Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1558936
MD5: eeafcff9019f6db830551b94ded6ec31
SHA1: 0177b0c665ce005f1a82cea394af45fcc798331e
SHA256: b51c39f9a5b2176d0e3a06036460db52d19a94cb4827cf523c00a2e567fd586e
Tags: exe, user-Bitsight
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7808 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EEAFCFF9019F6DB830551B94DED6EC31)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | Avira: detected
Source: file.exe | ReversingLabs: Detection: 31%
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: -----BEGIN PUBLIC KEY----- 0_2_00FEC6E0
Source: file.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Joe Sandbox View | IP Address: 34.116.198.130 34.116.198.130
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 34.116.198.130:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17
Source: file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1955733667.0000000001E4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347
Source: file.exe, 00000000.00000002.1955733667.0000000001E4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW173201934735a1
Source: file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347libgcc_s_dw2-1.dll__register_frame_info__der
Source: file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: file.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: file.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: file.exe, file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: file.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FC5DE0 appears 86 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0119B5B0 appears 77 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FC5F90 appears 526 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 01003930 appears 176 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FDB6C0 appears 38 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 010039C0 appears 181 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 010A2E90 appears 72 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FDB730 appears 40 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FCB490 appears 39 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 01175C10 appears 78 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FC5BD0 appears 42 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: file.exe | Static PE information: Section: vjuwrkbf ZLIB complexity 0.9944692149749558
Source: classification engine | Classification label: mal100.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: file.exe | ReversingLabs: Detection: 31%
Source: file.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: file.exe | Static file information: File size 4339200 > 1048576
Source: file.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x277800
Source: file.exe | Static PE information: Raw size of vjuwrkbf is bigger than: 0x100000 < 0x1a8400

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.fc0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;vjuwrkbf:EW;ukxgiinv:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;vjuwrkbf:EW;ukxgiinv:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x42ade9 should be: 0x42cc2e
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: vjuwrkbf
Source: file.exe | Static PE information: section name: ukxgiinv
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013421D0 push eax; mov dword ptr [esp], edx 0_2_013421D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107B1E0 push eax; mov dword ptr [esp], 00000000h 0_2_0107B133
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01042390 push eax; mov dword ptr [esp], 00000000h 0_2_01042393
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFF4B0 push eax; mov dword ptr [esp], 00000000h 0_2_00FFF4B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101FE20 push eax; mov dword ptr [esp], 00000000h 0_2_0101FE23
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01347EE0 push dword ptr [eax+04h]; ret 0_2_01347F0F
Source: file.exe | Static PE information: section name: vjuwrkbf entropy: 7.9560524700033115

