dword ptr [esi+2Ch] 0x00000047 jmp 00007FCF5D4055F0h 0x0000004c mov dword ptr [edx+2Ch], ecx 0x0000004f jmp 00007FCF5D4055F0h 0x00000054 mov ax, word ptr [esi+30h] 0x00000058 jmp 00007FCF5D4055F0h 0x0000005d mov word ptr [edx+30h], ax 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74713B2 second address: 74713B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74713B6 second address: 74713D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74713D3 second address: 74713D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74713D9 second address: 74713DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74713DD second address: 74713E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 747150D second address: 7471512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7471512 second address: 7471518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7471518 second address: 747151C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 747151C second address: 7471547 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or dword ptr [edx+38h], FFFFFFFFh 0x0000000c pushad 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop edx 0x00000010 pop ecx 0x00000011 mov si, di 0x00000014 popad 0x00000015 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FCF5CF171A0h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7471547 second address: 747154D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74B0B9B second address: 74B0BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF5CF1719Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74B0BAB second address: 74B0BBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74B0BBA second address: 74B0BBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74B0BBE second address: 74B0BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74B0BC4 second address: 74B0BDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCF5CF171A7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74B0BDF second address: 74B0BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74B0BE3 second address: 74B0BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edx, esi 0x00000010 jmp 00007FCF5CF1719Ah 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74B0BFE second address: 74B0C04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74B0C04 second address: 74B0C28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCF5CF1719Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74B0C28 second address: 74B0C5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCF5D4055F8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74B0C5A second address: 74B0C60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74607E7 second address: 74607FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7400689 second address: 74006B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCF5CF171A5h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov si, 7799h 0x00000015 mov edi, eax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7400A7F second address: 7400A92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7400A92 second address: 7400AB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 5030513Ah 0x00000008 mov di, 4706h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebp 0x00000010 pushad 0x00000011 call 00007FCF5CF171A3h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7400AB8 second address: 7400AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7450A21 second address: 7450A3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF171A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7450A3D second address: 7450A41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7450A41 second address: 7450A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7450A47 second address: 7450A4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7450A4D second address: 7450A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7450A51 second address: 7450A7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCF5D4055F7h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7450A7E second address: 7450B21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 call 00007FCF5CF171A5h 0x0000000c pop esi 0x0000000d pop edi 0x0000000e popad 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov edx, eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FCF5CF171A4h 0x0000001a adc ax, EA38h 0x0000001f jmp 00007FCF5CF1719Bh 0x00000024 popfd 0x00000025 call 00007FCF5CF171A8h 0x0000002a pop esi 0x0000002b popad 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f pushad 0x00000030 pushad 0x00000031 call 00007FCF5CF1719Dh 0x00000036 pop eax 0x00000037 call 00007FCF5CF171A1h 0x0000003c pop esi 0x0000003d popad 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FCF5CF171A7h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 743001A second address: 7430048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 call 00007FCF5D4055F7h 0x0000000a mov edx, esi 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 mov al, 1Ch 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 mov ah, A8h 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7430048 second address: 7430078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 jmp 00007FCF5CF1719Fh 0x0000000d and esp, FFFFFFF0h 0x00000010 pushad 0x00000011 mov di, si 0x00000014 call 00007FCF5CF171A0h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7430078 second address: 74300B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 sub esp, 44h 0x00000009 jmp 00007FCF5D4055F7h 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 call 00007FCF5D4055F4h 0x00000015 push eax 0x00000016 pop ebx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a mov si, bx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74300B6 second address: 743013D instructions: 0x00000000 rdtsc 0x00000002 movsx edi, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007FCF5CF1719Bh 0x0000000e xchg eax, ebx 0x0000000f jmp 00007FCF5CF171A6h 0x00000014 xchg eax, esi 0x00000015 pushad 0x00000016 pushad 0x00000017 jmp 00007FCF5CF1719Ch 0x0000001c mov eax, 5F3F5F11h 0x00000021 popad 0x00000022 call 00007FCF5CF1719Eh 0x00000027 pushfd 0x00000028 jmp 00007FCF5CF171A2h 0x0000002d adc ch, FFFFFF98h 0x00000030 jmp 00007FCF5CF1719Bh 0x00000035 popfd 0x00000036 pop eax 0x00000037 popad 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FCF5CF171A0h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 743013D second address: 743014C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 743014C second address: 74301C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF171A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FCF5CF1719Eh 0x0000000f xchg eax, edi 0x00000010 jmp 00007FCF5CF171A0h 0x00000015 push eax 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FCF5CF171A1h 0x0000001d sub eax, 253790A6h 0x00000023 jmp 00007FCF5CF171A1h 0x00000028 popfd 0x00000029 mov eax, 4FDECBD7h 0x0000002e popad 0x0000002f xchg eax, edi 0x00000030 pushad 0x00000031 mov ecx, 7E015ECFh 0x00000036 push eax 0x00000037 push edx 0x00000038 mov dx, cx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74301C7 second address: 74302B2 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FCF5D4055EEh 0x00000008 adc ax, F178h 0x0000000d jmp 00007FCF5D4055EBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov edi, dword ptr [ebp+08h] 0x00000019 jmp 00007FCF5D4055F6h 0x0000001e mov dword ptr [esp+24h], 00000000h 0x00000026 pushad 0x00000027 jmp 00007FCF5D4055EDh 0x0000002c popad 0x0000002d lock bts dword ptr [edi], 00000000h 0x00000032 jmp 00007FCF5D4055EEh 0x00000037 jc 00007FCFCCEA77EAh 0x0000003d jmp 00007FCF5D4055F0h 0x00000042 pop edi 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007FCF5D4055EDh 0x0000004a sbb ch, FFFFFFD6h 0x0000004d jmp 00007FCF5D4055F1h 0x00000052 popfd 0x00000053 popad 0x00000054 pop esi 0x00000055 jmp 00007FCF5D4055EEh 0x0000005a pop ebx 0x0000005b pushad 0x0000005c movzx esi, bx 0x0000005f pushad 0x00000060 movsx ebx, cx 0x00000063 jmp 00007FCF5D4055F2h 0x00000068 popad 0x00000069 popad 0x0000006a mov esp, ebp 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007FCF5D4055F7h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74302B2 second address: 74302B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7450905 second address: 745090B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 745090B second address: 74509B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FCF5CF1719Ch 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007FCF5CF1719Bh 0x0000000f sub ch, 0000002Eh 0x00000012 jmp 00007FCF5CF171A9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c jmp 00007FCF5CF1719Eh 0x00000021 push eax 0x00000022 pushad 0x00000023 pushad 0x00000024 mov ch, dl 0x00000026 mov ax, 789Fh 0x0000002a popad 0x0000002b jmp 00007FCF5CF171A4h 0x00000030 popad 0x00000031 xchg eax, ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 mov edx, 4AB9A420h 0x0000003a pushfd 0x0000003b jmp 00007FCF5CF171A9h 0x00000040 add eax, 62997F26h 0x00000046 jmp 00007FCF5CF171A1h 0x0000004b popfd 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7460A7C second address: 7460A82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7460A82 second address: 7460A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7460A86 second address: 7460A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7460A8A second address: 7460ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FCF5CF171A0h 0x00000011 adc esi, 0E7C9EB8h 0x00000017 jmp 00007FCF5CF1719Bh 0x0000001c popfd 0x0000001d push esi 0x0000001e pop edx 0x0000001f popad 0x00000020 movzx esi, bx 0x00000023 popad 0x00000024 mov dword ptr [esp], ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FCF5CF1719Ah 0x0000002e rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7460ACE second address: 7460AD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7460AD4 second address: 7460B00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov eax, 1AC15463h 0x00000013 pushad 0x00000014 mov di, si 0x00000017 popad 0x00000018 popad 0x00000019 push dword ptr [ebp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push ebx 0x00000020 pop eax 0x00000021 push edi 0x00000022 pop ecx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7460B00 second address: 7460B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c jmp 00007FCF5D4055F0h 0x00000011 push dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov di, 5520h 0x0000001b push ebx 0x0000001c pop eax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7460B32 second address: 7460B38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7460B38 second address: 7460B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 7460B5E second address: 7460B91 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FCF5CF171A4h 0x00000008 sbb cl, FFFFFFC8h 0x0000000b jmp 00007FCF5CF1719Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push edi 0x00000019 pop eax 0x0000001a mov ax, dx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74C0AA2 second address: 74C0AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74C0AA6 second address: 74C0AB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74C0AB4 second address: 74C0ACA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74C0ACA second address: 74C0AD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74C0AD0 second address: 74C0B40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FCF5D4055F1h 0x00000010 jmp 00007FCF5D4055F0h 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 jmp 00007FCF5D4055F0h 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FCF5D4055EDh 0x00000027 and ax, 8786h 0x0000002c jmp 00007FCF5D4055F1h 0x00000031 popfd 0x00000032 mov ah, 41h 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74C0B40 second address: 74C0B81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dl, byte ptr [ebp+14h] 0x0000000c jmp 00007FCF5CF171A0h 0x00000011 mov eax, dword ptr [ebp+10h] 0x00000014 pushad 0x00000015 mov al, 74h 0x00000017 mov bx, 1B6Eh 0x0000001b popad 0x0000001c and dl, 00000007h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FCF5CF171A0h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74C0B81 second address: 74C0BBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5D4055EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007FCF5D4055F6h 0x00000010 je 00007FCFCCE3AC30h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FCF5D4055EAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exeRDTSC instruction interceptor: First address: 74C0BBC second address: 74C0BCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCF5CF1719Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Special instruction interceptor: First address: FB13B5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Special instruction interceptor: First address: FDD6F8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Special instruction interceptor: First address: E0B941 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Special instruction interceptor: First address: 1038B89 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Code function: 0_2_07440A44 rdtsc 0_2_07440A44
Source: C:\Users\user\Desktop\dCdr6IBojN.exe API coverage: 5.0 %
Source: C:\Users\user\Desktop\dCdr6IBojN.exe TID: 6720 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\dCdr6IBojN.exe File Volume queried: C:\ FullSizeInformation
Source: dCdr6IBojN.exe, dCdr6IBojN.exe, 00000000.00000002.2042577838.0000000000F93000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: dCdr6IBojN.exe, 00000000.00000003.1766766125.0000000001A32000.00000004.00000020.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2043119074.0000000001A5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: dCdr6IBojN.exe, 00000000.00000002.2042577838.0000000000F93000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\dCdr6IBojN.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\dCdr6IBojN.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\dCdr6IBojN.exe File opened: NTICE
Source: C:\Users\user\Desktop\dCdr6IBojN.exe File opened: SICE
Source: C:\Users\user\Desktop\dCdr6IBojN.exe File opened: SIWVID
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Code function: 0_2_07440A44 rdtsc 0_2_07440A44
Source: dCdr6IBojN.exe, dCdr6IBojN.exe, 00000000.00000002.2042577838.0000000000F93000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\dCdr6IBojN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: procmon.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: wireshark.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 2 Process Injection | 24 Virtualization/Sandbox Evasion | OS Credential Dumping | 751 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Process Injection | LSASS Memory | 24 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 214 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Source | Detection | Scanner | Label
dCdr6IBojN.exe | 66% | ReversingLabs | Win32.Trojan.Amadey
dCdr6IBojN.exe | 71% | Virustotal |
dCdr6IBojN.exe | 100% | Avira | TR/Crypt.TPM.Gen
dCdr6IBojN.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
httpbin.org | 34.226.108.155 | true | false | | high
home.fivetk5ht.top | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp | dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://httpbin.org/ipbefore | dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv173457985135a1 | dCdr6IBojN.exe, 00000000.00000002.2043119074.00000000019FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851 | dCdr6IBojN.exe, 00000000.00000002.2043119074.00000000019FE000.00000004.00000020.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2043119074.0000000001A5B000.00000004.00000020.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17 | dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://upx.sf.net | Amcache.hve.4.dr | false | | high
https://curl.se/docs/alt-svc.html | dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | dCdr6IBojN.exe, 00000000.00000003.1732732779.0000000007756000.00000004.00001000.00020000.00000000.sdmp, dCdr6IBojN.exe, 00000000.00000002.2042114476.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
34.226.108.155 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579690
Start date and time: 2024-12-23 07:35:58 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: dCdr6IBojN.exe (renamed because original name is a hash value)
Original Sample Name: 6b2f7dfaa5274d0e0addf60021df87d3.exe
Detection: MAL
Classification: mal100.evad.winEXE@2/5@14/1
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.190.177.147, 52.149.20.212, 13.107.246.63
  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
Time | Type | Description
01:36:59 | API Interceptor | 6x Sleep call for process: dCdr6IBojN.exe modified
01:37:24 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
34.226.108.155 | 94g4KHMj9B.exe | malicious | Unknown
34.226.108.155 | Gy53Tq6BdK.exe | malicious | Unknown
34.226.108.155 | HRpFufG1LJ.exe | malicious | Clipboard Hijacker, Cryptbot
34.226.108.155 | OmLwjD18cO.exe | malicious | Clipboard Hijacker, Cryptbot
34.226.108.155 | N3s5DQ51YF.exe | malicious | Clipboard Hijacker, Cryptbot
34.226.108.155 | Yda6AxtlVP.exe | malicious | Unknown
34.226.108.155 | 2OJYjm4J1B.exe | malicious | Unknown
34.226.108.155 | ze38hsiGOb.exe | malicious | Clipboard Hijacker, Cryptbot
34.226.108.155 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
34.226.108.155 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig

Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | 94g4KHMj9B.exe | malicious | Unknown | 34.226.108.155
httpbin.org | 95e1Fwp61u.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | 7eDrKI88k8.exe | malicious | Unknown | 98.85.100.80
httpbin.org | Gy53Tq6BdK.exe | malicious | Unknown | 34.226.108.155
httpbin.org | HRpFufG1LJ.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | t9iCli9iWK.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | uwa78qqv0x.exe | malicious | Unknown | 98.85.100.80
httpbin.org | OmLwjD18cO.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | N3s5DQ51YF.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
httpbin.org | fW6RLQpTIt.exe | malicious | Cryptbot | 98.85.100.80

Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-AESUS | 94g4KHMj9B.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | TmmiCE5Ulm.exe | malicious | LummaC | 3.5.16.86
AMAZON-AESUS | Gy53Tq6BdK.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | HRpFufG1LJ.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | OmLwjD18cO.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | N3s5DQ51YF.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | Yda6AxtlVP.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | 2OJYjm4J1B.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | ze38hsiGOb.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
AMAZON-AESUS | armv4l.elf | malicious | Unknown | 54.88.200.107
                                                    No context

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.941311081204289
Encrypted: false
SSDEEP: 192:+oLypNNvu0BU/Aju0ZrPMtwzuiFEZ24IO8f:HyzNvVBU/Aj5zuiFEY4IO8f
MD5: 57231C160487CFD3CF663048A8393C5D
SHA1: B18F7676E6A2ECF770AE3A19CC46251865B7B6D3
SHA-256: 292C6747632184C67314A213CCA0C9CCB55D2029F9D0024D71D6AF8E1C6C3F79
SHA-512: BBCE545DF93577BD0A0FFCE717D47D18A986F45B739323D352C5F8183C8AE3A02869F1268F5A483930B52C69DA6F18CBD6C45ADFF234A90B6CC1AAD6813767D9
Malicious: true
Reputation: low
Preview: Version=1 EventType=APPCRASH EventTime=133794094222648231 ReportType=2 Consent=1 UploadTime=133794094228116939 ReportStatus=524384 ReportIdentifier=1b2e121c-8698-4d70-824b-31f5ab136e09 IntegratorReportIdentifier=ceead340-7b97-46bb-9778-09b7b0ac7dd9 Wow64Host=34404 Wow64Guest=332 NsAppName=dCdr6IBojN.exe AppSessionGuid=000019e4-0001-0014-50b8-d20d0555db01 TargetAppId=W:0006f3ed24f05278ada02f361b886783abe70000ffff!00005ca3cc38f4a5eead6fedd0984dd8b45f1e4c6e30!dCdr6IBojN.exe TargetApp