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1875CF0 second address: 1875D02 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4378C62396h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F4378C62396h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1876450 second address: 1876455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1876455 second address: 1876469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378C623A0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18764BE second address: 18764C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1876587 second address: 18765A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C623A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18765A4 second address: 18765B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378D90660h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18765B8 second address: 18765BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18766B4 second address: 18766BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18766BA second address: 18766BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187678D second address: 1876793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1876811 second address: 1876815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1876815 second address: 187681F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187681F second address: 187683A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C6239Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18779C4 second address: 1877A43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D90663h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jl 00007F4378D90658h 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 nop 0x00000015 pushad 0x00000016 mov ecx, dword ptr [ebp+122D2971h] 0x0000001c mov edx, dword ptr [ebp+122D2B45h] 0x00000022 popad 0x00000023 or dword ptr [ebp+122D1ED6h], edx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007F4378D90658h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 00000017h 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 mov esi, dword ptr [ebp+122D1F5Bh] 0x0000004b mov si, A403h 0x0000004f push 00000000h 0x00000051 add edi, dword ptr [ebp+122D2C28h] 0x00000057 jns 00007F4378D90656h 0x0000005d push eax 0x0000005e jc 00007F4378D90664h 0x00000064 push eax 0x00000065 push edx 0x00000066 je 00007F4378D90656h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18788E8 second address: 1878984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F4378C6239Fh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F4378C62398h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D3318h], eax 0x0000002c push 00000000h 0x0000002e adc esi, 7841AF1Bh 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007F4378C62398h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 00000014h 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 call 00007F4378C623A0h 0x00000055 add dword ptr [ebp+122D33A4h], eax 0x0000005b pop edi 0x0000005c xor di, A56Ah 0x00000061 mov esi, 1163A781h 0x00000066 xchg eax, ebx 0x00000067 jmp 00007F4378C6239Ch 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f ja 00007F4378C6239Ch 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187A776 second address: 187A77E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187A51C second address: 187A52F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4378C6239Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187A52F second address: 187A533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187BB10 second address: 187BB15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187BB15 second address: 187BB1A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187BB1A second address: 187BBA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F4378C62398h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov esi, dword ptr [ebp+122D2A59h] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F4378C62398h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 push 00000000h 0x00000048 jmp 00007F4378C6239Dh 0x0000004d xchg eax, ebx 0x0000004e jmp 00007F4378C6239Bh 0x00000053 push eax 0x00000054 pushad 0x00000055 jp 00007F4378C623A3h 0x0000005b push eax 0x0000005c push edx 0x0000005d jo 00007F4378C62396h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187BBA7 second address: 187BBAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187DB42 second address: 187DB48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187F99E second address: 187F9A8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4378D90656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1880B03 second address: 1880B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187FB34 second address: 187FB56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F4378D90656h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4378D9065Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1880B07 second address: 1880B16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C6239Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 187FB56 second address: 187FB70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D90666h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1880B16 second address: 1880B96 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 ja 00007F4378C62396h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push ecx 0x00000010 mov bx, AA22h 0x00000014 pop ebx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F4378C62398h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D1DE0h], edi 0x00000037 jmp 00007F4378C623A8h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007F4378C62398h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 0000001Bh 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 xchg eax, esi 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jno 00007F4378C62396h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1880B96 second address: 1880BA0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1880BA0 second address: 1880BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1880BA4 second address: 1880BA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1881B62 second address: 1881B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1882AD1 second address: 1882B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 add ebx, 749E4512h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F4378D90658h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov edi, 02E2F96Bh 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D2C65h], edx 0x00000038 push eax 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c je 00007F4378D90656h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1883BB9 second address: 1883BFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+122D284Dh] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F4378C62398h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d mov bx, 2864h 0x00000031 xchg eax, esi 0x00000032 push eax 0x00000033 push edi 0x00000034 push eax 0x00000035 pop eax 0x00000036 pop edi 0x00000037 pop eax 0x00000038 push eax 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c push edx 0x0000003d pop edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1884B6A second address: 1884B74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F4378D90656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1885BE3 second address: 1885C05 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jmp 00007F4378C623A5h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1885C05 second address: 1885C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378D90666h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1885C1F second address: 1885C75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+1246D887h], esi 0x0000000f push 00000000h 0x00000011 sub dword ptr [ebp+122D2CC0h], ebx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F4378C62398h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov edi, dword ptr [ebp+1244A765h] 0x00000039 mov ebx, edx 0x0000003b xchg eax, esi 0x0000003c jnc 00007F4378C623A0h 0x00000042 push eax 0x00000043 push edi 0x00000044 push edi 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1887C70 second address: 1887C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1888E05 second address: 1888E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1888E0A second address: 1888E0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1886D9A second address: 1886DA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1887EAA second address: 1887EE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F4378D90656h 0x00000009 jmp 00007F4378D90666h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4378D90663h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1888FD7 second address: 1888FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1886DA4 second address: 1886DA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1887EE2 second address: 1887EE7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1886DA8 second address: 1886E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F4378D90665h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F4378D90658h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D296Dh] 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007F4378D90658h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 00000016h 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 mov edi, 5BB09374h 0x0000005c add bh, 00000073h 0x0000005f mov eax, dword ptr [ebp+122D0A29h] 0x00000065 and bx, 3973h 0x0000006a push FFFFFFFFh 0x0000006c js 00007F4378D9065Ch 0x00000072 mov dword ptr [ebp+12449257h], ebx 0x00000078 mov dword ptr [ebp+122D2D58h], ecx 0x0000007e nop 0x0000007f pushad 0x00000080 pushad 0x00000081 pushad 0x00000082 popad 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 188AFA8 second address: 188AFAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1886E45 second address: 1886E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 188AFAD second address: 188AFC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jnc 00007F4378C62398h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1886E4D second address: 1886E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4378D90668h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 188C009 second address: 188C00F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 188CF9B second address: 188CFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4378D90658h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F4378D90666h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 188CFC5 second address: 188CFCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 188CFCB second address: 188D071 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4378D90656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F4378D90658h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push dword ptr fs:[00000000h] 0x0000002e jne 00007F4378D90660h 0x00000034 mov bl, E0h 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d xor dword ptr [ebp+122D1A6Ah], esi 0x00000043 mov eax, dword ptr [ebp+122D10E5h] 0x00000049 push 00000000h 0x0000004b push eax 0x0000004c call 00007F4378D90658h 0x00000051 pop eax 0x00000052 mov dword ptr [esp+04h], eax 0x00000056 add dword ptr [esp+04h], 0000001Bh 0x0000005e inc eax 0x0000005f push eax 0x00000060 ret 0x00000061 pop eax 0x00000062 ret 0x00000063 movsx ebx, bx 0x00000066 mov di, 473Ah 0x0000006a push FFFFFFFFh 0x0000006c stc 0x0000006d nop 0x0000006e push eax 0x0000006f push edx 0x00000070 push edx 0x00000071 jmp 00007F4378D90668h 0x00000076 pop edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1893D28 second address: 1893D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18973FC second address: 1897404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1897404 second address: 189740A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 189740A second address: 1897415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4378D90656h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1897415 second address: 189741A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1896DF7 second address: 1896E1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D90661h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jl 00007F4378D90656h 0x00000014 je 00007F4378D90656h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 189D786 second address: 189D78A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 189D78A second address: 189D790 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 189D878 second address: 189D87C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 189D87C second address: 189D8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jp 00007F4378D9066Fh 0x0000000e jmp 00007F4378D90669h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 je 00007F4378D9065Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18A2743 second address: 18A2749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18A2749 second address: 18A277A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4378D90656h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jno 00007F4378D90662h 0x00000013 pushad 0x00000014 jmp 00007F4378D9065Dh 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18A13B1 second address: 18A13B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18A13B6 second address: 18A13CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jng 00007F4378D90656h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18A13CC second address: 18A13D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18A197E second address: 18A1982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18A1982 second address: 18A1999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C6239Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18A1999 second address: 18A199D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18A199D second address: 18A19B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C623A6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18A19B9 second address: 18A19D6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F4378D90668h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18A1B2D second address: 18A1B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4378C62396h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18D28E4 second address: 18D28E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18D28E9 second address: 18D2929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4378D90656h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007F4378D90668h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jno 00007F4378D9065Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 jp 00007F4378D90656h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18D2F5C second address: 18D2F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4378C6239Fh 0x00000009 pushad 0x0000000a jmp 00007F4378C623A6h 0x0000000f jmp 00007F4378C623A7h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18D3B49 second address: 18D3B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F4378D90666h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18D40F6 second address: 18D4102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F4378C62396h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18D43D8 second address: 18D43DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18D43DC second address: 18D43EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F4378C62396h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18D43EE second address: 18D43F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18DDA9B second address: 18DDAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4378C623A5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18DCF94 second address: 18DCFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4378D90656h 0x0000000a pop ecx 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18DCFA3 second address: 18DCFBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4378C62396h 0x0000000a popad 0x0000000b pushad 0x0000000c jc 00007F4378C62396h 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18DD3CF second address: 18DD3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18DD3D3 second address: 18DD3D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18E5216 second address: 18E521C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18E342B second address: 18E3465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F4378C623B0h 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F4378C623A8h 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 jmp 00007F4378C6239Dh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18E3465 second address: 18E3470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18E3470 second address: 18E347A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4378C62396h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18E347A second address: 18E3480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18EACC5 second address: 18EACE1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F4378C6239Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F4378C623B7h 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18EF57A second address: 18EF581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18EEEF3 second address: 18EEEFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F4378C62396h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18EEEFD second address: 18EEF03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18EEF03 second address: 18EEF23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4378C623A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18EEF23 second address: 18EEF27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18EF080 second address: 18EF084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18EF084 second address: 18EF09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4378D90661h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18EF09E second address: 18EF0D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4378C623A7h 0x0000000b jmp 00007F4378C623A4h 0x00000010 popad 0x00000011 jp 00007F4378C623A2h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18EF0D8 second address: 18EF0E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4378D90656h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18F2148 second address: 18F214D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18F214D second address: 18F2171 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4378D9065Eh 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F4378D9065Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18FBE90 second address: 18FBE9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18FBE9F second address: 18FBEB1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F4378D9065Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1906204 second address: 1906211 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4378C62396h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 190C138 second address: 190C13E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 190F642 second address: 190F661 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F4378C623A3h 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F4378C62396h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 190F661 second address: 190F665 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 190F4B2 second address: 190F4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4378C6239Fh 0x00000009 pop ecx 0x0000000a pop ecx 0x0000000b jo 00007F4378C623A2h 0x00000011 jl 00007F4378C6239Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1916600 second address: 191660B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 191660B second address: 1916614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1916614 second address: 191661C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 191661C second address: 1916626 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4378C62396h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 19151AF second address: 19151B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 19151B3 second address: 19151B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1915321 second address: 1915330 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D9065Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1915330 second address: 1915336 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1915336 second address: 191533C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1915490 second address: 1915494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1915494 second address: 19154BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D9065Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F4378D9065Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F4378D90656h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 19154BA second address: 19154BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 19154BE second address: 19154FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D9065Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jl 00007F4378D90656h 0x00000012 jne 00007F4378D90656h 0x00000018 popad 0x00000019 pushad 0x0000001a jc 00007F4378D90656h 0x00000020 jmp 00007F4378D90667h 0x00000025 pushad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 19157A7 second address: 19157BA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4378C62396h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 19157BA second address: 19157BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 19157BE second address: 19157C6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 191592D second address: 191593A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F4378D90656h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 191593A second address: 1915942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 191A263 second address: 191A267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 191A267 second address: 191A27B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F4378C6239Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1919D78 second address: 1919D7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1919D7C second address: 1919D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1919D82 second address: 1919D95 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4378D9065Eh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 191EDB6 second address: 191EDBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 191EDBA second address: 191EDF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D90666h 0x00000007 jmp 00007F4378D90669h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 196992C second address: 1969930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1969930 second address: 196993C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 19697DD second address: 19697E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4378C6239Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 196B8E1 second address: 196B8F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378D90660h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 196B8F5 second address: 196B8F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 196B4B2 second address: 196B4B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 196B4B7 second address: 196B4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A30509 second address: 1A30513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4378D90656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A30513 second address: 1A3051F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A3051F second address: 1A30523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A2F47B second address: 1A2F481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A2F8E4 second address: 1A2F915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4378D9065Ah 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F4378D90669h 0x00000010 jg 00007F4378D90656h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A2FD37 second address: 1A2FD67 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4378C6239Eh 0x00000008 push eax 0x00000009 jnl 00007F4378C62396h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jmp 00007F4378C623A1h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A2FD67 second address: 1A2FD6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A2FF2D second address: 1A2FF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A2FF31 second address: 1A2FF47 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4378D90656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F4378D9065Ch 0x00000010 jnl 00007F4378D90656h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A3009C second address: 1A300BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F4378C623A6h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A3733B second address: 1A37341 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A37341 second address: 1A37347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A37347 second address: 1A3734B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A378AD second address: 1A378B2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A378B2 second address: 1A378E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 push ecx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop ecx 0x0000000d pop ecx 0x0000000e nop 0x0000000f xor dword ptr [ebp+122D1E47h], eax 0x00000015 push dword ptr [ebp+122D18EFh] 0x0000001b and edx, dword ptr [ebp+122D28A9h] 0x00000021 add edx, dword ptr [ebp+124C8486h] 0x00000027 call 00007F4378D90659h 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push ebx 0x00000030 pop ebx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A378E7 second address: 1A378F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A378F4 second address: 1A378F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A378F9 second address: 1A3791C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C6239Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4378C6239Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A3791C second address: 1A3793A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4378D90658h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A3793A second address: 1A37955 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C623A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A38D98 second address: 1A38DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4378D90661h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A38DAD second address: 1A38DB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799001B second address: 799007E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F4378D9065Fh 0x00000008 pop ecx 0x00000009 call 00007F4378D90669h 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 jmp 00007F4378D9065Ch 0x00000018 mov dword ptr [esp], ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ebx, 2F5C26E0h 0x00000023 call 00007F4378D90669h 0x00000028 pop eax 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799007E second address: 79900B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c jmp 00007F4378C623A2h 0x00000011 mov eax, dword ptr fs:[00000030h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F4378C6239Ah 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79900B0 second address: 79900B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79900B6 second address: 79900C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378C6239Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799129C second address: 79912D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 jmp 00007F4378D9065Ch 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esi+10h] 0x00000010 jmp 00007F4378D90660h 0x00000015 mov dword ptr [edx+10h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov edx, 3E5F9240h 0x00000020 mov edx, 51CB926Ch 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79912D4 second address: 79912DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79912DA second address: 79912DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79912DE second address: 79912FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+14h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4378C6239Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79912FA second address: 7991312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378D90664h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7991312 second address: 799134C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+14h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov eax, 7C26F2DFh 0x00000013 pushfd 0x00000014 jmp 00007F4378C623A4h 0x00000019 or cx, 4D48h 0x0000001e jmp 00007F4378C6239Bh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7991464 second address: 79914A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D9065Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c movzx ecx, di 0x0000000f popad 0x00000010 popad 0x00000011 mov dword ptr [edx+28h], eax 0x00000014 jmp 00007F4378D90667h 0x00000019 mov ecx, dword ptr [esi+2Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov di, AC16h 0x00000023 mov dx, 73A2h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79914A4 second address: 7991541 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, bx 0x00000006 movsx edx, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [edx+2Ch], ecx 0x0000000f pushad 0x00000010 mov dx, 70AAh 0x00000014 popad 0x00000015 mov ax, word ptr [esi+30h] 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F4378C623A7h 0x00000020 adc si, 8DFEh 0x00000025 jmp 00007F4378C623A9h 0x0000002a popfd 0x0000002b movzx eax, di 0x0000002e popad 0x0000002f mov word ptr [edx+30h], ax 0x00000033 jmp 00007F4378C623A3h 0x00000038 mov ax, word ptr [esi+32h] 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007F4378C623A4h 0x00000043 and ecx, 79F88F58h 0x00000049 jmp 00007F4378C6239Bh 0x0000004e popfd 0x0000004f push eax 0x00000050 push edx 0x00000051 mov bx, si 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79C045C second address: 79C0462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7970C0D second address: 7970C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7970C11 second address: 7970C9E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4378D9065Ah 0x00000008 or al, FFFFFFD8h 0x0000000b jmp 00007F4378D9065Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 mov ebx, 122D02FAh 0x00000019 pop edi 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F4378D9065Ch 0x00000023 adc ch, 00000038h 0x00000026 jmp 00007F4378D9065Bh 0x0000002b popfd 0x0000002c movzx eax, bx 0x0000002f popad 0x00000030 push eax 0x00000031 jmp 00007F4378D90662h 0x00000036 xchg eax, ebp 0x00000037 pushad 0x00000038 mov di, ax 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007F4378D90668h 0x00000042 and ax, 92F8h 0x00000047 jmp 00007F4378D9065Bh 0x0000004c popfd 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793001B second address: 793001F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793001F second address: 7930033 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D90660h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7930033 second address: 7930045 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378C6239Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793075E second address: 7930762 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7930762 second address: 7930768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7930768 second address: 793076E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793076E second address: 7930772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7930B8B second address: 7930BF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4378D9065Fh 0x00000009 adc cl, 0000007Eh 0x0000000c jmp 00007F4378D90669h 0x00000011 popfd 0x00000012 movzx esi, bx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 jmp 00007F4378D9065Ah 0x0000001e xchg eax, ebp 0x0000001f jmp 00007F4378D90660h 0x00000024 mov ebp, esp 0x00000026 jmp 00007F4378D90660h 0x0000002b pop ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7930BF6 second address: 7930BFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7930BFA second address: 7930C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7970B62 second address: 7970B8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C6239Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4378C623A7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7970B8E second address: 7970BB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F4378D90662h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F4378D9065Ah 0x00000016 push esi 0x00000017 pop edi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7960027 second address: 796002D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796002D second address: 7960080 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D9065Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F4378D90661h 0x00000010 pushfd 0x00000011 jmp 00007F4378D90660h 0x00000016 sub esi, 6AC08538h 0x0000001c jmp 00007F4378D9065Bh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 mov si, dx 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7960080 second address: 7960086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7960086 second address: 796008A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796008A second address: 796009E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push ecx 0x0000000c mov si, di 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796009E second address: 79600A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79600A2 second address: 79600D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 and esp, FFFFFFF0h 0x0000000a jmp 00007F4378C6239Ch 0x0000000f sub esp, 44h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4378C623A7h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79600D4 second address: 79600F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D90669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79600F8 second address: 79600FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79600FC second address: 7960102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7960102 second address: 796011E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C623A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796011E second address: 7960127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, 6239h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7960127 second address: 79601E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C6239Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F4378C623A6h 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 mov ecx, 45B81A8Dh 0x00000016 mov ch, D2h 0x00000018 popad 0x00000019 push eax 0x0000001a jmp 00007F4378C623A4h 0x0000001f xchg eax, esi 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F4378C6239Eh 0x00000027 jmp 00007F4378C623A5h 0x0000002c popfd 0x0000002d mov ah, E7h 0x0000002f popad 0x00000030 push edx 0x00000031 jmp 00007F4378C623A8h 0x00000036 mov dword ptr [esp], edi 0x00000039 jmp 00007F4378C623A0h 0x0000003e mov edi, dword ptr [ebp+08h] 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F4378C623A7h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79601E2 second address: 7960249 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D90669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+24h], 00000000h 0x00000011 jmp 00007F4378D9065Eh 0x00000016 lock bts dword ptr [edi], 00000000h 0x0000001b jmp 00007F4378D90660h 0x00000020 jc 00007F43E830285Fh 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F4378D90667h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7960249 second address: 7960261 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378C623A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7960261 second address: 79602A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D9065Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c jmp 00007F4378D90666h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4378D90667h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7970CEC second address: 7970D19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C623A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4378C6239Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7970D19 second address: 7970D2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov ax, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7970D2A second address: 7970DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F4378C6239Eh 0x0000000a or ax, 93A8h 0x0000000f jmp 00007F4378C6239Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pushfd 0x00000017 jmp 00007F4378C623A8h 0x0000001c add si, 0608h 0x00000021 jmp 00007F4378C6239Bh 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 pushad 0x0000002a call 00007F4378C623A4h 0x0000002f pushad 0x00000030 popad 0x00000031 pop eax 0x00000032 mov cx, di 0x00000035 popad 0x00000036 mov ebp, esp 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b movzx ecx, bx 0x0000003e pushad 0x0000003f popad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7970DA2 second address: 7970DEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D9065Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, bx 0x00000010 pushfd 0x00000011 jmp 00007F4378D90669h 0x00000016 sbb ecx, 39B97BE6h 0x0000001c jmp 00007F4378D90661h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7970DEC second address: 7970DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7970A2B second address: 7970ACC instructions: 0x00000000 rdtsc 0x00000002 mov cx, 31C5h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, 5A702541h 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F4378D90663h 0x00000017 and esi, 4F59756Eh 0x0000001d jmp 00007F4378D90669h 0x00000022 popfd 0x00000023 call 00007F4378D90660h 0x00000028 pop ecx 0x00000029 popad 0x0000002a pushad 0x0000002b mov edi, 4CBDDB94h 0x00000030 push ebx 0x00000031 pop ecx 0x00000032 popad 0x00000033 popad 0x00000034 xchg eax, ebp 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F4378D90665h 0x0000003c xor ax, 2706h 0x00000041 jmp 00007F4378D90661h 0x00000046 popfd 0x00000047 push eax 0x00000048 push edx 0x00000049 call 00007F4378D9065Eh 0x0000004e pop esi 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7970ACC second address: 7970B07 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov al, A9h 0x0000000e pushfd 0x0000000f jmp 00007F4378C6239Bh 0x00000014 xor eax, 1641CAEEh 0x0000001a jmp 00007F4378C623A9h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7980020 second address: 7980040 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D90666h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov ebx, ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7980040 second address: 79800A9 instructions: 0x00000000 rdtsc 0x00000002 mov ah, C9h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F4378C623A5h 0x0000000b jmp 00007F4378C623A0h 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007F4378C623A0h 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F4378C6239Dh 0x00000022 sub al, FFFFFFE6h 0x00000025 jmp 00007F4378C623A1h 0x0000002a popfd 0x0000002b mov di, si 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79C0D06 second address: 79C0D0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79C0D0C second address: 79C0D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79C0D10 second address: 79C0D36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4378D90669h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79C0D36 second address: 79C0D97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378C623A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dl, 00000007h 0x0000000c jmp 00007F4378C6239Eh 0x00000011 test eax, eax 0x00000013 jmp 00007F4378C623A0h 0x00000018 je 00007F43E819781Ah 0x0000001e pushad 0x0000001f call 00007F4378C6239Eh 0x00000024 mov eax, 36809C11h 0x00000029 pop esi 0x0000002a mov dx, 8F02h 0x0000002e popad 0x0000002f mov ecx, 00000000h 0x00000034 pushad 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79B058E second address: 79B05B6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F4378D9065Eh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4378D9065Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79B05B6 second address: 79B05BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79B05BC second address: 79B05D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378D90663h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79B0BCC second address: 79B0BDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378C6239Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79B0BDE second address: 79B0C1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F4378D90668h 0x00000012 and ax, AD48h 0x00000017 jmp 00007F4378D9065Bh 0x0000001c popfd 0x0000001d mov ecx, 05692CBFh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 16D4B63 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 186B748 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A8370 rdtsc 0_2_011A8370
Source: file.exe, file.exe, 00000000.00000002.1955231800.000000000184F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1955231800.000000000184F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1955733667.0000000001E4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A8370 rdtsc 0_2_011A8370
Source: file.exe, file.exe, 00000000.00000002.1955231800.000000000184F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: H` {Program Manager
Source: file.exe, 00000000.00000002.1955231800.000000000184F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: oH` {Program Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 23 Virtualization/Sandbox Evasion | OS Credential Dumping | 641 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 23 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 213 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| file.exe | 32% | ReversingLabs | Win32.Infostealer.Tinba | |
| file.exe | 100% | Avira | TR/Crypt.TPM.Gen | |
| file.exe | 100% | Joe Sandbox ML | | |
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17 | 0% | Avira URL Cloud | safe | |
| http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW173201934735a1 | 0% | Avira URL Cloud | safe | |
| http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347libgcc_s_dw2-1.dll__register_frame_info__der | 0% | Avira URL Cloud | safe | |
| http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347 | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| home.fvtekk5pn.top | 34.116.198.130 | true | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://curl.se/docs/hsts.html | file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| http://html4/loose.dtd | file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://curl.se/docs/alt-svc.html# | file.exe | false | | high |
| http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW173201934735a1 | file.exe, 00000000.00000002.1955733667.0000000001E4E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://curl.se/docs/http-cookies.html | file.exe, file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347libgcc_s_dw2-1.dll__register_frame_info__der | file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown |
| https://curl.se/docs/hsts.html# | file.exe | false | | high |
| http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17 | file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://curl.se/docs/http-cookies.html# | file.exe | false | | high |
| https://curl.se/docs/alt-svc.html | file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://ace-snapper-privately.ngrok-free.app/test/testFailed | file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| http://.css | file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347 | file.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1955733667.0000000001E4E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
                      https://ace-snapper-privately.ngrok-free.app/test/testfile.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmpfalse
                        high
                        http://.jpgfile.exe, 00000000.00000002.1954715312.0000000001573000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1713143859.0000000007C62000.00000004.00001000.00020000.00000000.sdmpfalse
                          high
IP | Domain | Country | ASN | ASN Name | Malicious
34.116.198.130 | home.fvtekk5pn.top | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1558936
                          Start date and time:2024-11-20 00:52:07 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 19s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:5
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.evad.winEXE@1/0@2/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:Failed
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com
                          • Not all processes were analyzed, report is missing behavior information
                          • VT rate limit hit for: file.exe
                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.116.198.130 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | fvtekk5pn.top/v1/upload.php
34.116.198.130 | file.exe | malicious | LummaC, Amadey, Stealc, Vidar | home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347
34.116.198.130 | file.exe | malicious | Clipboard Hijacker, Cryptbot | fvtekk5pn.top/v1/upload.php
34.116.198.130 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | fvtekk5pn.top/v1/upload.php
34.116.198.130 | file.exe | malicious | Clipboard Hijacker, Cryptbot | fvtekk5pn.top/v1/upload.php
34.116.198.130 | file.exe | malicious | Cryptbot | home.fvtejs5sr.top/iNfkLAsWrCuVUxMyJkfW1731561474
34.116.198.130 | file.exe | malicious | PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | fvtejs5sr.top/v1/upload.php
34.116.198.130 | file.exe | malicious | Unknown | home.fvtejs5sr.top/iNfkLAsWrCuVUxMyJkfW1731561474
34.116.198.130 | file.exe | malicious | Cryptbot | fvtejs5sr.top/v1/upload.php
34.116.198.130 | file.exe | malicious | PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | fvtejs5sr.top/v1/upload.php