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Mon Dec 23 06:37:02 2024, 0x1205a4 type
Category: dropped
Size (bytes): 214494
Entropy (8bit): 1.4027153179634086
Encrypted: false
SSDEEP: 384:W7fVTTHTm6p+hTsEqGLcNO2wLBYAAWIMt5TJiW8YXXcdaMQBHKZL49socP0TS:8VH6aEsEqrriAY5TFXEwp9Dv
MD5: D164C27A37DEF8C7C00DA0D88EF59BDB
SHA1: 019A9399CC477371B2EA1877474E70DCEE3CE7E7
SHA-256: 7A784C50253BECE2D5CF70A5E3C6AB444516D80737D3A57F710E2AFB044F73F6
SHA-512: 32328D392A1D5C9419DFC26565B6FB4B0A764CA38FE0FB2E0A17561E5C8A0154B6E756AD4BF36E5DF0D747448E208E115C298E51458672E3CFA769D635064402
Malicious: false
Reputation: low
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8348
                                                    Entropy (8bit):3.696891430083519
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJEa6c6Y91SU2XpPgmfGbVprU89bsUsfi1km:R6lXJ56c6YvSU2XhgmfGb5sHfij
                                                    MD5:0950A31FD3E43145B804F556205143AE
                                                    SHA1:65E0B37DC0E45A5842FD47A879607C62C7B5E44C
                                                    SHA-256:F95FBF2A8B5921466FCAC389D19F25A62ED6882065DB136D5CD33DE647C9F2C5
                                                    SHA-512:BD53055CB6FE26FA92812A889B6067EEE2704B9BEADCCFFDA8C94613BE8E95C4510C05B3D55EACDC8E54A035B6C2ABEC015EA570D265E22DCEFE0E97F51273AD
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>6628</Pi
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4594
                                                    Entropy (8bit):4.465013592520321
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsnAJg77aI9XcWpW8VYTYm8M4Jj5FXV9I+q8qaD0EVtBzWId:uIjfnGI7VV7VPJvVu208vzWId
                                                    MD5:17785D6A3577D975EA400743A129D16E
                                                    SHA1:A94C226DA5AAB09ADE03767A3F0EC3265914550E
                                                    SHA-256:4C45143E83E321115C1195DEF1E51743B3ED09E452EE05CD9FCBD4B2E97D5C83
                                                    SHA-512:0F70CE6B1FCF20F39E8C3DF82EBF6096EB979FA787836BB2538FD432AFAC9022DA1DFCF128E14E8B626B13626D28797CF9F51802D0F56302A3FBF37E015A6962
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643539" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1835008
                                                    Entropy (8bit):4.46543279936284
                                                    Encrypted:false
                                                    SSDEEP:6144:DIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN9dwBCswSbV:UXD94+WlLZMM6YFHj+V
                                                    MD5:11582C6E94864BAE168C51EF76405725
                                                    SHA1:DC75D6A72076F8DEBB17ED581B3A6BE712F09B92
                                                    SHA-256:D89D20A50451E500CD23EA9F8988F12FDA13A5C432EA3D1840F33B322AD085AD
                                                    SHA-512:991403C723A44A15DC6EC2D85C3B4E2AB0AA342101E5C682317BD3C39C68967474A046B8B39A4E2A2BC6DDDE53736992AB801674CC6C0ABCD7553C4ABFE99F58
                                                    Malicious:false
                                                    Reputation:low
                                                    File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                    Entropy (8bit):7.986469676980443
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • VXD Driver (31/22) 0.00%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:dCdr6IBojN.exe
                                                    File size:4'442'624 bytes
                                                    MD5:6b2f7dfaa5274d0e0addf60021df87d3
                                                    SHA1:5ca3cc38f4a5eead6fedd0984dd8b45f1e4c6e30
                                                    SHA256:9ef7338b3451303b3c85261d963edd712570c9bb6693f6abae81f28887680482
                                                    SHA512:5cbca9fdf70d11a0a6807630e6b141a42097172c3468b73ac7fe751d59013396e401ef339a4af7e8e905fe8875b37c272979339af9de8dccb0f2f23e0ce19f19
                                                    SSDEEP:98304:estGBEV3n/wsG2MwCX6Z8lCf2+FgSdSuZeBsY4W2PF:TGBY3nEm6O8K2+Fgu8BsDW2
                                                    TLSH:792633A262672F91CEC08BB6598149CA067B72F79E51117A4C3E040C7FE3722E7E11BD
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...........pH...@..........................@........C...@... ............................
                                                    Icon Hash:90cececece8e8eb0
                                                    Entrypoint:0x1081000
                                                    Entrypoint Section:.taggant
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                    DLL Characteristics:DYNAMIC_BASE
                                                    Time Stamp:0x67639809 [Thu Dec 19 03:50:33 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                    Instruction
                                                    jmp 00007FCF5CE0A89Ah
                                                    push gs
                                                    inc ebx
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add cl, ch
                                                    add byte ptr [eax], ah
                                                    add byte ptr [eax], al
                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74705f | 0x73 | .idata
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x746000 | 0x1ac | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc7f064 | 0x10 | ykxkmfnv
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0xc7f014 | 0x18 | ykxkmfnv
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                     | 0x1000 | 0x745000 | 0x284c00 | 30d223217a95635f8c486e8a00a2351b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .rsrc | 0x746000 | 0x1ac | 0x200 | e92825fe553248f52fd55b2a57f3f447 | False | 0.58203125 | data | 4.602798081275733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .idata | 0x747000 | 0x1000 | 0x200 | e84636d45557e74dadd0f14f36394655 | False | 0.166015625 | data | 1.1471680400846989 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                     | 0x748000 | 0x383000 | 0x200 | a45fd3a2c0a22f96658334ea395e498e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    ykxkmfnv | 0xacb000 | 0x1b5000 | 0x1b4200 | c99a41df56627eca4dd87d8b7010d4f2 | False | 0.994632684866724 | data | 7.955847768802401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    tftxjewg | 0xc80000 | 0x1000 | 0x400 | 20bb7cec75f36689553f4e875d2f4b32 | False | 0.802734375 | data | 6.183751721506948 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .taggant | 0xc81000 | 0x3000 | 0x2200 | 2430b6241f44748af56b546f3bcd52fb | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                    RT_MANIFEST | 0xc7f074 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
                                                    DLL | Import
                                                    kernel32.dll | lstrcpy
                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                    Dec 23, 2024 07:36:56.427450895 CET | 192.168.2.4 | 1.1.1.1 | 0x22fc | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:36:56.427655935 CET | 192.168.2.4 | 1.1.1.1 | 0x5ecb | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
                                                    Dec 23, 2024 07:36:59.866436005 CET | 192.168.2.4 | 1.1.1.1 | 0xd1e7 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:36:59.866550922 CET | 192.168.2.4 | 1.1.1.1 | 0x35 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:00.590548992 CET | 192.168.2.4 | 1.1.1.1 | 0xc19b | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:00.590626001 CET | 192.168.2.4 | 1.1.1.1 | 0x975d | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:00.906136036 CET | 192.168.2.4 | 1.1.1.1 | 0xe9d | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:00.906208038 CET | 192.168.2.4 | 1.1.1.1 | 0xae9e | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:01.432151079 CET | 192.168.2.4 | 1.1.1.1 | 0x1769 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:01.432368040 CET | 192.168.2.4 | 1.1.1.1 | 0x3331 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:01.784492970 CET | 192.168.2.4 | 1.1.1.1 | 0x6f56 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:01.784563065 CET | 192.168.2.4 | 1.1.1.1 | 0x3a9e | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:02.138289928 CET | 192.168.2.4 | 1.1.1.1 | 0xd081 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:02.138401985 CET | 192.168.2.4 | 1.1.1.1 | 0x8c29 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    Dec 23, 2024 07:36:56.728765011 CET | 1.1.1.1 | 192.168.2.4 | 0x22fc | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:36:56.728765011 CET | 1.1.1.1 | 192.168.2.4 | 0x22fc | No error (0) | httpbin.org | | 98.85.100.80 | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:00.258810043 CET | 1.1.1.1 | 192.168.2.4 | 0x35 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:00.418767929 CET | 1.1.1.1 | 192.168.2.4 | 0xd1e7 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:00.728055954 CET | 1.1.1.1 | 192.168.2.4 | 0x975d | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:00.728075981 CET | 1.1.1.1 | 192.168.2.4 | 0xc19b | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:01.046444893 CET | 1.1.1.1 | 192.168.2.4 | 0xe9d | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:01.046474934 CET | 1.1.1.1 | 192.168.2.4 | 0xae9e | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:01.579114914 CET | 1.1.1.1 | 192.168.2.4 | 0x1769 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:01.579134941 CET | 1.1.1.1 | 192.168.2.4 | 0x3331 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:01.931080103 CET | 1.1.1.1 | 192.168.2.4 | 0x6f56 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:01.932039976 CET | 1.1.1.1 | 192.168.2.4 | 0x3a9e | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:02.276715994 CET | 1.1.1.1 | 192.168.2.4 | 0xd081 | Name error (3) | home.fivetk5ht.top | none | none | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 07:37:02.276751041 CET | 1.1.1.1 | 192.168.2.4 | 0x8c29 | Name error (3) | home.fivetk5ht.top | none | none | 28 | IN (0x0001) | false
                                                    • httpbin.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 34.226.108.155 | 443 | 6628 | C:\Users\user\Desktop\dCdr6IBojN.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 06:36:58 UTC | 52 | OUT | GET /ip HTTP/1.1
Host: httpbin.org
Accept: */*
2024-12-23 06:36:58 UTC | 224 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:36:58 GMT
Content-Type: application/json
Content-Length: 31
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
2024-12-23 06:36:58 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
Data Ascii: { "origin": "8.46.123.189"}