Match | Associated Sample Name / URL | Detection | Threat Name | Context
home.fvtekk5pn.top | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 34.116.198.130
home.fvtekk5pn.top | file.exe | malicious | LummaC, Amadey, Stealc, Vidar | 34.116.198.130
home.fvtekk5pn.top | file.exe | malicious | Clipboard Hijacker, Cryptbot | 34.116.198.130
home.fvtekk5pn.top | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 34.116.198.130
home.fvtekk5pn.top | file.exe | malicious | Clipboard Hijacker, Cryptbot | 34.116.198.130

Match | Associated Sample Name / URL | Detection | Threat Name | Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 34.116.198.130
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | Credential Flusher | 34.117.188.166
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | LummaC, Amadey, Stealc, Vidar | 34.116.198.130
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | Credential Flusher | 34.117.188.166
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://usapress.info/inside-the-last-words-of-dan-haggerty-aka-grizzly-adams-and-why-he-had-to-pull-the-plug-on-his-wife-of-20-years/ | malicious | Unknown | 34.117.77.79
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://l.facebook.com/l.php?u=https%3A%2F%2Fusapress.info%2Finside-the-last-words-of-dan-haggerty-aka-grizzly-adams-and-why-he-had-to-pull-the-plug-on-his-wife-of-20-years%2F%3Ffbclid%3DIwZXh0bgNhZW0CMTAAAR0r3IVxCUPtQPPqP5Ce0_adoAsiHgG3Oy1cYDq3k1JXBIrTGLtjToxlazM_aem_q02YsKkKY0QB_fm5suzUDw&h=AT1Xo_CkNlagO29_sds-m5zdTBZ6-H70m0J__7wjjmSNinwNGqBfRUFK3cH2zXJWNO7msrJPRkNulrkTmUCLkRNMcfCJTNK-cs4SfUQyRy7nw3vP1DNmFisBvlttaen8fHfi-N3lXN_BGQgdBw&__tn__=R%5D-R&c%5B0%5D=AT3euz91upHKeMVK8p24ktUFKClJ0GKt_3lJnV9tGakx0Tro3u7Ymk1z4tOG4eBZxcuD-Ny10eAla4iUyfdG04Fh4GryHwAMuELGG4dQctfWKiu4mfB-eLJ8Qktnq0ptzD_TaZEPEMHQnvP4W65jDpc-XBmWlMSmaRM-2soPhaPGYAODWegqP8h47S90Q2hmwQvQgUDdb35OgV1duzzqudMAyOk7e8E7mfpnrlwhIvWwUkK53AUNuPTqYkQ | malicious | Unknown | 34.117.77.79
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | Clipboard Hijacker, Cryptbot | 34.116.198.130
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 34.116.198.130
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | Credential Flusher | 34.117.188.166
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | Credential Flusher | 34.117.188.166

No context
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                          Entropy (8bit):7.986528031387345
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • VXD Driver (31/22) 0.00%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:4'339'200 bytes
                          MD5:eeafcff9019f6db830551b94ded6ec31
                          SHA1:0177b0c665ce005f1a82cea394af45fcc798331e
                          SHA256:b51c39f9a5b2176d0e3a06036460db52d19a94cb4827cf523c00a2e567fd586e
                          SHA512:b37a82d84d1573d908cbbb57422bb4965329204f84452083bfdaa346feeca77db147eae51528d292c7ed477c3c97b0a88d48c23cde522208d200db768f6ecf55
                          SSDEEP:98304:lF1QhWOfAPeI5LcmjMpfMs5EGzuKs7MJeSfaLnw:l8hWQA2I5pMpfMs5dzs4oSfaLnw
                          TLSH:9B1633553670161FF60E7EBF46C2BE4A40E7ABD959210C0ED108BC59299F79C053AE3E
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<g...............(..I...s..2............J...@...................................B...@... ............................
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0x102e000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                          DLL Characteristics:DYNAMIC_BASE
                          Time Stamp:0x673C85E9 [Tue Nov 19 12:34:49 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                          Instruction
                          jmp 00007F4378D6356Ah
                          unpcklps xmm0, dqword ptr [edx+00h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          jmp 00007F4378D65565h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x71005f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2c1f8 | 0x10 | vjuwrkbf
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc2c1a8 | 0x18 | vjuwrkbf
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x70e000 | 0x277800 | 4960ba1f4adea9811415a093f787790f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x70f000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x710000 | 0x1000 | 0x200 | a2d6930c120adbbe66b0377a2360d082 | False | 0.166015625 | data | 1.091365066296249 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x711000 | 0x373000 | 0x200 | b4224f60ef0c096e89c672c26995b58a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vjuwrkbf | 0xa84000 | 0x1a9000 | 0x1a8400 | 3cd18d4236d71d49c29e6dc5f0cba797 | False | 0.9944692149749558 | data | 7.9560524700033115 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ukxgiinv | 0xc2d000 | 0x1000 | 0x400 | ee2ff2f05aae47bea028fac207a6a4d8 | False | 0.7607421875 | data | 5.977255825522144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc2e000 | 0x3000 | 0x2200 | 0a0b50a4fbe51e33ebfd9fddd5b2298d | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 00:53:04.999805927 CET | 49742 | 80 | 192.168.2.4 | 34.116.198.130
Nov 20, 2024 00:53:06.009718895 CET | 49742 | 80 | 192.168.2.4 | 34.116.198.130
Nov 20, 2024 00:53:08.009757996 CET | 49742 | 80 | 192.168.2.4 | 34.116.198.130
Nov 20, 2024 00:53:12.009659052 CET | 49742 | 80 | 192.168.2.4 | 34.116.198.130
Nov 20, 2024 00:53:20.009799957 CET | 49742 | 80 | 192.168.2.4 | 34.116.198.130

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 00:53:04.193731070 CET | 60353 | 53 | 192.168.2.4 | 1.1.1.1
Nov 20, 2024 00:53:04.193731070 CET | 60353 | 53 | 192.168.2.4 | 1.1.1.1
Nov 20, 2024 00:53:04.997498035 CET | 53 | 60353 | 1.1.1.1 | 192.168.2.4
Nov 20, 2024 00:53:04.997543097 CET | 53 | 60353 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 00:53:04.193731070 CET | 192.168.2.4 | 1.1.1.1 | 0x7ef | Standard query (0) | home.fvtekk5pn.top | A (IP address) | IN (0x0001) | false
Nov 20, 2024 00:53:04.193731070 CET | 192.168.2.4 | 1.1.1.1 | 0xeba7 | Standard query (0) | home.fvtekk5pn.top | 28 | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 00:53:04.997498035 CET | 1.1.1.1 | 192.168.2.4 | 0x7ef | No error (0) | home.fvtekk5pn.top | | 34.116.198.130 | A (IP address) | IN (0x0001) | false


                          Target ID:0
                          Start time:18:52:59
                          Start date:19/11/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0xfc0000
                          File size:4'339'200 bytes
                          MD5 hash:EEAFCFF9019F6DB830551B94DED6EC31
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:1.9%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:7%
                            Total number of Nodes:115
                            Total number of Limit Nodes:18

                            Control-flow Graph

                            APIs
                            • getsockname.WS2_32(-00000020,-00000020,?), ref: 01089CA7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            • Associated: 00000000.00000002.1954698063.0000000000FC0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: getsockname
                            • String ID: ares__sortaddrinfo.c$cur != NULL
                            • API String ID: 3358416759-2430778319
                            • Opcode ID: 0d72073bb74fbff54b38cf61746dc84299c995d55e690691d7fc7eabd3a803e0
                            • Instruction ID: 97fe1f99756fca5e578dafb7970294c235bb32308558adeb1af085f440a8fd64
                            • Opcode Fuzzy Hash: 0d72073bb74fbff54b38cf61746dc84299c995d55e690691d7fc7eabd3a803e0
                            • Instruction Fuzzy Hash: 9EC160316093119FD758FF28C890A6A7BE1EFC9318F05886CE9CA9B392D735D945CB81

                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1efea545bd107713d09ad3036b163be19d9b19b2cd751c6b0c478d7a4ab45d61
                            • Instruction ID: d1133cf443d5e442c0ba782f5481243328d0a755974f34856e79e1f68375033c
                            • Opcode Fuzzy Hash: 1efea545bd107713d09ad3036b163be19d9b19b2cd751c6b0c478d7a4ab45d61
                            • Instruction Fuzzy Hash: FC913631A04B1A4BD7358B68C8C47BB72D7EFC0B74F188B2ED499472D4E7749C40A691
                            Strings
                            Similarity
                            • API ID:
                            • String ID: multi.c
                            • API String ID: 0-214371023
                            • Opcode ID: 517277d5f8c8a774573629547c2f799c5387944b4fb9663ee60f831f18a2aa84
                            • Instruction ID: 13324893f41bcd65192368bc9e538de306940cb3d3b78f804e62ed8ad339a2a8
                            • Opcode Fuzzy Hash: 517277d5f8c8a774573629547c2f799c5387944b4fb9663ee60f831f18a2aa84
                            • Instruction Fuzzy Hash: A9D1D171A083429FE711CF20C982BABB7E6FF84754F08483DF98586241E779D948EB52
                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 01079409
                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0107943C
                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 01079487
                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 010794D9
                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 01079520
                            • RegCloseKey.KERNELBASE(?), ref: 0107955A
                            • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 01079572
                            • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 01079636
                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 010796FA
                            • RegEnumKeyExA.KERNELBASE ref: 0107977D
                            • RegCloseKey.KERNELBASE(?), ref: 010797C9
                            • RegEnumKeyExA.KERNELBASE ref: 010797F8
                            • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0107981A
                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 01079844
                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 01079953
                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 010799A2
                            • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 01079A62
                            Strings
                            Similarity
                            • API ID: QueryValue$Open$CloseEnum
                            • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                            • API String ID: 4217438148-1047472027
                            • Opcode ID: 3c113fc8e73e61792bdcfb008dc1f7f8a4a0c040ff284390c312973c32e5a5fb
                            • Instruction ID: 0840474f0ade16802f31c2a116201184b1d7ac88c365a811198c4d6952437ece
                            • Opcode Fuzzy Hash: 3c113fc8e73e61792bdcfb008dc1f7f8a4a0c040ff284390c312973c32e5a5fb
                            • Instruction Fuzzy Hash: E572D2B1A04341AFE3209B28CC81F6B7BE8EF85718F14486CFA85D7291E775E944CB56
                            APIs
                            • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00FF9222
                            Strings
                            • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00FF90BE
                            • Trying %s:%d..., xrefs: 00FF91B2, 00FF91CE
                            • bind failed with errno %d: %s, xrefs: 00FF9A70
                            • cf_socket_open() -> %d, fd=%d, xrefs: 00FF9186
                            • Could not set TCP_NODELAY: %s, xrefs: 00FF9261
                            • @, xrefs: 00FF9632
                            • @, xrefs: 00FF92E4
                            • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00FF96FA
                            • Trying [%s]:%d..., xrefs: 00FF9079
                            • cf-socket.c, xrefs: 00FF8FBD, 00FF9125
                            • Name '%s' family %i resolved to '%s' family %i, xrefs: 00FF979C
                            • Local Interface %s is ip %s using address family %i, xrefs: 00FF9850
                            • Local port: %hu, xrefs: 00FF9918
                            • Couldn't bind to '%s' with errno %d: %s, xrefs: 00FF980F
                            • Bind to local port %d failed, trying next, xrefs: 00FF99D5
                            Similarity
                            • API ID: setsockopt
                            • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                            • API String ID: 3981526788-2373386790
                            • Opcode ID: f33cd81e5e18e03b6304f96e53d707603fb314ef1bb78aa190632f363f137bb5
                            • Instruction ID: b1959d3f5de237cae5f6414e8cdbc033bb9f5a6d0a45c0016e5088797670599b
                            • Opcode Fuzzy Hash: f33cd81e5e18e03b6304f96e53d707603fb314ef1bb78aa190632f363f137bb5
                            • Instruction Fuzzy Hash: 91622671908345ABE721CF24CC45BFBB7E5BF85314F04052DEA88972A2E7B1E944DB92

                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 01088336
                            • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 01088364
                            • RegCloseKey.KERNELBASE(?), ref: 0108837B
                            Strings
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                            • API String ID: 3677997916-4129964100
                            • Opcode ID: cb9a5c96dc32703b87931635245b57bbd252d7e4285d0af1eec5dc8c1bb14bb4
                            • Instruction ID: f126fba6103426d6fcafd7a3b7d27b6d7b2b23f2474d6a5a24bb7becf7fa17e4
                            • Opcode Fuzzy Hash: cb9a5c96dc32703b87931635245b57bbd252d7e4285d0af1eec5dc8c1bb14bb4
                            • Instruction Fuzzy Hash: F0320AB5D08202ABF711BB28EC41A5B77E4AF54318F488479EDC9DA252FB31E924C753

                            APIs
                            • connect.WS2_32(?,?,00000001), ref: 00FF7620
                            Strings
                            Similarity
                            • API ID: connect
                            • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                            • API String ID: 1959786783-879669977
                            • Opcode ID: d4258387413cffc2df7750ec5e564e313e62a8321d313a92d75a31650e6de532
                            • Instruction ID: dc34b390a6883667e73c9138f161ea159f6a378809db5fe07d88b2862bcf6a8f
                            • Opcode Fuzzy Hash: d4258387413cffc2df7750ec5e564e313e62a8321d313a92d75a31650e6de532
                            • Instruction Fuzzy Hash: FFB1D670A0870A9BDB10EF24C885B76F7E1AF44324F18852DE9598B2F2EB74E845E751

                            APIs
                            • send.WS2_32(multi.c,?,?,?,00FC273E,00000000,?,?,00FCF1AF), ref: 00FC60DB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: send
                            • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                            • API String ID: 2809346765-3388739168
                            • Opcode ID: 14cde987f937fa1491b008f08eaa763553c0344acf1f82a03c9a0003522bb5fc
                            • Instruction ID: 4ba1a877eba422aafb2c61552aa1df03af95d09fb82e9cf7a6a3e4a1959e4d5f
                            • Opcode Fuzzy Hash: 14cde987f937fa1491b008f08eaa763553c0344acf1f82a03c9a0003522bb5fc
                            • Instruction Fuzzy Hash: F9113DB5A483156BD220A615EF4BF377B9CEBC1B28F05090CF80477302D1659C10D6B2

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: socket
                            • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                            • API String ID: 98920635-842387772
                            • Opcode ID: 772a29da5154e13d63110ca30ef853c8d07c90017f41071da08365506a19453d
                            • Instruction ID: 567ed624c446491d4b14acf9fb6c1ffa034d30c42d0899ff51d90ecb8517b1e1
                            • Opcode Fuzzy Hash: 772a29da5154e13d63110ca30ef853c8d07c90017f41071da08365506a19453d
                            • Instruction Fuzzy Hash: 02118C75B403522BD3206A39AC47F5B3F98EF82B34F04095CF414B6392D211DCA0D3A5

                            APIs
                            • getsockname.WS2_32(?,?,00000080), ref: 00FF8BB6
                            Strings
                            • getsockname() failed with errno %d: %s, xrefs: 00FF8BE0
                            • ssloc inet_ntop() failed with errno %d: %s, xrefs: 00FF8C2B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: getsockname
                            • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                            • API String ID: 3358416759-2605427207
                            • Opcode ID: b48f40675124234163fb61556f7bf96cae504c992a7e2076e740da738fdb8747
                            • Instruction ID: 6a19837636f875bf1e02af4bc7c0583938bfb3fc413d0fd67888e13816693624
                            • Opcode Fuzzy Hash: b48f40675124234163fb61556f7bf96cae504c992a7e2076e740da738fdb8747
                            • Instruction Fuzzy Hash: E121B971844284AAF7269B18DC46FF673ACEF95368F040614FA9853151FF32598687E2

                            APIs
                            • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0108958B
                            • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 010895D3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: ioctlsocketsocket
                            • String ID:
                            • API String ID: 416004797-0
                            • Opcode ID: 5f76071d441c9dcaa281de70c3e817a1c16b9854442a366d35b4ba00855b92ac
                            • Instruction ID: 9c266b304f64bcda606235556eb7c96e03376cf42f7a730ec37e2328eabdcf57
                            • Opcode Fuzzy Hash: 5f76071d441c9dcaa281de70c3e817a1c16b9854442a366d35b4ba00855b92ac
                            • Instruction Fuzzy Hash: 17E1E370608302DBE720EF28C884B7A77E4EFC5318F044A6DEAD99B291D775D954CB52