                                                    Target ID:0
                                                    Start time:01:36:53
                                                    Start date:23/12/2024
                                                    Path:C:\Users\user\Desktop\dCdr6IBojN.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\dCdr6IBojN.exe"
                                                    Imagebase:0x6c0000
                                                    File size:4'442'624 bytes
                                                    MD5 hash:6B2F7DFAA5274D0E0ADDF60021DF87D3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:01:37:02
                                                    Start date:23/12/2024
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 1124
                                                    Imagebase:0x7ff70f330000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:0.2%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:61
                                                      Total number of Limit Nodes:4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2e62765136207525f424efab47bffaaaac29c8c0326ac4a6e7dab0b9e1c5219f
                                                      • Instruction ID: 833d3060ab531fb9172d9439ac12131de41e980c0dd50697ae0280f71e2ea83c
                                                      • Opcode Fuzzy Hash: 2e62765136207525f424efab47bffaaaac29c8c0326ac4a6e7dab0b9e1c5219f
                                                      • Instruction Fuzzy Hash: 6131B0F716C214BDB211C5815B54EFB67AEE6D7330B308CABFA03D6512E3940B6A6131

                                                      Control-flow Graph

                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: =ZgW
                                                      • API String ID: 2623510744-2644340017
                                                      • Opcode ID: 4ce505fe77ce42358779c819a1704af597c0e10403b893e374357c05fac24591
                                                      • Instruction ID: 761e9895dc9d07cf3e4cc67178e8e471eee3f9617795dae069255cf23ba78803
                                                      • Opcode Fuzzy Hash: 4ce505fe77ce42358779c819a1704af597c0e10403b893e374357c05fac24591
                                                      • Instruction Fuzzy Hash: C2515BEB2A91227DBA12C0412F24AFA6E6EE5D3730B31883BF807D6552E3944E4F5131

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 37 7490354-749036b 38 749036d-749039c call 749039e 37->38 39 74903e4-7490641 37->39 38->39 67 7490650-7490686 Process32FirstW 39->67 68 7490694-74906c7 call 74906d6 67->68
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: =ZgW
                                                      • API String ID: 0-2644340017
                                                      • Opcode ID: 95763f70e440ed0c8df52870063226230f071e348221118b77adf64d944b5d6d
                                                      • Instruction ID: 43b39eb76b511edb53811a4729071b5a94a1bb2613c3b74d12dcfc47674961a8
                                                      • Opcode Fuzzy Hash: 95763f70e440ed0c8df52870063226230f071e348221118b77adf64d944b5d6d
                                                      • Instruction Fuzzy Hash: FC517BEB29D162BD7A02C1416F14AFA6F6EE5C3730B31887BF807D6552E3984E4B6131

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 73 749039e-7490641 100 7490650-7490686 Process32FirstW 73->100 101 7490694-74906c7 call 74906d6 100->101
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: =ZgW
                                                      • API String ID: 2623510744-2644340017
                                                      • Opcode ID: 3828dd75faad1d45b421be24b27dc7a3d2f1050d71991354dca0a336e546b70f
                                                      • Instruction ID: 25aaf39798028237ebca35a9ee7e12c6fafd28e7149fb19c66d3a44a08f70fe9
                                                      • Opcode Fuzzy Hash: 3828dd75faad1d45b421be24b27dc7a3d2f1050d71991354dca0a336e546b70f
                                                      • Instruction Fuzzy Hash: 79411BEB2A8122BD7552C0422F14EFA5A6EE5D3730B318837F807D6556E3D84E4F6131

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 106 7490404-7490641 129 7490650-7490686 Process32FirstW 106->129 130 7490694-74906c7 call 74906d6 129->130
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: =ZgW
                                                      • API String ID: 2623510744-2644340017
                                                      • Opcode ID: bca810f9a530177580491e6690a94385f9035e63a700ba4239b86fd0994ac870
                                                      • Instruction ID: 48a8b0bf8bb98d2b6db9d5f68c8b2c8e898dcd6f11ac12fab3144986f99a71ac
                                                      • Opcode Fuzzy Hash: bca810f9a530177580491e6690a94385f9035e63a700ba4239b86fd0994ac870
                                                      • Instruction Fuzzy Hash: 3F416EFB2A8122BD7A12C4452F14AFA6E6EE5D3770B31883BF807D6552E3D44E4B5131

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 135 746033a-746033c 136 74602d7-746031c 135->136 137 746033e-7460349 135->137 150 746031f-7460320 136->150 139 746034c-746035c call 7460364 137->139 145 7460321-7460335 139->145 146 746035e-746035f 139->146 145->139 149 7460361-74603db 146->149 146->150 155 74603ea-74603fd GetLogicalDrives 149->155 150->145 156 746040c-74604a9 call 74604b0 155->156 165 74604ab 156->165 165->165
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044783728.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7460000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      • Opcode ID: c3ea2c0d48140c37c78a9c45a32465a5f3736bbf92b5a96ef3f5a958e69ef1c6
                                                      • Instruction ID: 95a8d65e160f8a21b0a459d7a5a94c3f73acb57d0d74bec2486b1db7f31cc4f4
                                                      • Opcode Fuzzy Hash: c3ea2c0d48140c37c78a9c45a32465a5f3736bbf92b5a96ef3f5a958e69ef1c6
                                                      • Instruction Fuzzy Hash: FB31D1EB66C2217EB61291923B18EFB6B6DE5C6B31730C92BF403C5416D2940E8F1073