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: closesocket
                            • String ID: FD %s:%d sclose(%d)
                            • API String ID: 2781271927-3116021458
                            • Opcode ID: 044ca5700c0c116d66a5e188ffab8f0fdaea1e4d02017db715113cfdd513f691
                            • Instruction ID: 17b8cf93b3178e22e1251f9ab4600feddc237cefdc8f3c515ddbd73dd8ce78b4
                            • Opcode Fuzzy Hash: 044ca5700c0c116d66a5e188ffab8f0fdaea1e4d02017db715113cfdd513f691
                            • Instruction Fuzzy Hash: 47D05E22A06221678620A559AD46C9B7BA8EEC6E70B16084CF88577200D2269C4193F3

                            APIs
                            • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,01089C8E,?,00000000,?,?), ref: 01089AA9
                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,01072631,00000000), ref: 01089AB1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: ErrorLastconnect
                            • String ID:
                            • API String ID: 374722065-0
                            • Opcode ID: e29efb44d0b28d78741b22637110f5b77e75dbff6a6e8fdfea15d0edd0e1bd2e
                            • Instruction ID: b4b37195efddfc96ba43f643ead47f00ec775967eda07351923f3ebda6116727
                            • Opcode Fuzzy Hash: e29efb44d0b28d78741b22637110f5b77e75dbff6a6e8fdfea15d0edd0e1bd2e
                            • Instruction Fuzzy Hash: 840175323082105FDE517A68DC84E7AF7D9FBC9268F040795E5EAA71D1D326E910C691
                            APIs
                            • gethostname.WS2_32(00000000,00000040), ref: 01073495
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: gethostname
                            • String ID:
                            • API String ID: 144339138-0
                            • Opcode ID: 75a6ccba148dc3593d3e8407faa4f7188ab5aa4992fe4d56ef037f6609f3390e
                            • Instruction ID: 0ffe4f005f028be859d49f53362994486e397b08c96077d848e9e37e7f098b4f
                            • Opcode Fuzzy Hash: 75a6ccba148dc3593d3e8407faa4f7188ab5aa4992fe4d56ef037f6609f3390e
                            • Instruction Fuzzy Hash: 6B51D0B0E043019BF7719A29DD487677AE0BF40318F04497DD9CA8E6D1EB75E444E71A
                            APIs
                            • getsockname.WS2_32(?,?,00000080), ref: 010899C1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: getsockname
                            • String ID:
                            • API String ID: 3358416759-0
                            • Opcode ID: 477183c07a4c1b227c23d2adccf986b4944119fa3984eec791c40e91c2968dca
                            • Instruction ID: 3efec4f578e8a9f8619426d9dc45600fcf9f516d557738f23850b1feed9654f9
                            • Opcode Fuzzy Hash: 477183c07a4c1b227c23d2adccf986b4944119fa3984eec791c40e91c2968dca
                            • Instruction Fuzzy Hash: 3E117230808785A5EB269F1CD4427F6B3F8EFC4329F109619E5D942550FB3296C5CBC2
                            APIs
                            • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0108936E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: send
                            • String ID:
                            • API String ID: 2809346765-0
                            • Opcode ID: 086d1d1101f4bd31b89f2c0b7ba0c8b75baee8a9160473b563678922a42653ad
                            • Instruction ID: 8df855f0a937387146ec2167d942c05423f7fdfc54b885e8fe0b39944f961de0
                            • Opcode Fuzzy Hash: 086d1d1101f4bd31b89f2c0b7ba0c8b75baee8a9160473b563678922a42653ad
                            • Instruction Fuzzy Hash: 1A01A7717017109FD6149F28DC45B5ABBA5EFC4720F498559EAD82B3A1C331AC108BD1
                            APIs
                            • SleepEx.KERNELBASE(00000000,00000000), ref: 00FF9B8C
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 29bbea92a38cdc175aee70a9b2778557ed8b08478c59bae9d9aa799e9c8c8708
                            • Instruction ID: 2e8fc01ff46bbb1a245bb57ee78cfe44cb19824d683e656857bec12032cb8c2f
                            • Opcode Fuzzy Hash: 29bbea92a38cdc175aee70a9b2778557ed8b08478c59bae9d9aa799e9c8c8708
                            • Instruction Fuzzy Hash: 30F0A77168921567E2205A14AC41B3A76D4AFC2F20F15052CEBC4AB3D4D6E44D4456A3
                            APIs
                            • socket.WS2_32(?,01089C70,00000000,-00000001,00000000,01089C70,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 01089957
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: socket
                            • String ID:
                            • API String ID: 98920635-0
                            • Opcode ID: bea99fcfb2a23bfea0896ade11f00c57274d1976cda2f7b0324f93601a3657d7
                            • Instruction ID: 797e7bd15c2062be8c9c0a85e6536e2568c47121edb18be285f50cd79bee5d32
                            • Opcode Fuzzy Hash: bea99fcfb2a23bfea0896ade11f00c57274d1976cda2f7b0324f93601a3657d7
                            • Instruction Fuzzy Hash: 46E0E576A092226BD655DE1CE8459ABF7A9EFC4B10F054949B9D467204C330AC5086E1
                            APIs
                            • closesocket.WS2_32(?,01087E12,?,?,?,?,?,?,?,?,?,?,?,01071D67,01462EA0,00000000), ref: 01089A3C
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: closesocket
                            • String ID:
                            • API String ID: 2781271927-0
                            • Opcode ID: ffd5d49dd95e8320d5315c41dbecddfac7222999a2a8778fd4b58bcc5790274b
                            • Instruction ID: bd95f63cd2ba437a9a84b0d8cfb6c32eeaae7b2d3dff30c5def8a57adeb7fc19
                            • Opcode Fuzzy Hash: ffd5d49dd95e8320d5315c41dbecddfac7222999a2a8778fd4b58bcc5790274b
                            • Instruction Fuzzy Hash: 84D0C27070420057DE50BA18C884A66B7AB7FC0514F68CBA8E5CC4A255D736C8439681
                            APIs
                            • ioctlsocket.WS2_32(?,8004667E,?,?,00FF9946,?,00000001), ref: 010251EC
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID: ioctlsocket
                            • String ID:
                            • API String ID: 3577187118-0
                            • Opcode ID: 16ccfa4bb5184899b86b63eaa12522b7f4a8eb40b8502923827cce7192da8f64
                            • Instruction ID: b1655764e4dcdbc3f01eeb42c5cdaf68e392172bccfb74209a509df258ccb336
                            • Opcode Fuzzy Hash: 16ccfa4bb5184899b86b63eaa12522b7f4a8eb40b8502923827cce7192da8f64
                            • Instruction Fuzzy Hash: 9DC080F121C101BFD70C8714D455B2F77E8DB84355F01581CB086D1180FA345990CF17
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                            • API String ID: 0-1371176463
                            • Opcode ID: caaa662bc903817b5fb8faca21c49ee3e33e6b6e1b6c44986844a2210f05b961
                            • Instruction ID: aab3dba1be40758e42252881f4362c8e738e7f2a0f07eaa08230c38cc3772148
                            • Opcode Fuzzy Hash: caaa662bc903817b5fb8faca21c49ee3e33e6b6e1b6c44986844a2210f05b961
                            • Instruction Fuzzy Hash: C1B24970B08701ABF726AE28DC52B6B7BE5AF40744F08446CF9C99B2D2E775E844C752
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                            • API String ID: 0-122532811
                            • Opcode ID: f7eeabbe6ba819e6a921e73a583b25c2801197539eb67b5a08a3c36e31d7b8b7
                            • Instruction ID: 1f75a15bf0ce965bfc0864e5e4dde52ecd8d4d4c9cf39ccbde8b088eca49b05c
                            • Opcode Fuzzy Hash: f7eeabbe6ba819e6a921e73a583b25c2801197539eb67b5a08a3c36e31d7b8b7
                            • Instruction Fuzzy Hash: D9420672B08301AFD708DE28CC51B6BB6DAEBC4704F088A2DF64D97391D775B9149B92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                            • API String ID: 0-3977460686
                            • Opcode ID: 954822ff154f29b8f5106d8b21c35ff42959698bae73acb14ab44584eff0f797
                            • Instruction ID: f64005ff58313b9479cf4708895c24c53c1385a91c1f122cf477e5bdcc73a2ba
                            • Opcode Fuzzy Hash: 954822ff154f29b8f5106d8b21c35ff42959698bae73acb14ab44584eff0f797
                            • Instruction Fuzzy Hash: 82322872A043014BC7209F289C4135AB7D7AB95334F1D4B2FE9A59B3D2E734DA45AB82
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                            • API String ID: 0-1574211403
                            • Opcode ID: 2369dc4ac38d920636e78bfa7a42a750caf3f8b977b149ecb203309cf31dab26
                            • Instruction ID: 908e29290130d76eb5df5f79a972b59dcdbddc137fba27858ce2030a220dd489
                            • Opcode Fuzzy Hash: 2369dc4ac38d920636e78bfa7a42a750caf3f8b977b149ecb203309cf31dab26
                            • Instruction Fuzzy Hash: 366107A5E0830667E754B628AC05B7F76D9AFA4304F04C43EFDCAD6292FD71E9108257
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                            • API String ID: 0-1914377741
                            • Opcode ID: 57df1188f9c4c965651630382177ec490f63ad7783a7f468521ac01a655ba2cb
                            • Instruction ID: 321ce0361b0fefa452d5d8665702a891604ebd97dc747f24e51fec0f9c7f163a
                            • Opcode Fuzzy Hash: 57df1188f9c4c965651630382177ec490f63ad7783a7f468521ac01a655ba2cb
                            • Instruction Fuzzy Hash: F9727D30E083C19FE7318A2AC44A7A6B7D2AF91754F04861CEDC55B297E776ED84E381
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                            • API String ID: 0-3476178709
                            • Opcode ID: dcd8053cf82761a5bfb51f3e141f975ff896e2c26476811ab922046c857f57cc
                            • Instruction ID: 07658dcba60da7d60d1b411b53c75882ada1d60f3b99368140c8d77b5fcf10a2
                            • Opcode Fuzzy Hash: dcd8053cf82761a5bfb51f3e141f975ff896e2c26476811ab922046c857f57cc
                            • Instruction Fuzzy Hash: CE319363B545452BF72C140E9C42F3E104BC3C5B10F6E833EB906AB7D1D9F9AC1562A5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: $.$;$?$?$xn--$xn--
                            • API String ID: 0-543057197
                            • Opcode ID: d2084bde4c10efde748db74f1c268243bb4a1f7583bc59d3dddd27cdfca657bc
                            • Instruction ID: 46b4baa8c5257c2d8c58dad27507ddd7c9df4110b219759481ceca88b78a8a3c
                            • Opcode Fuzzy Hash: d2084bde4c10efde748db74f1c268243bb4a1f7583bc59d3dddd27cdfca657bc
                            • Instruction Fuzzy Hash: 6A2218B290C3029BEB61BA78DC40B6B77D5AF95308F04496CF9C9972D2EB70E944C752
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                            • API String ID: 0-2555271450
                            • Opcode ID: e707bb16fe31a026c6fb15f681fcfa59b555326aeaea48693952f3534d0415b5
                            • Instruction ID: 09140fb201efb6f2ac8d1b40edf0b29d93af9d8301386eb06545acad407c9559
                            • Opcode Fuzzy Hash: e707bb16fe31a026c6fb15f681fcfa59b555326aeaea48693952f3534d0415b5
                            • Instruction Fuzzy Hash: AAC29031A087468FC714CF18C581B6AB7E2BFC8318F19C92DE8999B351D770ED459B82
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: default$login$macdef$machine$netrc.c$password
                            • API String ID: 0-1043775505
                            • Opcode ID: 6cd8768f28af3f5b657d8a0c13f06efda35f654f73f989299d2c1359645b0f3b
                            • Instruction ID: cd4ca102916e3e18af09cc686132965808af5ba52709a78246bddf02f5cd44e9
                            • Opcode Fuzzy Hash: 6cd8768f28af3f5b657d8a0c13f06efda35f654f73f989299d2c1359645b0f3b
                            • Instruction Fuzzy Hash: DCE1587050C3619BE361AE19DC85B6FBBE4AF85708F14486CF9C49B282D3B9D548CB92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                            • API String ID: 0-2839762339
                            • Opcode ID: 3eee3448395a65d5b5826e69d5712c006b18909d19663fd5a0d8acf2e4b65717
                            • Instruction ID: f1cf1d1eea2b0c76dbe1ac21f81a28d2db2671c86e749166a18556c4d127de71
                            • Opcode Fuzzy Hash: 3eee3448395a65d5b5826e69d5712c006b18909d19663fd5a0d8acf2e4b65717
                            • Instruction Fuzzy Hash: C90209B56087419FE7359F28D841B6BBBE5AF66308F08842CE9D987241F771F884C792
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                            • API String ID: 0-3285806060
                            • Opcode ID: def5defe4ef1412bf1ace604f36049bbed5a9a79e570af0028424b4ff74a79ca
                            • Instruction ID: 165409073ccc44e3e7a5169b7084aa5693a2f7b9bf2fd1dbfc421b460c31a503
                            • Opcode Fuzzy Hash: def5defe4ef1412bf1ace604f36049bbed5a9a79e570af0028424b4ff74a79ca
                            • Instruction Fuzzy Hash: D2D1E4B1E083058BD7249F28C88177FBBD1AF85704F0D8A6DE9D59B382DB349984C786
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: %$&$urlapi.c
                            • API String ID: 0-3891957821
                            • Opcode ID: 5ef08fc9094567e5e5b46bbecce7cb9b819df5acfb95dcac2cbe8bba86f13376
                            • Instruction ID: 46f86ba5c44742f4f82c2d9bd0bc64aa38dac74ace4621f145f36e6445aecb3c
                            • Opcode Fuzzy Hash: 5ef08fc9094567e5e5b46bbecce7cb9b819df5acfb95dcac2cbe8bba86f13376
                            • Instruction Fuzzy Hash: F222DBA1E087C29BEB205A238C4177B33D69F91724F14452DF9864B3D3F729E854B7A2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                            • API String ID: 0-424504254
                            • Opcode ID: e522b7c102c1fbc567bbf97cc7c74a66e567c9d9dcd7cf282b314bbd57756e6c
                            • Instruction ID: 8cc7d30084d5d0f7d8f6dcdc7941288646e33c867ce33123b24cd081ce4fcd0a
                            • Opcode Fuzzy Hash: e522b7c102c1fbc567bbf97cc7c74a66e567c9d9dcd7cf282b314bbd57756e6c
                            • Instruction Fuzzy Hash: 30317BA6E087C15BD325193E5C81A357EC15F92328F18033CF8959B2D2F7699D029BD1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: #$4
                            • API String ID: 0-353776824
                            • Opcode ID: 021e9d5deab90a039ec7412743d7ba9ab928b7894ccbff6ad2c4017520856b50
                            • Instruction ID: f5d5246a73e748e344ead7819cb5d36be148fd4eebba3b4549cfcbefbc70f6ef
                            • Opcode Fuzzy Hash: 021e9d5deab90a039ec7412743d7ba9ab928b7894ccbff6ad2c4017520856b50
                            • Instruction Fuzzy Hash: AC22E1B55087419FC715CF2CC8806AAFBE4FFC4318F048A2DE89997391D374A985CB9A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: #$4
                            • API String ID: 0-353776824
                            • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                            • Instruction ID: 17b3ff9e3c4ae70d1b84478df8f9010892ffcf6c41ca0a2a19ba8e42c86a004d
                            • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                            • Instruction Fuzzy Hash: 7012F332A087118BC725DF28C4807ABB7E5FFC4718F198A3DE99997351DB749884CB86
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: H$xn--
                            • API String ID: 0-4022323365
                            • Opcode ID: 8af03ec1da2550fb3484c8b9e98947b58b1910162bb6f21a00d7563eac564206
                            • Instruction ID: 0d152b418f1ed2d82eb386c44ecda99883172d7098ca318656adf3c53ebdc87d
                            • Opcode Fuzzy Hash: 8af03ec1da2550fb3484c8b9e98947b58b1910162bb6f21a00d7563eac564206
                            • Instruction Fuzzy Hash: BEE146316087158BD718DE2CE8C072BBBD2AFC4218F198A3DF9D697381D774AC458752
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: Downgrades to HTTP/1.1$multi.c
                            • API String ID: 0-3089350377
                            • Opcode ID: 74e2f67727eaede970e99eb82c7c103dc948e54694a37da9aa687955f3995801
                            • Instruction ID: a2b5a9522bf3ef7f0ce75809ac76c2ae8d03daceec908d8cfaf06f0c4c28b6f1
                            • Opcode Fuzzy Hash: 74e2f67727eaede970e99eb82c7c103dc948e54694a37da9aa687955f3995801
                            • Instruction Fuzzy Hash: DAC10671E04302ABD710DF24DC82BAAB7E2BF94314F08453EE44957392EB74E954EB92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: 127.0.0.1$::1
                            • API String ID: 0-3302937015
                            • Opcode ID: 0364f490db236a4eb8f2c73841cc1bdbaf01642035c99331758c6316c005210d
                            • Instruction ID: 03b4dd06a8e4c6c24813dcd806eee645a7352c0e4b42a1dcb1c90ef32527e80c
                            • Opcode Fuzzy Hash: 0364f490db236a4eb8f2c73841cc1bdbaf01642035c99331758c6316c005210d
                            • Instruction Fuzzy Hash: F4A1D4B1D083469BE310EF28C84076AB7E1BF95304F159A6DE9C98B251F7B1E9D0C792
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: \
                            • API String ID: 0-2967466578
                            • Opcode ID: 1addc88cb6199c2e8ba0355f4c9ee5e96d5a9e62600cecd41e773a0faea736b5
                            • Instruction ID: 06348bfc84df14598d7c1ed31a14fe91a4faeead3e08c7526ca6101b8b5c71d8
                            • Opcode Fuzzy Hash: 1addc88cb6199c2e8ba0355f4c9ee5e96d5a9e62600cecd41e773a0faea736b5