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 166 74602ce-746031c 171 746031f-7460320 166->171 172 7460321-746035c call 7460364 171->172 177 746035e-746035f 172->177 177->171 178 7460361-74603db 177->178 183 74603ea-74603fd GetLogicalDrives 178->183 184 746040c-74604a9 call 74604b0 183->184 193 74604ab 184->193 193->193
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044783728.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7460000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 40b6813bffd345e1fe2338c5ebb7d18c28f23a017b0707e0ec130f29da272b49
                                                      • Instruction ID: aa5ef2b6097de63501c1806e3b59fac770dbf5ec96a7b0fa89a391ecb4754231
                                                      • Opcode Fuzzy Hash: 40b6813bffd345e1fe2338c5ebb7d18c28f23a017b0707e0ec130f29da272b49
                                                      • Instruction Fuzzy Hash: AC217AEB26D221BE761181922B28EFB5B6DE4C6B31730C92BF407C5526D2950E8B5133

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 194 74602a2-746031c 199 746031f-7460320 194->199 200 7460321-746035c call 7460364 199->200 205 746035e-746035f 200->205 205->199 206 7460361-74603db 205->206 211 74603ea-74603fd GetLogicalDrives 206->211 212 746040c-74604a9 call 74604b0 211->212 221 74604ab 212->221 221->221
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044783728.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7460000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 928a492dbfed43dc0d2115a2b8eef7263f13fe5450ed2e6328d133c45121c440
                                                      • Instruction ID: 3d52bd630fcd0833b818b851d7c68f6d0c4126945a904c69d5d4f2874b4ea3a6
                                                      • Opcode Fuzzy Hash: 928a492dbfed43dc0d2115a2b8eef7263f13fe5450ed2e6328d133c45121c440
                                                      • Instruction Fuzzy Hash: 5A21CEFB26D210BEB61285923B18DFB6B6DD5C2B31730CC6BF403C5526D2A40A8B5133

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 222 74602db-746031c 227 746031f-7460320 222->227 228 7460321-746035c call 7460364 227->228 233 746035e-746035f 228->233 233->227 234 7460361-74603db 233->234 239 74603ea-74603fd GetLogicalDrives 234->239 240 746040c-74604a9 call 74604b0 239->240 249 74604ab 240->249 249->249
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044783728.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7460000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 0c36ec46d30f428f3c5939a1e632b754e2a54eb076c000eb2b2c92cd910da2a1
                                                      • Instruction ID: 2570ea0be70a0341b54a04a06da6ac725faf49b858295938b2d6e0b3eb6c7581
                                                      • Opcode Fuzzy Hash: 0c36ec46d30f428f3c5939a1e632b754e2a54eb076c000eb2b2c92cd910da2a1
                                                      • Instruction Fuzzy Hash: 2B21ADEB66C2217E7611C1A22B28EFB6B6DD4C7731730C82BF407C5526D2950E8B5033

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 250 749053b-7490641 261 7490650-7490686 Process32FirstW 250->261 262 7490694-74906c7 call 74906d6 261->262
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID: `
                                                      • API String ID: 2623510744-2679148245
                                                      • Opcode ID: 3ad05ffd317513ff119e0abdb5bf04f4fcb3e06823ae70ce23f379f5ea12abed
                                                      • Instruction ID: 9fff31c77fb535cf565ac48bfc8aef30e5a31788d305e2b60428f27c775dadc8
                                                      • Opcode Fuzzy Hash: 3ad05ffd317513ff119e0abdb5bf04f4fcb3e06823ae70ce23f379f5ea12abed
                                                      • Instruction Fuzzy Hash: 12218EFB26C2227C7A16D0912B14AF66F6EE4D3730B31883BF807D6956E3880E5B1135

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 267 7440252-7440371 call 7440272 call 7440376 282 7440373-74403be 267->282 283 74403bf-7440759 267->283 282->283 321 7440804-7440c11 283->321 322 744075f-7440803 283->322 376 7440c26-7440c3d 321->376 322->321 377 7440c43-7440c7e call 7440c7f 376->377
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 96e83311b635d3f883adb9bc45b5cbce92771c7d682bf013deea3cf8d15f91cf
                                                      • Instruction ID: eeb4d3d2738ee93a9b025be2dda2b62790668ca0e266521e01721823ac8ac847
                                                      • Opcode Fuzzy Hash: 96e83311b635d3f883adb9bc45b5cbce92771c7d682bf013deea3cf8d15f91cf
                                                      • Instruction Fuzzy Hash: F0E18DEB16C110BDF211C1816B54BFB6B6DE6D7730F3088ABFA07D5562E3980A6B2531

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 382 74402a7-74402a8 383 7440268-74402a1 382->383 384 74402aa-74402ac 382->384 385 74402ad-7440371 call 7440376 383->385 384->385 396 7440373-74403be 385->396 397 74403bf-7440759 385->397 396->397 435 7440804-7440c11 397->435 436 744075f-7440803 397->436 490 7440c26-7440c3d 435->490 436->435 491 7440c43-7440c7e call 7440c7f 490->491
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: dbd34b4c6383641c43088b6d45fe0c7bc621cdfea4ef643a15318eec31bfe905
                                                      • Instruction ID: 1f3a331de3f18a90d9a033935612b128e519e76f2258eb2141c1f3846aeb68ee
                                                      • Opcode Fuzzy Hash: dbd34b4c6383641c43088b6d45fe0c7bc621cdfea4ef643a15318eec31bfe905
                                                      • Instruction Fuzzy Hash: 59E18EEB16C120BDF211C1816B54BFB6B6DE6D7730F3088ABFA07D5552E2980A6F2531

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 496 74402c7-7440371 call 7440376 504 7440373-74403be 496->504 505 74403bf-7440759 496->505 504->505 543 7440804-7440c11 505->543 544 744075f-7440803 505->544 598 7440c26-7440c3d 543->598 544->543 599 7440c43-7440c7e call 7440c7f 598->599
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 604 74402dd-7440371 call 7440376 612 7440373-74403be 604->612 613 74403bf-7440759 604->613 612->613 651 7440804-7440c11 613->651 652 744075f-7440803 613->652 706 7440c26-7440c3d 651->706 652->651 707 7440c43-7440c7e call 7440c7f 706->707
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: ad648711c07803939df48e1ee4503d8e8434bc32cf90f0ebabd3e6aae30a514d
                                                      • Instruction ID: 0d7c83d32bbc9c85bb4c5b5c7f3915181b4c617c5bd3834d3164cefbec37e58c
                                                      • Opcode Fuzzy Hash: ad648711c07803939df48e1ee4503d8e8434bc32cf90f0ebabd3e6aae30a514d
                                                      • Instruction Fuzzy Hash: 4FD17EEB16C124BDF211C1816B14BFB676DE6D7730F3088ABFA07D5512E3980A6A2531

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 712 744030b-7440371 call 7440376 719 7440373-74403be 712->719 720 74403bf-7440759 712->720 719->720 758 7440804-7440c11 720->758 759 744075f-7440803 720->759 813 7440c26-7440c3d 758->813 759->758 814 7440c43-7440c7e call 7440c7f 813->814
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: d3c282a200eaf96b7d6bf008757345463d2bde09120d5a4dab00f7831a02ffea
                                                      • Instruction ID: 117e80d888711228d01cc1e83dbb3d9d2e8f6a692c418c4ff4b70d1d5c4c5122
                                                      • Opcode Fuzzy Hash: d3c282a200eaf96b7d6bf008757345463d2bde09120d5a4dab00f7831a02ffea
                                                      • Instruction Fuzzy Hash: 41D17DEB16C124BDF211C1816B14BFB676DE6D7730F3088ABFA07D5522E3980A6A2531