                            • Instruction Fuzzy Hash: 9F02F8B191C302ABEB51BAA4AC40B6B7AD89F60315F444679FDC9D62C3F634D908C763
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: D
                            • API String ID: 0-2746444292
                            • Opcode ID: a3107ccf2373db7b21de00535b92a946e5273bef0d67603627fc9356daa65204
                            • Instruction ID: c0bca85a3d33d3d994745898d1609ea7230c7311977b2c16b967cb8f15d4ed84
                            • Opcode Fuzzy Hash: a3107ccf2373db7b21de00535b92a946e5273bef0d67603627fc9356daa65204
                            • Instruction Fuzzy Hash: 08327F7290D3918BD325EF28D4806AEF7E1BFC9318F158A2DE9D963351D730A945CB82
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: H
                            • API String ID: 0-2852464175
                            • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                            • Instruction ID: de5472c14d19874dea8b0ff2be13fd4ecde6e35604c407aa59a4654b1335b5d9
                            • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                            • Instruction Fuzzy Hash: E791B631B0C3158FC719EE1CC49016EB7E3ABC9324F1A897DD9D697391DA31AC468B86
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                            • Instruction ID: 309b904f40c2a596ee69853debe9ca30d634a12eb87844ffa1176e20e36ed4cd
                            • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                            • Instruction Fuzzy Hash: 802264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                            • Instruction ID: 1c6eb41c8649caf3a5a857ae22a910707c064958236301f9caab228699e48d1e
                            • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                            • Instruction Fuzzy Hash: 9912F676F483154BC30CED6DC992319FAD797C8310F1A893EA85DDB3A0E9B9EC014A81
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e962b2e4d44a5a3c2cdb489cc6abd965925338ec9de59719926118378db493c8
                            • Instruction ID: 5f0087db865d477aaf2852f8db30bdf487ab7f93e83f89b500ebefa4e983f341
                            • Opcode Fuzzy Hash: e962b2e4d44a5a3c2cdb489cc6abd965925338ec9de59719926118378db493c8
                            • Instruction Fuzzy Hash: AAE1863990C30A8FD724CF18C643B66BBE2AB85320F24856DE5D54B395DB359C4AFB81
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 082cfa24201ab978f2319c1d1ebce6ccc66c6a35e4186a3923efdfedc9d80dff
                            • Instruction ID: af04f0a64c0fd9b132ce90aecce4b8aedb96743f3e4eefa9090d2d2dc07c1efc
                            • Opcode Fuzzy Hash: 082cfa24201ab978f2319c1d1ebce6ccc66c6a35e4186a3923efdfedc9d80dff
                            • Instruction Fuzzy Hash: D2C180B1605605CBD32DCF29C4906A5FBE5FF81318F194A6DD6AA8FB85D730E881CB84
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 69d5532937cbd28a722db5a371622bd0fe861d6998754f5303fc11d004f7169a
                            • Instruction ID: a7dd1b951fe1e0e1a2d58822b3846bd909e6af1ee3c854705bde6cc245351735
                            • Opcode Fuzzy Hash: 69d5532937cbd28a722db5a371622bd0fe861d6998754f5303fc11d004f7169a
                            • Instruction Fuzzy Hash: 57A1F57160C7128FD724EF2CC48062ABBE2AFC6350F59866DE5D5973D2E731D8468B82
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f6a76792b6b75cc5a81745cf3ea343fb675315df774628bdd67e0f37d5a7c0ca
                            • Instruction ID: e3a3dfdf11c3f9698e8805638ecc8bb72adc7b6c4500e81926c50ce8c95b9a32
                            • Opcode Fuzzy Hash: f6a76792b6b75cc5a81745cf3ea343fb675315df774628bdd67e0f37d5a7c0ca
                            • Instruction Fuzzy Hash: FDA1B531A401598FDB38EE29CC91FDA73E6EFC9310F0A8564DD999F3D1EA30A9458790
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ef999fa671dad68d186ff0156528f6ae1ba716445c27fca687d1bad515c6d953
                            • Instruction ID: 714c31c614662ad257a8dbef570a8667198b1ec59727c3bafc5411703600dbf4
                            • Opcode Fuzzy Hash: ef999fa671dad68d186ff0156528f6ae1ba716445c27fca687d1bad515c6d953
                            • Instruction Fuzzy Hash: C3C1E571918B419BD362DF38C881BE6F7E1BF99310F108E1EE9EA57241EB706584CB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6f2cf6e8946fcc5f3cf318475a693c97e401dec9a4adbca32f4e1145e9db0d3e
                            • Instruction ID: 9608023c800b03614fa9655908ef7f68a39bc2d104ca13ea669e52c1707a3f57
                            • Opcode Fuzzy Hash: 6f2cf6e8946fcc5f3cf318475a693c97e401dec9a4adbca32f4e1145e9db0d3e
                            • Instruction Fuzzy Hash: 577138222082640BDB25492D588037BABD79BC312DF8D476EF8FAD7386C631F8878751
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 446ac0460f6333dd62ae16fe334983d87f246fd60220982a5e4e5700d491736f
                            • Instruction ID: b7f64d78ed7826edbfc2cd992a0b98b09bc4054039bec47063db14ade91a4bf9
                            • Opcode Fuzzy Hash: 446ac0460f6333dd62ae16fe334983d87f246fd60220982a5e4e5700d491736f
                            • Instruction Fuzzy Hash: 05811861C0DB8597E7269B399A017BBB3E5AFE5308F049719AE9C61113FB30B6D4C302
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ce5ae5733593751eba425c836eafe338214fb7906e97bd2ad1eab90ed5f4a0c9
                            • Instruction ID: f470861913a73de0cd4ae557ba644dc8a39cdb9c8f5a2d1baa7479feb21c6d45
                            • Opcode Fuzzy Hash: ce5ae5733593751eba425c836eafe338214fb7906e97bd2ad1eab90ed5f4a0c9
                            • Instruction Fuzzy Hash: 9C710572A08715CBC7189F18C89072AB7E2FF85328F19872DE9A54B389D735E950CB91
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7ba6f8fb3d4d56131190f9191d33f99776b28c950455efd83330e4c486bf6da
                            • Instruction ID: fc3da81d30eb9632be029bdf259688badf4e0db7ba50131f0fe6634be07d2f6a
                            • Opcode Fuzzy Hash: e7ba6f8fb3d4d56131190f9191d33f99776b28c950455efd83330e4c486bf6da
                            • Instruction Fuzzy Hash: ED811972D18B928BD3219F28C8807B6F7A0FFDA314F158B1EE9D606746E7749581C781
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: db52910ce1b93b90b2fb4993c227956f7356dcbaa013bdcad1ffb8c50c3cb01d
                            • Instruction ID: 9bc7a6f2ccbd88161784da29811e3dd27236dbd5c572b152998cd916262c8826
                            • Opcode Fuzzy Hash: db52910ce1b93b90b2fb4993c227956f7356dcbaa013bdcad1ffb8c50c3cb01d
                            • Instruction Fuzzy Hash: 0F81F972D14BD28BE3159F68C8806BABBA0FFDA314F145B1EE9E607742E7749580C781
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 664eeea93096b3d8459a017611fcaee1605ad0b509b0885162cce1097c2e6d2c
                            • Instruction ID: bfb41d902c7721ad7c14e3f261ab8011f02d8e07ea69f6d8ee5228d729390dc2
                            • Opcode Fuzzy Hash: 664eeea93096b3d8459a017611fcaee1605ad0b509b0885162cce1097c2e6d2c
                            • Instruction Fuzzy Hash: 38716932D197808BD7128F28C8806697BA2AFC6318F2C876EECD55F353E7749941C749
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                            • Instruction ID: 5b1978d3a77c574e43479abe9f6d706df10382352ee16de9b342fa6b2db1c26a
                            • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                            • Instruction Fuzzy Hash: CC31F9313183195BC714EDADC4C022AF6D79BC8268F95C63DEA49C3781EE71AC49C781
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f2715ef559b4156f2f16d65511079f923f108ab79f77929dec090369004d0870
                            • Instruction ID: a6bc6694e9821237512914c8aa369643f36e75f1a6008997d9934eefb0cbba27
                            • Opcode Fuzzy Hash: f2715ef559b4156f2f16d65511079f923f108ab79f77929dec090369004d0870
                            • Instruction Fuzzy Hash: FAB012355101008F971BC964DC760E133B277D630575EC4A8D00349015D735D111C600
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1954715312.0000000000FC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fc0000_file.jbxd
                            Similarity
                            • API ID:
                            • String ID: [
                            • API String ID: 0-784033777
                            • Opcode ID: 1b90eb6bfcff13d6696687ff28a8278be8b80659eba95999e3ee10050eeb5fec
                            • Instruction ID: 4f9f3b2b8ef7d3b1bed06c3b69b93420b576fd7d5597894c63621a9573215acc
                            • Opcode Fuzzy Hash: 1b90eb6bfcff13d6696687ff28a8278be8b80659eba95999e3ee10050eeb5fec
                            • Instruction Fuzzy Hash: B1B19A705083B15BEB768A2CCCA47FFBFD9AF4A204F1805ADE9C6C2182E764D444875A