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 819 7440317-7440371 call 7440376 824 7440373-74403be 819->824 825 74403bf-7440759 819->825 824->825 863 7440804-7440c11 825->863 864 744075f-7440803 825->864 918 7440c26-7440c3d 863->918 864->863 919 7440c43-7440c7e call 7440c7f 918->919
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 41239f42232f7465afb128acdb54a133071914f527a021143d5e76ccd4e1a39b
                                                      • Instruction ID: 1a433765a7725bdfd7589b52939ac42b0023a60f48254c0c1674e74f465f9e10
                                                      • Opcode Fuzzy Hash: 41239f42232f7465afb128acdb54a133071914f527a021143d5e76ccd4e1a39b
                                                      • Instruction Fuzzy Hash: 19D18EEB16C120BDF211C1816B54BFB676DE6D7730F3088ABFA07D5522E3980A6B2531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: a7144ca78efbc706bb319c66efe6cddc3a472ced93c1d643e592c2d0326fecbf
                                                      • Instruction ID: 03d5d9faed2ee540ce26ddb41722595789a0643e86e4a0dac4477730a33c82c2
                                                      • Opcode Fuzzy Hash: a7144ca78efbc706bb319c66efe6cddc3a472ced93c1d643e592c2d0326fecbf
                                                      • Instruction Fuzzy Hash: 91D18DEB16C110BDF211C1816B54BFA676DE7D7730F3088ABF607D5562E3A80A6B2531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 8721cb6b6a393389cf93f614c4864567f65f870f14e5fcba786f394496728354
                                                      • Instruction ID: c2cb32a4357e96cb80c7f1c91a5bd2108f3e0b86d846232971d5670d2d0fd40b
                                                      • Opcode Fuzzy Hash: 8721cb6b6a393389cf93f614c4864567f65f870f14e5fcba786f394496728354
                                                      • Instruction Fuzzy Hash: 03D18DEB16C110BDF211C1816B14BFB676DE7D7730F3088ABFA07D5562E3A80A6A2531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: c71263ebee275c94785a05b7635786854c34664869e8825451e7deaa446c1f64
                                                      • Instruction ID: 7b3b91eccf29d6231d8c61cdf4b44af7e7c2734bf073e3d43958fed419eff18c
                                                      • Opcode Fuzzy Hash: c71263ebee275c94785a05b7635786854c34664869e8825451e7deaa446c1f64
                                                      • Instruction Fuzzy Hash: 44C19FEB16C120BDF211C1816B14BFB676DE7D7730F3088ABFA03D5522E3980A6A2531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: d09ed1de6a4f1351c0852976d98b1b18a1a9e54eb8289fd9275a82dbf088ac66
                                                      • Instruction ID: d27c850042b0b2a398212611ea7d0215cc604babe2f0149ed66c24616e4c36e1
                                                      • Opcode Fuzzy Hash: d09ed1de6a4f1351c0852976d98b1b18a1a9e54eb8289fd9275a82dbf088ac66
                                                      • Instruction Fuzzy Hash: 18C18FEB16C120BDF212C1816B54BFB676DE7D7730F3088ABF607D5522E3980A6A6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 168cc77cd537ac49a0fd77d2e6256d8d03c2236f88b84591769f616cc0fc579e
                                                      • Instruction ID: ef75db1832444bc3be0e9667aa3ba73f6783acbbe40e1e983ebdb99ac8890b42
                                                      • Opcode Fuzzy Hash: 168cc77cd537ac49a0fd77d2e6256d8d03c2236f88b84591769f616cc0fc579e
                                                      • Instruction Fuzzy Hash: A8C17DEB16C120BDF211C1816B54BFB676DE7D7730F3088ABFA07D5522E3980A6A6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 3c4f34af720e5acd385759e09bc8568751c529fc0f026c8c1bf8a91342a3a85f
                                                      • Instruction ID: e2afcde0285cc6edd07674dcc01d6dd8c27bbf6b9f416f1b4e9e75fef64aa629
                                                      • Opcode Fuzzy Hash: 3c4f34af720e5acd385759e09bc8568751c529fc0f026c8c1bf8a91342a3a85f
                                                      • Instruction Fuzzy Hash: A3C17EEB56C120BDF211C1816B54BFB676DE7D7330F3088ABF607D5522E3A80A6A6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 70010dcd0f7da3cab17ac68a503432182d4cf0defe13b555bbe2e2011da8bdb7
                                                      • Instruction ID: b77c68009a6aee7f9a911d587155ea9a8bdf03c403f488ec7055fea353738983
                                                      • Opcode Fuzzy Hash: 70010dcd0f7da3cab17ac68a503432182d4cf0defe13b555bbe2e2011da8bdb7
                                                      • Instruction Fuzzy Hash: 98C18EFB16C114BDF211C1816B54BFA676DE7D7330F3088ABF607D5522E3A80A6A6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: ef8db1fae4fef8b723047030c75c3ca91c21f2f7a61ecd6caf1adc4358f1edb2
                                                      • Instruction ID: c25de482c0f6fc2633e5949eb3fd4753251a449b55462396380c85a844e68aab
                                                      • Opcode Fuzzy Hash: ef8db1fae4fef8b723047030c75c3ca91c21f2f7a61ecd6caf1adc4358f1edb2
                                                      • Instruction Fuzzy Hash: 50B1ADFB56C110BDF211C5816B54BFAA7ADE7D7330F3088ABF603D5512E3A80A6A2531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 7647a1f856128eede3fe0621741d39537915a81ee83f7f24b867d20b6a202b75
                                                      • Instruction ID: 175e0523df45a524f7d2948cf7fefb2d9e16800464f1beedd2a308656bf86852
                                                      • Opcode Fuzzy Hash: 7647a1f856128eede3fe0621741d39537915a81ee83f7f24b867d20b6a202b75
                                                      • Instruction Fuzzy Hash: 11B18EFB16C110BDF211C1816B54BFA676DE7D7330F3088ABFA07D5522E3A80A6A6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 30a16b432060a2259166090ac1866ba2e41e4f95125a0873db9581b16f6b5aae
                                                      • Instruction ID: 008a652e427c812eef33ec01d8451369750c847e2fda078c27d43200c8c2b0e3
                                                      • Opcode Fuzzy Hash: 30a16b432060a2259166090ac1866ba2e41e4f95125a0873db9581b16f6b5aae
                                                      • Instruction Fuzzy Hash: C9B18FEB56C114BDF211C1816B54BFA676DE7D7330F3088A7F603D5522E3A80A6A6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 4d6d1cc1de6a4c53c2c7c67f84ca7409fc3f4661d509f9c7615b56512c00fac9
                                                      • Instruction ID: 3e675298d2bfb1159545a949ec0dbd466a3e957cdea41f28a0151c78957ffda0
                                                      • Opcode Fuzzy Hash: 4d6d1cc1de6a4c53c2c7c67f84ca7409fc3f4661d509f9c7615b56512c00fac9
                                                      • Instruction Fuzzy Hash: 54B19EEB56C114BDF211C1816B54BFAA76DE7D7330F3088ABF603D5522E3A80A6B6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 710a57429fc1e3ec26496abfd2826567d8f65dc8358fd663a51170e1861d871b
                                                      • Instruction ID: 42b2bbce4e7fa7a17c791e2524bc3edb2239faa6d4787ae10937fd03e58f6d82
                                                      • Opcode Fuzzy Hash: 710a57429fc1e3ec26496abfd2826567d8f65dc8358fd663a51170e1861d871b
                                                      • Instruction Fuzzy Hash: EAB18EEB16C114BDF211C1816B54BFA676DE7D7330F3088ABFA03D5522E3A80A6A6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: cc985e96f01152ec46c77391675472be662e69b55dd8ff91cb1b0161d903e8dd
                                                      • Instruction ID: 30c4152c0411c1563f558b5f5d1387ec9d2cfc9aaf3ab61181935845ff9bc269
                                                      • Opcode Fuzzy Hash: cc985e96f01152ec46c77391675472be662e69b55dd8ff91cb1b0161d903e8dd
                                                      • Instruction Fuzzy Hash: 8BB18EEB16C114BDF211C1816B54BFAA76DE7D7330F3088ABF607D5522E3A80A6A6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: ccf057790433e68a34f29d5a084f33ae248f94f48313cbc4e65a8e03d0cb628b
                                                      • Instruction ID: 357f7f3147764570490a7f06adf255847ea4cc23ad302fbfc37c3abef637c4bf
                                                      • Opcode Fuzzy Hash: ccf057790433e68a34f29d5a084f33ae248f94f48313cbc4e65a8e03d0cb628b
                                                      • Instruction Fuzzy Hash: 4AA18EEB56C114BDF211C1816B54BFAA76DE7D7330F3088ABF603D5522E3A80A6B6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 9af675f7029ce88a7c185c53878dc656dee10f9d31b56f152e043835390a52aa
                                                      • Instruction ID: 9c221a2ba615874470ac7ce0fd7bef36394528c416a7e08eca208271d86725c4
                                                      • Opcode Fuzzy Hash: 9af675f7029ce88a7c185c53878dc656dee10f9d31b56f152e043835390a52aa
                                                      • Instruction Fuzzy Hash: DBA19FFB56C114BDF21181816B54BFAA76EE7D7330F3088ABF603D5512E3A80A6A6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 5c3962a87caf4e8717d48af1b50b1b896f89973bd2be181512f9446d271ec775
                                                      • Instruction ID: f5c3a4f60b7686c924397ed23f15c28ad2ba8a715020fdfe32cd86bd906aaf77
                                                      • Opcode Fuzzy Hash: 5c3962a87caf4e8717d48af1b50b1b896f89973bd2be181512f9446d271ec775
                                                      • Instruction Fuzzy Hash: 7AA1AEFB56C114BDF21181816B54BFAA76DE7D7330F3088ABF607D5522E3A80A6B2531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: 7a8e2025f15ab9aae80bd65030877b4e118cd40d104a88d6778f5135b89021e3
                                                      • Instruction ID: b188c6885f8ca750ed5d95d6c9e1686d4bae5183926efda001a9271a3639e4b7
                                                      • Opcode Fuzzy Hash: 7a8e2025f15ab9aae80bd65030877b4e118cd40d104a88d6778f5135b89021e3
                                                      • Instruction Fuzzy Hash: D9A18DFB56C114BDF21181816B54BFAA76DE7D7330F3088ABF603D5522E3A80A6B6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      • Opcode ID: a419c416feb769103787a8e4797b0199d127699f7828aa7941122af3f70baddc
                                                      • Instruction ID: 1ada732e5e9f9654541c6752e44f3082384a1357dbc956dcfef1b24f1b46aea3
                                                      • Opcode Fuzzy Hash: a419c416feb769103787a8e4797b0199d127699f7828aa7941122af3f70baddc
                                                      • Instruction Fuzzy Hash: D7A18DEB56C114BDF21181816B54BFAA76DE7D7330F3088ABF603D5522E3A80A6B6531
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR$PR
                                                      • API String ID: 0-1480931156
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: e54e32a7a5102fd05e2cf0f8520060cf61c5ee660ea04cb999496d6f273fdefc
                                                      • Instruction ID: af18604ffdbd45ba69e356e6417da5fd2b7506da6d8078fdfaa6523294ee5478
                                                      • Opcode Fuzzy Hash: e54e32a7a5102fd05e2cf0f8520060cf61c5ee660ea04cb999496d6f273fdefc
                                                      • Instruction Fuzzy Hash: AC313AEB2A8122BD7912C5452F18AFA6E6EE5D3730B318837F807D6552E3D84E4F5031
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: 93a219b3c9d829b4ee32ffd9bec4cf8160baaf1cd6972fe0acc1d3362f15da50
                                                      • Instruction ID: 56deac65ce3b20ad131b2eddcb68f3342ae542f724e2f28bcd06c80c1f4d44aa
                                                      • Opcode Fuzzy Hash: 93a219b3c9d829b4ee32ffd9bec4cf8160baaf1cd6972fe0acc1d3362f15da50
                                                      • Instruction Fuzzy Hash: 39314DEB298122BD7902C1456F14AFA6F6EE5D7730B318837F807D6552E3D80E4B5131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 074603F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044783728.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7460000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044783728.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7460000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 074603F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044783728.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7460000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 074603F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044783728.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7460000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 074603F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044783728.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7460000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 074603F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044783728.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7460000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 074603F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044783728.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7460000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PPR
                                                      • API String ID: 0-2555191943
                                                      APIs
                                                      • Process32FirstW.KERNEL32(0000ED22,0000ED22,0000ED22,?), ref: 07490678
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044829356.0000000007490000.00000040.00001000.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7490000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID: FirstProcess32
                                                      • String ID:
                                                      • API String ID: 2623510744-0
                                                      • Opcode ID: b29c309cb2f412de138149b7d0c43c9b5a94de0a0b5bf63b6cd7766376789dd8
                                                      • Instruction ID: 5a03fef6e97364ecc3e841a0ec50d13121f9f87bd4c49bc77b810b59687692ee
                                                      • Opcode Fuzzy Hash: b29c309cb2f412de138149b7d0c43c9b5a94de0a0b5bf63b6cd7766376789dd8
                                                      • Instruction Fuzzy Hash: 7A01A1E62AD111BCE50191952F14BFAAB6DD6C3B32F30C927F426CD421E2E2494B1131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4b9858b2383529fada36f78a1cbdbd69fc8a4ed9c6ed7e150c645acc93b5722c
                                                      • Instruction ID: cf436f1a3d3a18f90d6bbb014265986bd61ac964ed3e45473d1d8594771ca0e4
                                                      • Opcode Fuzzy Hash: 4b9858b2383529fada36f78a1cbdbd69fc8a4ed9c6ed7e150c645acc93b5722c
                                                      • Instruction Fuzzy Hash: FE01C4FB21C110BDB221D5926B94AFB67ADD6C6330B308C6BF903C6512D2A90E5A6131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044907428.00000000074E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_74e0000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 76faa4991115dbc43e0f76f163fccebde9f31ee13db083e5859be1d37cf4b1b4
                                                      • Instruction ID: 67cff5b322455d6504f7bc31c8fc9c6b7f94e7d4ce6f5bc916debe06a911e2b9
                                                      • Opcode Fuzzy Hash: 76faa4991115dbc43e0f76f163fccebde9f31ee13db083e5859be1d37cf4b1b4
                                                      • Instruction Fuzzy Hash: CF015EE72AC115BDB50145452E10BFEAA6ED2C7772F318927F426CE061E2E64D4B1031
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044907428.00000000074E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_74e0000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 20bb720b33a0e982bdb9be29bcfa3d5ce4cb124a54b8ca92ba231f2f78010c65
                                                      • Instruction ID: a1154e2abbaaf07210b471b570656985aed07fe5533f01dc356e5c183f56bd82
                                                      • Opcode Fuzzy Hash: 20bb720b33a0e982bdb9be29bcfa3d5ce4cb124a54b8ca92ba231f2f78010c65
                                                      • Instruction Fuzzy Hash: 5D012DE72AC115BDB54255812E14BFA6A6ED2C3772F318D27F426CD066E2E24D4B1131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044907428.00000000074E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_74e0000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1f420be3506fa0056809212b23a6eb7dda6c7f941ad99105284fa4c0c9320cc3
                                                      • Instruction ID: ddef4f0f374f25d38c507ae215c4b7d4a3ace8cf74a4519356c9944508737455
                                                      • Opcode Fuzzy Hash: 1f420be3506fa0056809212b23a6eb7dda6c7f941ad99105284fa4c0c9320cc3
                                                      • Instruction Fuzzy Hash: CC015EE72AC115BCF54245512E10BFA6A6DD2C3772F308D27F426C9466E2E2494B1131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3d034a7c2fec34617a9649f1cb7e159e2540464702b48859d8613bc0492c1d47
                                                      • Instruction ID: 90cbd353e9aa388fcb8ee9dbe3810b6ea61004d11178200a60cc8631451e06da
                                                      • Opcode Fuzzy Hash: 3d034a7c2fec34617a9649f1cb7e159e2540464702b48859d8613bc0492c1d47
                                                      • Instruction Fuzzy Hash: 6801B5FA11C110BDB225D5915A94AFB67ADE6C7330B30886FF903D6511D3A84E5A6131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044907428.00000000074E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_74e0000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 45a02fd8b1a32f872ab733ad1fc36188023291893a05fd583972440545c8645f
                                                      • Instruction ID: 96c41f75a14efd70151080e603e16a9e59caeb0f7540180e4aa039f12a16134d
                                                      • Opcode Fuzzy Hash: 45a02fd8b1a32f872ab733ad1fc36188023291893a05fd583972440545c8645f
                                                      • Instruction Fuzzy Hash: B501B1EB2AD215BDF50295952E20FFA6B6DD3C3732F308D27F422CA055E2E2494B0132
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044907428.00000000074E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_74e0000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9ad7571fe230ac4029aa307ba674bc6812bbe0ed154834655cff81ef6c07098c
                                                      • Instruction ID: 7a9b5b814c4b8508efee0973524bd188ffecfbcc0b3db9204c3043091b315b46
                                                      • Opcode Fuzzy Hash: 9ad7571fe230ac4029aa307ba674bc6812bbe0ed154834655cff81ef6c07098c
                                                      • Instruction Fuzzy Hash: ED01B1F72AD115BCE64595912B10BFA6B6DD3C3732F318927F426C9062E2E24E4B1031
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 959d776bc405cb5769104352aaae617cf419a8c12772651e567395ccc9530e1a
                                                      • Instruction ID: 923e23b78912b5c5ad4b9bfb7bf230a5fcd0d0c2a70bee3a4752ee9db1e70e1d
                                                      • Opcode Fuzzy Hash: 959d776bc405cb5769104352aaae617cf419a8c12772651e567395ccc9530e1a
                                                      • Instruction Fuzzy Hash: 6201FCF6609114FDB621D5859A84AFA77A9E7C7230B30886FF502C7115D3A84A59A131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b1d1ff88ace3a35288d9d35ccbf76a2485fba4cf80daa4cd02eb42c176c889cb
                                                      • Instruction ID: 2a74a4053c18ce2e2532d2b8d38fa6996160edaffa62d0de2e50750040dc6d4a
                                                      • Opcode Fuzzy Hash: b1d1ff88ace3a35288d9d35ccbf76a2485fba4cf80daa4cd02eb42c176c889cb
                                                      • Instruction Fuzzy Hash: BE0126F620C110BEF224D5925A94AFE63A9EAC6230B30847FF902CB112D3A94E4A6131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044907428.00000000074E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_74e0000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 73f7491d48927eb954b27508d4cbb9fca8db1266c850e58dec88efc14118dc8d
                                                      • Instruction ID: d03600f2fa8f195057f9a047b6a9c02a9aaa9f85afdfa74eb45b8b0baa99c290
                                                      • Opcode Fuzzy Hash: 73f7491d48927eb954b27508d4cbb9fca8db1266c850e58dec88efc14118dc8d
                                                      • Instruction Fuzzy Hash: B4F082E626C105BDEA4155606E54BFA6E6ED7C3733F318D17F4268C029D6F28D470132
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0a00b454d58ff3ed617b004374d70cf72e371d48159bcc67b684afc74fcb712d
                                                      • Instruction ID: c9f8a25786de68343eff6b9d1b871df4f96b260bfe9f053e3148375412a22661
                                                      • Opcode Fuzzy Hash: 0a00b454d58ff3ed617b004374d70cf72e371d48159bcc67b684afc74fcb712d
                                                      • Instruction Fuzzy Hash: 24F0A0F6609214AEF620A5616A94AFB63E9CAC2260B70886AE841D3005D369098A5131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044752164.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7440000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 55b5d6882883d455d01035bb85b100073ca2aa4998517503495e8f48b913596f
                                                      • Instruction ID: 96c504de90d0de114406f260c177cd563f5747580b396a561e91d296aa28c864
                                                      • Opcode Fuzzy Hash: 55b5d6882883d455d01035bb85b100073ca2aa4998517503495e8f48b913596f
                                                      • Instruction Fuzzy Hash: 85E09BF6509120ECF620E1516B44AFF93B9D6C3630B308C6FF402D2015D3590E5D2031
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044907428.00000000074E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_74e0000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ef047080f1c31733b82c259189c7fc1516365c62d06307b2a7e73f19df598424
                                                      • Instruction ID: e25aae6349b756ebc4cc561d2d4006db279b4f520a84712f8875083d0bdfb5cf
                                                      • Opcode Fuzzy Hash: ef047080f1c31733b82c259189c7fc1516365c62d06307b2a7e73f19df598424
                                                      • Instruction Fuzzy Hash: F5E0E5E626C105ACDA0115906A50AFA1BAED2C2732F318D17F02288424D6F14D470131
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044907428.00000000074E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_74e0000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c331fb746d05b758ccce0062f729f61fcd323e7c182b9e031d2e012e61cb9ec8
                                                      • Instruction ID: 78f15920ca072933445be7ccf88360fe84456a44a618eaedc0356c3d5f5d752b
                                                      • Opcode Fuzzy Hash: c331fb746d05b758ccce0062f729f61fcd323e7c182b9e031d2e012e61cb9ec8
                                                      • Instruction Fuzzy Hash: C6E020F735C7515EA301D16126A05FF6BFE94C22317B14C3FF001C7416D6E6484A1032
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044907428.00000000074E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_74e0000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5030d5c3ea4500e03b9220cc11d30394c2cb782733745427527b265e365dae43
                                                      • Instruction ID: da2bd77452e1d7a0861ad116acc3475bb75ef91db34a6e0e1b63e257adc7837e
                                                      • Opcode Fuzzy Hash: 5030d5c3ea4500e03b9220cc11d30394c2cb782733745427527b265e365dae43
                                                      • Instruction Fuzzy Hash: 31E026E222C155ACAA0141513A20CF52FAC80C2732B358D27F41189411C2E5480B4133
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044907428.00000000074E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_74e0000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7930cfdbb200b6b2d8e0970b98be5fd2d3d9adcbae457cd103a94831f88cb2d1
                                                      • Instruction ID: 1e29babfe3d8a679d1ed2491b0b717badfdcfe9893f049d3f190eb3934807472
                                                      • Opcode Fuzzy Hash: 7930cfdbb200b6b2d8e0970b98be5fd2d3d9adcbae457cd103a94831f88cb2d1
                                                      • Instruction Fuzzy Hash: 20E020C754C2415DDA5287A161806F86FADE6D73367354D13D0518A213C1FB4C074363
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2044907428.00000000074E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_74e0000_dCdr6IBojN.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 350ae15208a54a5359d33efc97021903bd265944ee68f319b964d075a9b50e5a
                                                      • Instruction ID: f821bd731b5bc0e1bd2140ae12df97867012cf236db8147871be89ea6dd6c378
                                                      • Opcode Fuzzy Hash: 350ae15208a54a5359d33efc97021903bd265944ee68f319b964d075a9b50e5a
                                                      • Instruction Fuzzy Hash: D2D022D729C2006CB44182623B30BFA2FADC0C17327B18E2BF005C2811C1E60C4F0033